License Scanner FAQs

Question 1

Does License Scanner report on operating system package licenses by default?

Accepted Answer

By default, License Scanner excludes OS package findings (from 'dpkg', 'rpm', 'apk') to reduce noise and focus on application dependencies. Users can choose to include OS package licenses if desired via a configuration option.

Question 2

How does License Scanner ensure license finding accuracy and relevance?

Accepted Answer

It aggregates data from diverse evidence sources, filters out low-signal noise, and by default, excludes OS package findings to deliver focused, actionable results primarily on application and runtime dependencies.

Question 3

What kind of reports and artifacts does License Scanner generate?

Accepted Answer

License Scanner generates detailed reports and artifacts, including SPDX and CycloneDX SBOMs, Trivy license data, ScanCode findings (optional), and a 'review_summary.json' with categorized, deduplicated license findings, severity, and rationale.

Question 4

What is License Scanner and what does it do?

Accepted Answer

License Scanner is a tool that identifies and reports software licenses found within local code repositories and Docker images. It aggregates data from multiple evidence sources like SBOMs, Trivy, and package metadata to provide comprehensive insights.

License Scanner

Key Features

Use Cases

License Scanner

Key Features

Use Cases