Dependency's MIT license not picked up when scanning package-lock.json #1113
Comments
Similar issue linked here! Thanks for filing the bug. We'll take a look and see what needs to be done to get licenses populated for dir scans.
@spiffcs thank you! Just to be doubly sure, the above was meant to be me running against a lockfile, and not doing a dir scan! I ran this:
Thanks for the clarification! It's an interesting case because it poses the question "Given some manifest file, should syft traverse extra noninput paths to find additional metadata information?"
I'm going to add it to our community meeting today for discussion since we've knocked around crossing this boundary before but have stayed on the side of reporting only on the truth of the input and not something the tool inferred. At any rate we definitely should solve for
Yes, when you lay it out like that I see more the depth of the complexity. It's even trickier when perhaps the package.json license field and the text in the LICEN[CS]E file don't match! I'm currently using a tool called cdxgen which optionally calls out to a server to get the results, so for big projects it takes a while to respond. Might be worth a look.
I believe this may have been fixed when #845 was implemented -- note: this requires running an
I just went back to validate this and it looks like after running the reproduce steps above we do not get the license from just
The license IS picked up when running
It looks like syft/syft/pkg/cataloger/javascript/cataloger.go, lines 38 to 45 in 1b0cfe7
The correct path for the But the resolver returns an empty slice of locations: I can't remember if we opted for allowing syft to traverse over to node modules even if the user specified only the |
If we do want this to work where node_modules is accounted for as a post catalog task I think we would need to rebuild the tree for this post process function and then use
This is expected behavior when using the
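The lookup the thread is debating, shown as an added example that is not syft's own code: a lockfile-only scan can only report what package-lock.json contains (name and version), while resolving the license means reading node_modules/<path>/package.json, a path the user never named as input. The project files, package names and versions below are constructed for the example.

```go
package main

import (
	"encoding/json"
	"io/fs"
	"strings"
	"testing/fstest"
)

// LicenseReport is one lockfile dependency; Source names the package.json that supplied License.
type LicenseReport struct{ Version, License, Source string }

// ResolveLicenses parses the "packages" map of a v2/v3 package-lock.json from fsys and returns reports keyed
// by package name. traverse=false mirrors a lockfile-only scan (the lockfile carries no license data);
// traverse=true also reads node_modules/<path>/package.json, the non-input path the thread debates.
func ResolveLicenses(fsys fs.FS, traverse bool) (map[string]LicenseReport, error) {
	var lock struct {
		Packages map[string]struct{ Version string `json:"version"` } `json:"packages"`
	}
	raw, err := fs.ReadFile(fsys, "package-lock.json")
	if err != nil {
		return nil, err
	}
	if err := json.Unmarshal(raw, &lock); err != nil {
		return nil, err
	}
	out := map[string]LicenseReport{}
	for path, entry := range lock.Packages {
		if path == "" { // the "" key is the root project, not a dependency
			continue
		}
		// Nested installs look like node_modules/a/node_modules/b: the name is the last segment.
		name := path[strings.LastIndex(path, "node_modules/")+len("node_modules/"):]
		r := LicenseReport{Version: entry.Version}
		if traverse {
			var meta struct{ License string `json:"license"` } // a legacy object-valued "license" fails to decode and counts as absent
			if b, err := fs.ReadFile(fsys, path+"/package.json"); err == nil && json.Unmarshal(b, &meta) == nil && meta.License != "" {
				r.License, r.Source = meta.License, path+"/package.json"
			}
		}
		out[name] = r
	}
	return out, nil
}

// SampleFS is a constructed project: one dependency declares MIT in its package.json, the other none.
func SampleFS() fs.FS {
	return fstest.MapFS{
		"package-lock.json":                        {Data: []byte(`{"lockfileVersion":2,"packages":{"":{"name":"app"},"node_modules/example-dep":{"version":"2.1.0"},"node_modules/unlicensed-dep":{"version":"0.3.0"}}}`)},
		"node_modules/example-dep/package.json":    {Data: []byte(`{"name":"example-dep","license":"MIT"}`)},
		"node_modules/unlicensed-dep/package.json": {Data: []byte(`{"name":"unlicensed-dep"}`)},
	}
}
```

Running ResolveLicenses with traverse=false reproduces the empty licence list the issue reports; with traverse=true the MIT licence appears, and a dependency whose package.json has no license field still comes back empty, which is the mismatch case a scanner has to tolerate.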
What happened
Outputting a CycloneDX SBOM does not pick up the sole dependency's licence in its output.
What you expected to happen:
Given I can see the dependency inside node_modules has a licence (MIT) in its package.json, and it also comes with a LICENSE file with the MIT licence text in it, I would expect the licence to appear in the cyclonedx output.
How to reproduce it (as minimally and precisely as possible):
^ no licence listed in the cyclonedx output.
Anything else we need to know?:
It also doesn't appear if I output with SPDX format. If I try syft-json then it says "licences": [].
Environment:
syft version:
(cat /etc/os-release or similar): OSX 12.4 Monterey.