Support Maven(?) scopes #183
Comments
jankoritak
added
enhancement
|
@jerrinot That's for this issue. You are correct. We should not include "dev" issues in the results. |
4rokis
added
Priority: Critical
|
@jankoritak Removing |
|
✔️ NPM |
|
Pipenv issue has separate issue as there might be another issue #187 |
|
I see, so the problem is exclusive to Pip and Maven. Let's focus the Maven part within this thread, in order to address @jerrinot's issue. We can deal with Pip separately. |
|
If i understand it correctly from https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope You can have 6 scopes (compile, provided, runtime, test, system, import). Only @jerrinot Can you please confirm that this is correct? |
|
@S4n60w3n It depends. Usually you do not want to include libraries in a It's probably fine for GPL as you typically don't distribute test code. but imagine a testing library with a license which says: "Everything this testing library touches belongs to me. Deal with it. Then you do not want to use this library even in a test scope and you want a compliance check to fail when it encounters this library under any scope. The other scopes are similar. The |
"
|
@jerrinot Thanks for clarification. I
As it requires more input |
|
Proper support for dependency scopes #189 |
It's OK to have a certain license as a build-time only dependency.
Think of a benchmark harness under a GPL license: We only use it during a build/testing time and we never distribute it / our product does not depend on it. So as long as it stays as a build-time only dependency only it's OK and it should not have been reported.
However I am reluctant to whitelist/ignore this dependency/license because if someone accidentally change the scope of this dependency then it won't be reported at all and this would lead to a compliance issue.
The text was updated successfully, but these errors were encountered: