{"id":20617808,"url":"https://github.com/cyclonedx/license-scanner","last_synced_at":"2025-06-26T12:34:57.890Z","repository":{"id":95837607,"uuid":"588399531","full_name":"CycloneDX/license-scanner","owner":"CycloneDX","description":"Utility that provides an API and CLI to identify licenses and legal terms","archived":false,"fork":false,"pushed_at":"2025-06-02T20:09:00.000Z","size":3274,"stargazers_count":49,"open_issues_count":7,"forks_count":9,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-06-03T05:43:06.166Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CycloneDX.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"]}},"created_at":"2023-01-13T02:43:33.000Z","updated_at":"2025-06-02T22:19:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"d130e10e-c0f1-4171-a886-91e3b30e9e14","html_url":"https://github.com/CycloneDX/license-scanner","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/CycloneDX/license-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Flicense-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Flicense-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Flicense-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Flicense-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CycloneDX","download_url":"https://codeload.github.com/CycloneDX/license-scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Flicense-scanner/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262068692,"owners_count":23253849,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-16T12:06:04.882Z","updated_at":"2025-06-26T12:34:57.877Z","avatar_url":"https://github.com/CycloneDX.png","language":"Go","funding_links":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"],"categories":[],"sub_categories":[],"readme":"[![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)](LICENSE)\n\n# license-scanner\n\n_license-scanner_ scans files for licenses and legal terms. It can be used to identify text matching licenses and license exceptions from the [SPDX License List](https://spdx.org/licenses/). _license_scanner_ can also be configured to identify additional legal terms, keywords, aliases, and non-SPDX licenses.\n\nAs a library, written in Go, _license-scanner_ is designed to be integrated into your software supply chain pipelines. In addition, _license-scanner_ may be used as a command-line utility.\n\n## Getting started\n\nThe license scanner is available as a CLI and as a go module. Importing the scanner as go module is a recommended way to\nintegrate it in your own tools.\n\n### Compatability\n\n* Building from source requires Go 1.18 or newer\n* CycloneDX output is based on v1.6\n* SPDX template matching has been tested with SPDX license template versions 3.17, 3.18, 3.21 and 3.26\n\n### Installing as a CLI\n\nInstall the `license-scanner` CLI executable in your go environment by building from source with `go install`:\n\n```shell\ngo install github.com/CycloneDX/license-scanner@latest\n```\n\n**Note:** If you run into this kind issue while installing a CLI or installing it as a [module](#installing-as-a-module):\n\n```ShellSession\n$ go get github.com/CycloneDX/license-scanner\n\ngo: module github.com/CycloneDX/license-scanner: git ls-remote -q origin in /Go/pkg/mod/cache/vcs/4195cda34249b1abf68da7e56a4660155fdfd914eb0e0cec2f402756880b5767: exit status 128:\n        fatal: could not read Username for 'https://github.com': terminal prompts disabled\nConfirm the import path was entered correctly.\nIf this is a private repository, see https://golang.org/doc/faq#git_https for additional information.\n```\n\nThis error says that the repository you are trying to access is private. Until this repository is available in public,\nyou can update your `~/.gitconfig` to use SSH in place of HTTPS for URLS matching a prefix.\n\n```ini\n[url \"ssh://git@github.com/\"]\n\tinsteadOf = https://github.com/\n```\n\nAnd set `GOPRIVATE` environment variable:\n\n```bash\nexport GOPRIVATE=github.com/CycloneDX/*\n```\n\nThese two configuration changes should be able to help you install license-scanner package/CLI.\n\n### Installing for developers\n\nFor developers, `git clone` the repo and build the source code with `go build`:\n\nClone the repo:\n\n```shell\ngit clone https://github.com/CycloneDX/license-scanner.git\n```\n\nThe commands that follow are to be run from your cloned repo root directory:\n\n```shell\ncd license-scanner\n```\n\nBuild the source code:\n\n```shell\ngo build ./...\n```\n\nRun the CLI from source code in your cloned repo (with local changes):\n\n```shell\ngo run . --help\n```\n\nOptionally, install a _license-scanner_ executable from your cloned repo (with local changes) :\n\n```shell\ngo install\n```\n\n\u003e NOTE: For documentation purposes, the CLI examples assume the use of the _license-scanner_ executable, but typically developers will instead use `go run .` (or `go run ./main.go`) in place of `license-scanner`.\n\n### Installing as a Module\n\nUsing the `license-scanner` API is simple. First, use `go get` to install the latest version of the library.\n\n```shell\ngo get -u github.com/CycloneDX/license-scanner@latest\n```\n\nNext, import the scanner API into your application:\n\n```go\nimport \"github.com/CycloneDX/license-scanner/api/scanner\"\n```\n\n## CLI usage\n\nTo get more information about command-line usage directly from your executable, run `license-scanner --help`. When you run with the `--debug` flag, the latest usage in markdown format will also be updated in [cmd/license-scanner.md](cmd/license-scanner.md)\n\n```ShellSession\n$ license-scanner --help\n\nUsage:\n  license-scanner [flags]\n\nFlags:\n  -g, --acceptable          Flag acceptable\n      --addAll string       Add licenses\n      --configName string   Base name for config file (default \"config\")\n      --configPath string   Path to any config files\n  -c, --copyrights          Flag copyrights\n      --custom string       Custom templates to use (default \"default\")\n      --customPath string   Path to external custom templates to use\n  -d, --debug               Enable debug logging\n      --dir string          A directory in which to identify licenses\n  -f, --file string         A file in which to identify licenses\n  -x, --hash                Output file hash\n  -h, --help                help for license-scanner\n  -k, --keywords            Flag keywords\n  -l, --license string      Display match debugging for the given license\n      --list                List the license templates to be used\n  -n, --normalized          Flag normalized\n      --overwrite           Overwrite existing directories and files when using --addAll flag\n  -q, --quiet               Set logging to quiet\n      --spdx string         Set of embedded SPDX templates to use (default \"default\")\n      --spdxPath string     Path to external SPDX templates to use\n      --updateAll           Update existing licenses\n```\n\n### Example CLI usage\n\nExample usage to scan LICENSE.txt, but only print the license IDs and positions of license matches:\n\n```shell\nlicense-scanner --quiet -f LICENSE.txt\n```\n\nExample usage to print license IDs, copyrights, and blocks found in file LICENSE.txt:\n\n```shell\nlicense-scanner -c -f LICENSE.txt\n```\n\nExample scan of a license file with output shown:\n\n```shell\ncurl -o ASYNC_LICENSE https://raw.githubusercontent.com/caolan/async/master/LICENSE\n```\n\n```ShellSession\n$ license-scanner -f ASYNC_LICENSE\n\n[INFO] Looking for all licences\n\nFOUND LICENSE MATCHES:\n        License ID:     MIT\n                begins:     0   ends:  1061\n                begins:    40   ends:   600\n                begins:   602   ends:  1061\n\n[INFO] [MIT] :: Copyright (c) 2010-2018 Caolan McMahon\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n```\n\n## Library usage\n\n### Example library usage\n\nInitialize the `ScanSpecs` with `LicenseText` to scan the license text against the set of SPDX licenses and get the\nCycloneDX [LicenseChoice](https://cyclonedx.org/use-cases/#license-compliance). The CycloneDX LicenseChoice includes\nSPDX License ID, SPDX License Expression, and License name.\n\n```go\nscanSpecs := scanner.ScanSpecs{\n\tSpecs: []scanner.ScanSpec{\n\t\t{\n\t\t\tName:        \"async\",\n\t\t\tLicenseText: asyncLicenseText,\n\t\t},\n\t\t{\n\t\t\tName:        \"helmet\",\n\t\t\tLicenseText: helmetLicenseText,\n\t\t},\n\t},\n}\n```\n\nCall the `ScanLicenseText`:\n\n```go\nresults, err := scanSpecs.ScanLicenseText()\nif err != nil {\n\t// report error and return\n\treturn err\n}\n```\n\nThe `ScanLicenseText` returns `ScanResult` which contains the original specifications along with original license text,\nnormalized license text, the digest (Md5, Sha256, and Sha512) of the normalized text, and CycloneDX LicenseChoice schema.\n\nFor example:\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"io/ioutil\"\n\t\"log\"\n\t\"net/http\"\n\t\"os\"\n\n\t\"github.com/CycloneDX/license-scanner/api/scanner\"\n)\n\nfunc GetLicense(urls map[string]string) {\n\tfor n, u := range urls {\n\t\t// Create a blank file\n\t\tfile, err := os.Create(n)\n\t\tdefer file.Close()\n\t\tif err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\n\t\t// initiate HTTP client with the specified URL\n\t\tclient := http.Client{\n\t\t\tCheckRedirect: func(r *http.Request, via []*http.Request) error {\n\t\t\t\tr.URL.Opaque = r.URL.Path\n\t\t\t\treturn nil\n\t\t\t},\n\t\t}\n\n\t\t// Copy content in a file\n\t\tresp, err := client.Get(u)\n\t\tdefer resp.Body.Close()\n\t\tif err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\n\t\t_, err = io.Copy(file, resp.Body)\n\t\tif err != nil {\n\t\t\tlog.Fatal(err)\n\t\t}\n\t}\n}\n\nfunc main() {\n\tsampleLicenses := map[string]string{\n\t\t\"async\":     \"https://raw.githubusercontent.com/caolan/async/master/LICENSE\",\n\t\t\"urllib3\":   \"https://raw.githubusercontent.com/urllib3/urllib3/main/LICENSE.txt\",\n\t\t\"cobra\":     \"https://raw.githubusercontent.com/spf13/cobra/main/LICENSE.txt\",\n\t\t\"golang-go\": \"https://raw.githubusercontent.com/golang/go/master/LICENSE\",\n\t}\n\n\tGetLicense(sampleLicenses)\n\n\tvar scanSpecs scanner.ScanSpecs\n\n\tfor n, u := range sampleLicenses {\n\t\ttext, _ := ioutil.ReadFile(n)\n\t\tscanSpecs.Specs = append(scanSpecs.Specs, scanner.ScanSpec{\n\t\t\tName:        n,\n\t\t\tLocation:    u,\n\t\t\tLicenseText: string(text),\n\t\t})\n\t}\n\n\tresults, _ := scanSpecs.ScanLicenseText()\n\tfor _, result := range results {\n\t\tfmt.Printf(\"License IDs for %s: \", result.Spec.Name)\n\t\tfor _, r := range result.CycloneDXLicenses {\n\t\t\tfmt.Printf(\"%s\\n\", r.License.ID)\n\t\t}\n\t}\n}\n```\n\n```bash\nLicense IDs for async: MIT\nLicense IDs for urllib3: MIT\nLicense IDs for cobra: Apache-2.0\nLicense IDs for golang-go: BSD-3-Clause\n```\n\n### Scan Results\n\nThe `license-scanner` returns a list of identified licenses in CycloneDX `LicenseChoice` schema which holds a `License`\nor an `Expression`. The main goal of a `license-scanner` is to return a list of SPDX License IDs in the `License` struct:\n\n```go\ntype License struct {\n\tID   string\n\tName string\n\tText *AttachedText\n\tURL  string\n}\n```\n\nThe `ID` here represents the SPDX ID in case of a license is identified against a known SPDX licenses. In case of a no match,\n`ID` is left empty string but `Name` is set to `NOASSERTION` to signify that this particular license text was compared\nagainst the known licenses but did not match any.\n\nHere is an example of a [go-yaml](https://github.com/go-yaml/yaml) package with `Apache-2.0` and `MIT` licenses:\n\n```go\n      \"licenses\": [\n        {\n          \"license\": {\n            \"id\": \"Apache-2.0\",\n            \"text\": {\n              \"contentType\": \"text/plain\",\n              \"encoding\": \"base64\",\n              \"content\": \"...\"\n            },\n            \"url\": \"https://www.apache.org/licenses/LICENSE-2.0.txt\"\n          }\n        },\n        {\n          \"license\": {\n            \"id\": \"MIT\",\n            \"text\": {\n              \"contentType\": \"text/plain\",\n              \"encoding\": \"base64\",\n              \"content\": \"...\"\n            },\n            \"url\": \"https://opensource.org/licenses/mit-license.php\"\n          }\n        }\n      ]\n```\n\n### Setting flags with the API\n\nOptional flags maybe used with the API to locate the config file and control runtime options. These are the same flags that are used in [CLI Usage](#cli-usage), but instead of using command-line flags, they are set and passed using the API as shown below.\n\n```go\npackage main\n\nimport (\n\t\"github.com/CycloneDX/license-scanner/api/scanner\"\n\t\"github.com/CycloneDX/license-scanner/configurer\"\n)\n\nfunc main() {\n\t// To override default flags, start with a new default flag set.\n\tflagSet := configurer.NewDefaultFlags()\n\t// Override flags where necessary using Set(flag, value)\n\tflagSet.Set(\"spdx\", \"my3.17\")\n\t// Setup your scanner.ScanSpecs as shown earlier.\n\tscanSpecs := scanner.ScanSpecs{ /* ...see earlier example... */ }\n\t// Use WithFlags() to set the non-default flags for a scan\n\tresult, err := scanSpecs.WithFlags(flagSet).ScanLicenseText()\n}\n```\n\n## Optional Configuration\n\nRefer to [configurer/README.md](configurer/README.md) for advanced configuration options.\n\n## CLI modes\n\n### Help mode\n\nWhen you add `--help` or `-h` to any _license_scanner_ command it will produce help output and no other action will be performed.\n\n| Name | Shorthand | Type | Default | Usage |\n|------|-----------|------|---------|-------|\n| `--help` | `-h` | Boolean | false | Print usage help |\n\nIn help mode, all other flags are ignored.\n\n### Scan mode\n\nWhen running `license_scanner --file \u003cinput_file\u003e` the input file is scanned for license matches.\nWhen running `license_scanner --dir \u003cinput_dir\u003e` the input directory is recursively scanned for license matches.\n\n| Name | Shorthand | Type | Usage |\n|------|-----------|------|-------|\n| `--file` | `-f` | string | A file in which to identify licenses |\n| `--dir` | | string | A directory in which to identify licenses |\n\nThe following **optional** runtime flags may be used to modify and enhance the behavior:\n\n* Resource flags: `--spdx` or `--spdxPath` and `--custom` or `--customPath`\n* Output logging flags: `--quiet` or `--debug`\n* Config file location flags: `--configPath`, `--configName`\n* Output enhancer flags: `--acceptable`, `--copyrights`, `--hash`, `--keywords`, `--normalized`, `--license`\n\n### Import mode\n\nWhen running `license_scanner --addAll \u003cinput_dir\u003e` the input directory is used to validate, prepare, and import licenses.\n\n| Name  | Type | Usage |\n|------|------|-------|\n| `--addAll` | string | Add the licenses from a directory |\n\nThe following runtime flags may be used to modify the behavior:\n\n* Resource flags (import destination): one of `--spdx`, `--spdxPath`, `--custom`, `--customPath`\n* Config file location: `--configPath`, `--configName`\n* `--overwrite` will overwrite existing directories and files at the target path when using the `--spdx` or `--spdxPath` flags.  *This helps when successive calls to `--addAll` are needed by preventing the need for manual deletion of the target path.*\n\n### List mode\n\nWhen running `license_scanner --list` a listing of the SPDX and custom license templates will be output.\n\n| Name | Usage |\n|------|-------|\n| `--list` | List the license templates to be used |\n\nSince you may have multiple locations for resources and multiple SPDX and custom folders under each of those resources, use the following flags to generate non-default listings:\n\n* Resource flags: `--spdx` or `--spdxPath` and `--custom` or `--customPath`\n* Config file location (used to locate resources): `--configPath`, `--configName`\n\nExample license library listing: [resources/LIST.md](resources/LIST.md)\n\n## Runtime flags\n\n### Resource flags\n\n_license-scanner_ uses configurable resources to identify licenses and legal terms. By default, SPDX licenses and license exceptions are configured under `resources/spdx/default`. This directory is provided in the repo for out-of-the-box functionality.\n\nIn addition, default examples used to recognize additional legal terms and extend SPDX license matching are provided under `resources/custom/default`.\n\nResources under `resources/spdx/*` and `resources/custom/*` are embedded in *license-scanner* or your own executables when building with the API.\n\nResource flags can be used in scan mode to run scans with alternative resources. These flags are also used in import/update mode as described in [Importing license templates](#importing-license-templates) and [Updating license templates](#updating-license-templates).\n\n| Name     | Default | Usage                                                          |\n|----------|---------|----------------------------------------------------------------|\n| `--spdx`   | default | Use the specified resources/spdx subdir for SPDX templates     |\n| `--custom` | default | Use the specified resources/custom subdir for custom templates |\n\nInstead of using embedded resources in these fixed locations, you can specify external directories to use with the `--spdxPath` and/or `--customPath` flags.\n\n| Name         | Usage                                       |\n|--------------|---------------------------------------------|\n| `--spdxPath`   | Use the specified path for SPDX templates   |\n| `--customPath` | Use the specified path for custom templates |\n\n### Output logging flags\n\nLogging flags control the amount of output. --quiet takes priority over --debug and other enhancer flags that rely on printed output.\n\n| Name | Shorthand | Default | Usage |\n|------|-----------|---------|-------|\n| `--quiet` | `-q` | false | Suppress all logging |\n| `--debug` | `-d` | false | Enable debug logging |\n\n### Output enhancer flags\n\nOutput enhancers create additional output details for a license scan. The enhanced output uses logging, so these should not be used with the `--quiet` flag. All enhancer flags are Boolean except for `--license`, which  requires a string identifying the license template to use for the diff.\n\n| Name | Shorthand | Default | Usage |\n|------|-----------|---------|-------|\n| `--acceptable` | `-g` | false | Flag acceptable pattern matches |\n| `--copyrights` | `-c` | false | Flag copyrights |\n| `--hash` | `-x` | false | Output the normalized license file hashcode |\n| `--keywords` | `-k` | false | Flag keywords |\n| `--normalized` | `-n` | false | Output the normalized license text |\n| `--license` | `-l` | | Output normalized diff of input and license |\n\n### Config file location flags\n\nWhen a _license-scanner_ command is executed or a ScanLicenseText() call is made via the API, _license-scanner_ will look for a config file to initialize runtime options.\n\nBy default, _license-scanner_ will look for the config file in:\n\n1. The directory containing the executable\n2. The project root (for development and tests)\n\nYou can use the `--configPath \u003cpath\u003e` flag to read your the config file from an alternate location. You can also override the \"config\" part of the file name by setting the `--configName \u003cbase\u003e`.\n\nFor example, `--configPath /tmp/test_dir --configName configTest` would allow you to test using `/tmp/test_dir/configTest.json`.\n\nThe default config file is named `config.\u003cext\u003e` (e.g. `config.json`). Viper provides the ability to read config files in a variety of formats, such as TOML or YAML instead of JSON. Use the file extension to indicate the format and refer to Viper for supported languages. **For _license-scanner_, JSON is presumed for testing and documentation.**\n\n| Name | Shorthand | Default | Usage |\n|------|-----------|---------|-------|\n| `--configName` | | config | Base name for config file |\n| `--configPath` | | executable's dir or project root | Path to any config files |\n\nRefer to [configurer/README.md](configurer/README.md) for advanced configuration options.\n\n## Running the tests\n\n### Unit Tests\n\nEach package has many `unit` tests in `*_test.go` which can be executed using `go test`:\n\n```ShellSession\n$ go test ./... -tags=unit\n\n?       github.com/CycloneDX/license-scanner    [no test files]\nok      github.com/CycloneDX/license-scanner/api/scanner        3.009s\nok      github.com/CycloneDX/license-scanner/cmd        8.646s\n?       github.com/CycloneDX/license-scanner/debugger   [no test files]\nok      github.com/CycloneDX/license-scanner/identifier 20.923s\nok      github.com/CycloneDX/license-scanner/licenses   7.151s\n?       github.com/CycloneDX/license-scanner/logging    [no test files]\nok      github.com/CycloneDX/license-scanner/normalizer 0.161s\nok      github.com/CycloneDX/license-scanner/resources  0.278s\n```\n\n## Importing license templates\n\n**_license-scanner_ includes a default current release of SPDX license templates already imported**. If you want to download and work with an alternate version (e.g. newer or older than the one that is currently included), you can import them. _license-scanner_ also supports custom policies. These can be used to extend the SPDX standard templates with policies for your organization. In both cases, importing will copy, preprocess, and validate the files to ensure they are ready for use.\n\nImported SPDX templates (and generated precheck files) will be copied into a destination specified by the --spdxPath or --spdx argument.\n\n* `--spdx \u003csubDir\u003e`: The destination must be an empty or non-existent directory under `resources/spdx/`. These templates will be available as embedded resources when you scan for licenses using the same `--spdx \u003csubDir\u003e` flag.\n\n* `--spdxPath \u003cpath\u003e`: The destination must be an empty or non-existent directory. These copied templates and precheck files will not be available as embedded resources, but can be used when you scan for licenses using the `--spdxPath \u003cpath\u003e` flag to read this external directory.\n\nImported custom policies (and generated precheck files) will be copied into a destination specified by the --customPath or --custom argument.\n\n* `--custom \u003csubDir\u003e`: The destination must be an empty or non-existent directory under `resources/custom/`. These policies will be available as embedded resources when you scan for licenses using the same `--custom \u003csubDir\u003e` flag.\n\n* `--customPath \u003cpath\u003e`: The destination must be an empty or non-existent directory. These copied policies and precheck files will not be available as embedded resources, but can be used when you scan for licenses using the `--customPath \u003cpath\u003e` flag to read this external directory.\n\nWhen importing, only one of `--spdx, --spdxPath, --custom, --customPath` can be used. This will be the destination for the files copied from the `--addAll \u003cdirectory\u003e`. When scanning for licenses, you can combine one set of SPDX templates specified by `--spdx` or `--spdxPath` with one set of custom policies specified by `--custom` or `--customPath`.\n\n#### Steps\n\n1. Download the SPDX license list assets (zip file or tar.gz) from https://github.com/spdx/license-list-data/releases\n1. Unzip the file. This will create the `\u003cdir\u003e` that you will import from (below).\n1. Ensure that the destination directory named `resources/spdx/\u003cversionDir\u003e` is not in use.\n1. Run the `license-scanner --addAll \u003cdir\u003e --spdx \u003cversionDir\u003e` command. For example:\n   ```shell\n   license-scanner --addAll ~/Downloads/license-list-data-3.xx --spdx my3.xx\n   ```\n1. The new templates, json, testdata, and generated precheck files will all be put in the `resources/spdx/my3.xx` directory and will be available as embedded resources when you build a *license-scanner* binary or build your own binary using the API.\n\t- *If you want to make the new templates the defaults, copy the contents of the `resources/spdx/my3.xx` directory to the `resources/spdx/default` directory.  This would be done when contributing new SPDX release content to this tool.*\n1. As a final step, update the file `resources/LIST.md` with the new set of supported license by using the output of the `license-scanner --list` command.\n\n## Updating license templates\n\nIf your imported files need to be re-validated and precheck files regenerated, you can use `--updateAll` with `--spdx`, `--spdxPath`, `--custom`, or `--customPath` to update them in place.\n\n- *This type of update would be needed if your templates and precheck files got out-of-sync either due to changes in those files or updated license-scanner code which requires updated prechecks.*","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclonedx%2Flicense-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyclonedx%2Flicense-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclonedx%2Flicense-scanner/lists"}