
Include package licenses #229

Closed
jeff-cook opened this issue Oct 16, 2020 · 4 comments
Labels
ecosystem:java relating to the java ecosystem enhancement New feature or request license relating to software licensing

Comments

@jeff-cook
What would you like to be added:

Output to include license for each package.

Why is this needed:

Anchore inline scan includes the license for each package. Having this would allow for replacing all package info from the inline scan. Once in the output it can be used to determine if the license is allowed or not.

Additional context:

jeff-cook added the "enhancement" (New feature or request) label on Oct 16, 2020

@wagoodman
Contributor

@jeff-cook today if you use the json output format (-o option) there are some catalogers that support populating the licenses field or a similar metadata.licenses field. We are continuing to enhance support for each cataloger, adding more fields as we go (including licenses), but depending on the ecosystem and the existence of the data in the image you should see at least some license fields be populated.

@jeff-cook
Author

The project I'm working with right now has the following types as found by syft.

"deb"
"egg"
"java-archive"
"python-requirements"
"wheel"

There are no licenses keys in the json output file.

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
anchore/syft info checking GitHub for latest tag
anchore/syft info found version: 0.3.0 for v0.3.0/linux/amd64
anchore/syft info installed /usr/local/bin/syft

When a scan is run by the Anchore inline scanner, it finds the license for all packages except for java-archives.
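A policy check of the kind the issue asks for, added here as an example (not Syft's own code): it reads a Syft JSON report (-o json), takes each artifact's licenses from the top-level "licenses" field or, when that is empty, from "metadata.licenses", and sorts packages into allowed, denied and unknown so that entries with no license data (the java-archive case above) are surfaced rather than silently passed. The report layout ("artifacts" list) and the two license entry shapes (plain strings, or objects with "value"/"spdxExpression" keys) are assumptions, and the embedded report is constructed.

```python
import json

# Constructed report in the assumed shape of syft's JSON output: a top-level
# "artifacts" list. Not real scanner output.
SAMPLE_SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "libssl1.1", "version": "1.1.1d-0+deb10u3", "type": "deb",
         "licenses": ["OpenSSL"], "metadata": {}},
        {"name": "requests", "version": "2.24.0", "type": "wheel",
         "licenses": [], "metadata": {"licenses": ["Apache-2.0"]}},
        {"name": "commons-lang3", "version": "3.11", "type": "java-archive",
         "metadata": {}},
        {"name": "example-egg", "version": "0.1", "type": "egg",
         "licenses": [{"value": "GPL-3.0-only", "type": "declared"}]},
    ]
})

ALLOWED = {"Apache-2.0", "MIT", "BSD-3-Clause", "OpenSSL"}

def licenses_of(artifact):
    """Return the license strings for one artifact, checking the top-level
    "licenses" field first and falling back to "metadata.licenses", since
    different catalogers populate one or the other. Entries may be plain
    strings or objects with a "value"/"spdxExpression" key (assumed shapes)."""
    raw = artifact.get("licenses") or artifact.get("metadata", {}).get("licenses") or []
    out = []
    for entry in raw:
        if isinstance(entry, dict):
            entry = entry.get("spdxExpression") or entry.get("value")
        if entry:
            out.append(str(entry))
    return out

def evaluate(report_json, allowed=ALLOWED):
    """Classify every artifact as 'allowed', 'denied' (a license outside the
    allowlist) or 'unknown' (no license recovered at all).
    Returns {status: [(name, version, type, licenses), ...]}."""
    result = {"allowed": [], "denied": [], "unknown": []}
    for art in json.loads(report_json).get("artifacts", []):
        lics = licenses_of(art)
        if not lics:
            status = "unknown"   # missing data is a finding, not a pass
        elif all(lic in allowed for lic in lics):
            status = "allowed"
        else:
            status = "denied"
        result[status].append((art["name"], art.get("version"), art.get("type"), lics))
    return result
```

Run evaluate() on a real report written by syft -o json; "unknown" entries need manual review or another source, exactly the gap this thread describes for java-archive packages.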

@geertvanheusden

@wagoodman First of all, thanks for providing this awesome tool!
Any chance the Java library license information will be added in the near future?

@benken-parasoft

Which catalogers now collect licenses? Just JavaScript or Java too?

No branches or pull requests

5 participants