fix(license): don't normalize unlicensed licenses into unlicense

[DmitriyLewen]

Description

This PR fixes a bug in license normalization where "unlicensed" licenses were incorrectly being mapped to "Unlicense".

The issue was that both "UNLICENSE" and "UNLICENSED" were being normalized to the same "Unlicense" license expression. However, these represent fundamentally different licensing concepts:

• "Unlicense" (or "The Unlicense") is a public domain dedication license that grants maximum freedom
• "unlicensed" in npm specifically means the package is private/unpublished and the developer grants no rights to use it

The fix removes the mapping of "UNLICENSED" → "Unlicense" from the normalization table, allowing "unlicensed" licenses to be properly categorized as unknown/restricted rather than being incorrectly treated as permissive public domain
licenses.

Example

Before:

➜ trivy -q rootfs --scanners license /Users/dmitriy/work/tmp/9500/package.json --table-mode detailed

Node.js (license)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────┬────────────────┬──────────┐
│          Package          │  License  │ Classification │ Severity │
├───────────────────────────┼───────────┼────────────────┼──────────┤
│ @nxtvid/component-library │ Unlicense │ Unencumbered   │ LOW      │
└───────────────────────────┴───────────┴────────────────┴──────────┘

After:

➜  ./trivy -q rootfs --scanners license /Users/dmitriy/work/tmp/9500/package.json --table-mode detailed

Node.js (license)

Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬────────────┬────────────────┬──────────┐
│          Package          │  License   │ Classification │ Severity │
├───────────────────────────┼────────────┼────────────────┼──────────┤
│ @nxtvid/component-library │ UNLICENSED │ Non Standard   │ UNKNOWN  │
└───────────────────────────┴────────────┴────────────────┴──────────┘

Related issues

• Close Trivy incorrectly reports "UNLICENSED" software as "Unencumbered" #9581

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

Is UNLICENSED only used in npm? Is it possible that in other ecosystems, UNLICENSED means unlicense?

[DmitriyLewen]

I found only one ecosystem that uses the UNLICENSED license:
NuGet applies the same logic — https://github.com/nuget/home/wiki/packaging-license-within-the-nupkg-%28technical-spec%29?utm_source=chatgpt.com#approach-for-in-house-packages—unlicensed

Other ecosystems use similar approaches:

• Composer uses proprietary — https://getcomposer.org/doc/04-schema.md#license
• Ruby uses an empty license field (equivalent to UNLICENSED) — https://guides.rubygems.org/specification-reference/#license=

For other cases:

• you should use an SPDX ID or expression
• or you should provide a license file.

I haven’t found any examples where UNLICENSED is meant to be the same as UNLICENSE.