License is showing unknown in PYPI.

[sureshvigneshbe]

The Bandit package license is showing as UNKNOWN in PYPI. Could you clarify , whether it is allowed to use for code review and vulnerability checks.

[ericwb]

Hi @sureshvigneshbe, you can find Bandit's license in a variety of places. Namely, on GitHub you can find listed on right hand side of the repo main page as Apache-2.0 License, also in our LICENSE file. On PyPI its listed in the metadata as License: Apache Software License and also int the classifier named License as OSI Approved :: Apache Software License.

https://github.com/PyCQA/bandit/blob/master/LICENSE
https://pypi.org/project/bandit/#description

However, I'm not sure where you are see it listed as unknown. Could you please provide a link?

[sureshvigneshbe]

Hi Ericwb, I have found in the pip-licenses packages. where the license return as unknown for Bandit,Gitpython,Pbr and stevedore.

Could you help and assist on this. Also in PIP show command the same output.

[ericwb]

So it appears pip-licenses is showing the content from the metadata license field. It is true this is unset by Bandit. You can duplicate this with pip:

browne-a03:mado browne$ pip show bandit
Name: bandit
Version: 1.7.0
Summary: Security oriented static analyser for python code.
Home-page: https://bandit.readthedocs.io/en/latest/
Author: PyCQA
Author-email: [email protected]
License: UNKNOWN
Location: /Users/browne/.pyenv/versions/3.9.0/lib/python3.9/site-packages
Requires: GitPython, PyYAML, six, stevedore
Required-by: 
browne-a03:mado browne$ pip show bandit
Name: bandit
Version: 1.7.0
Summary: Security oriented static analyser for python code.
Home-page: https://bandit.readthedocs.io/en/latest/
Author: PyCQA
Author-email: [email protected]
License: UNKNOWN
Location: /Users/browne/.pyenv/versions/3.9.0/lib/python3.9/site-packages
Requires: six, PyYAML, stevedore, GitPython
Required-by: 

However, if you also read: https://packaging.python.org/guides/distributing-packages-using-setuptools/#license, it states "The “license” argument is more typically used to indicate differences from well-known licenses, or to include your own, unique license. As a general rule, it’s a good idea to use a standard, well-known license, both to avoid confusion and because some organizations avoid software whose license is unapproved."

Bandit's well-known license is set in the classifiers. So if we're adhering to the setuptools guide, we wouldn't set the metadata license field unless it's a custom different license from the well know SPDX types.

[sureshvigneshbe]

Thanks for the reply.Also whether any other way to check the classifier licenses in bulk ?,
Since I am comparing many packages licenses , pip show -v Bandit is showing the classifiers license "License :: OSI Approved :: Apache Software License"