Description
Is your feature request related to a problem? Please describe.
Since switching from deny-licenses to allow-licenses I encounter a new license about every week. These are mainly uncommon licenses detected by Scancode, sometimes not (yet) listed on the SPDX License list. To get a list of licenses known to Scancode, see the Scancode LicenseDB.
To reduce the number of flagged licenses, I'm considering allow-listing all licenses from:
- Public Domain
- Permissive
- Patent License
- Copyleft Limited
- CLA
This would cover most of our library-cases, making the dependency-review-action approach our internal license policy.
If I added all licenses, it would result in hundreds of license entries in my yaml file.
Describe the solution you'd like
I would like to use shorthands for license categories to simplify specifying the license categories. @ahpook made a suggestion in August last year in #938 (comment) which I think would make sense:
```yaml
allow-licenses:
  - include:
      - Permissive
      - Free Restricted
      - GFDL-1.1-only
```
This would allow specifying both license groups and specific licenses to have a more specific license policy.
Describe alternatives you've considered
Adding all licenses myself.
Additional context
Personally I'd like to have a more refined policy that includes scope, repository-specific overrides and perhaps a warning-category. I'd like it if this feature wouldn't block a path towards a more specific license policy.
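As an added illustration of how the proposed `include` shorthand could be resolved, here is a small Python policy resolver. It is not code from dependency-review-action and not part of the issue: the category table is a constructed stand-in for the Scancode LicenseDB (category membership is made up for the example), the dependency list is constructed, and `expand_allow_list`, `expression_allowed` and `review` are hypothetical names. It expands categories and explicit SPDX ids into one flat allow set, rejects unknown tokens at config-load time so a typo shows up immediately rather than as puzzling flags later, and evaluates flat `OR`/`AND` SPDX expressions against that set.

```python
"""Hypothetical resolver for category shorthands in an allow-licenses policy.

Constructed example, not part of dependency-review-action. The category table
is a made-up subset standing in for the Scancode LicenseDB.
"""
from typing import Iterable

# Constructed category table (illustrative only; membership is not the real LicenseDB).
CATEGORY_TO_LICENSES: dict[str, frozenset[str]] = {
    "Public Domain": frozenset({"Unlicense", "CC0-1.0"}),
    "Permissive": frozenset({"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}),
    "Copyleft Limited": frozenset({"LGPL-2.1-only", "MPL-2.0"}),
    "Free Restricted": frozenset({"GFDL-1.2-only"}),
    "Copyleft": frozenset({"GPL-3.0-only", "AGPL-3.0-only", "GFDL-1.1-only"}),
}

# Every SPDX id the table knows about, so an explicit id can be told from a typo.
KNOWN_LICENSES: frozenset[str] = frozenset().union(*CATEGORY_TO_LICENSES.values())

# Constructed policy mirroring the shape proposed in the issue.
POLICY = {"allow-licenses": [{"include": ["Permissive", "Free Restricted", "GFDL-1.1-only"]}]}

# Constructed (name, SPDX expression) pairs standing in for a dependency snapshot.
SAMPLE_DEPENDENCIES = [
    ("left-pad", "MIT"),
    ("some-lib", "GPL-3.0-only"),
    ("dual-licensed", "MIT OR GPL-3.0-only"),
    ("both-required", "MIT AND GPL-3.0-only"),
    ("docs-pkg", "GFDL-1.1-only"),
]


def _expand_token(token: str) -> frozenset[str]:
    """A token is either a category name or a single known SPDX id."""
    if token in CATEGORY_TO_LICENSES:
        return CATEGORY_TO_LICENSES[token]
    if token in KNOWN_LICENSES:
        return frozenset({token})
    # Fail closed at load time: a misspelled entry must not silently become dead config.
    raise ValueError(f"unknown license or category: {token!r}")


def expand_allow_list(policy: dict) -> frozenset[str]:
    """Flatten allow-licenses entries (plain ids, categories, or include lists) into SPDX ids."""
    allowed: set[str] = set()
    for entry in policy.get("allow-licenses", []):
        if isinstance(entry, str):
            allowed |= _expand_token(entry)
        elif isinstance(entry, dict) and "include" in entry:
            for token in entry["include"]:
                allowed |= _expand_token(token)
        else:
            raise ValueError(f"unsupported allow-licenses entry: {entry!r}")
    return frozenset(allowed)


def expression_allowed(expression: str, allowed: frozenset[str]) -> bool:
    """Evaluate a flat SPDX expression: AND binds tighter than OR, as in SPDX.

    `A OR B` passes if any alternative passes; `A AND B` passes only if every
    part is allowed. Parenthesised expressions are out of scope and rejected.
    """
    if "(" in expression or ")" in expression:
        raise ValueError(f"parenthesised expressions not supported: {expression!r}")
    for alternative in expression.split(" OR "):
        parts = [part.strip() for part in alternative.split(" AND ")]
        if all(part in allowed for part in parts):
            return True
    return False


def review(dependencies: Iterable[tuple[str, str]], allowed: frozenset[str]) -> list[str]:
    """Return the names of dependencies whose license expression is not covered by the policy."""
    return [name for name, expr in dependencies if not expression_allowed(expr, allowed)]


if __name__ == "__main__":
    allow_set = expand_allow_list(POLICY)
    print("allowed:", sorted(allow_set))
    print("flagged:", review(SAMPLE_DEPENDENCIES, allow_set))
```

The deliberate choice is to raise on an unknown category or id rather than ignore it: with hundreds of entries, a silent no-op entry is the kind of mistake nobody notices until the policy is audited.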