allow-dependencies-licenses: allow-list specific license #1046

@erikburt

Description

Is your feature request related to a problem? Please describe.

When using the allow-dependencies-licenses configuration, it only allows for specifying specific packages and not their particular license. This is an issue if a dependency you've previously allowed changes its license to something more restrictive.

Describe the solution you'd like

Use PURL qualifiers (or subpaths) to allow optional filtering of specific licenses for specific dependencies.

Example:

  • pkg:npm/@foo/bar?license=GPL-1.0-or-later
    • If this package changes to a different license in my deny_licenses field, then it should fail.
  • Not specifying license should retain existing behaviour of a "blanket" allow.

Describe alternatives you've considered

There are no alternatives.

Additional context

N/A
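The semantics proposed above, as an added example that is not part of the issue or of the dependency-review-action's own code. It assumes a non-standard `license` qualifier on the allow-list PURL (the issue's proposal, not part of the PURL spec), that allow-list entries match on type/namespace/name with the version ignored, and that SPDX identifiers compare case-insensitively; `parsePurl`, `evaluate` and the verdict names are hypothetical:

```typescript
// Added example modelling the proposed allow-list semantics; not the action's code.
// Assumption: a hypothetical `license` PURL qualifier pins an allow entry to one
// SPDX license expression. Without it, the entry is a blanket allow.

interface ParsedPurl {
  name: string                        // type/namespace/name with the version stripped
  qualifiers: Record<string, string>  // keys lower-cased, values percent-decoded
}

interface Dependency {
  purl: string     // e.g. pkg:npm/@foo/bar@2.0.0
  license: string  // SPDX expression reported for this dependency
}

type Verdict = 'allow' | 'deny' | 'pass'

// Split "pkg:type/namespace/name@version?k=v&k2=v2#subpath" into name and qualifiers.
function parsePurl(purl: string): ParsedPurl {
  const withoutSubpath = purl.split('#')[0]
  const q = withoutSubpath.indexOf('?')
  const base = q === -1 ? withoutSubpath : withoutSubpath.slice(0, q)
  const query = q === -1 ? '' : withoutSubpath.slice(q + 1)

  const qualifiers: Record<string, string> = {}
  for (const pair of query.split('&')) {
    if (pair === '') continue
    const eq = pair.indexOf('=')
    const key = (eq === -1 ? pair : pair.slice(0, eq)).toLowerCase()
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1))
    qualifiers[key] = value
  }

  // The version separator is the '@' after the last '/', so an npm scope's '@' is kept.
  const lastSlash = base.lastIndexOf('/')
  const at = base.indexOf('@', lastSlash + 1)
  const name = at === -1 ? base : base.slice(0, at)
  return { name, qualifiers }
}

// Assumed matching rule: entries match on type/namespace/name ignoring version;
// SPDX identifiers are compared case-insensitively.
function evaluate(dep: Dependency, allowList: string[], denyLicenses: string[]): Verdict {
  const depName = parsePurl(dep.purl).name
  const depLicense = dep.license.toLowerCase()

  for (const entry of allowList) {
    const { name, qualifiers } = parsePurl(entry)
    if (name !== depName) continue
    // No license qualifier: blanket allow, the existing behaviour.
    if (!('license' in qualifiers)) return 'allow'
    // Pinned license still in force: allow.
    if (qualifiers['license'].toLowerCase() === depLicense) return 'allow'
    // The license changed, so the pinned entry no longer applies; fall through
    // to the deny_licenses check as if the package were not allow-listed.
  }
  return denyLicenses.some(l => l.toLowerCase() === depLicense) ? 'deny' : 'pass'
}

// Usage: the issue's example entry, with the dependency now under a denied license.
const example = evaluate(
  { purl: 'pkg:npm/@foo/bar@3.0.0', license: 'AGPL-3.0-only' },
  ['pkg:npm/@foo/bar?license=GPL-1.0-or-later'],
  ['AGPL-3.0-only'],
)
console.log(example)  // 'deny'
```

A license change to something that is not in `deny_licenses` falls through to `pass`, which is the same outcome the action would give an unlisted package with a non-denied license; only the pinned entry stops applying.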

Labels: enhancement (New feature or request)