Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Syft's license not listed for Grype image #2352

Closed
egertoft opened this issue Nov 23, 2023 · 2 comments
Closed

Syft's license not listed for Grype image #2352

egertoft opened this issue Nov 23, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@egertoft
Copy link

The SBOM of the Grype image doesn't show Syft's Apache license, only a BSD-3-Cluase license, even though Grype depends on-/includes the Syft module.

$ docker run anchore/syft:latest -q --output syft-json anchore/grype:latest | jq -r '.artifacts[].licenses[].value' | sort -u
BSD-3-Clause

Similar when running on the Syft image, only the BSD-3-Clause license is listed.

Expected to see Grype's and Syft's Apache License plus several other licenses of the included modules.

Versions:

$ docker run anchore/syft:latest version
Application: syft
Version:    0.97.1
BuildDate:  2023-11-17T21:03:07Z
GitCommit:  7cfb5f630a7a2105d49d65eaaaa2e2c06e4eda73
GitDescription: v0.97.1
Platform:   linux/amd64
GoVersion:  go1.21.3
Compiler:   gc

$ docker run anchore/grype:latest version
Application:         grype
Version:             0.73.3
BuildDate:           2023-11-18T13:05:51Z
GitCommit:           dbe2a9515a99ef1c78e22ead0cbf17b29fb1b674
GitDescription:      v0.73.3
Platform:            linux/amd64
GoVersion:           go1.21.4
Compiler:            gc
Syft Version:        v0.97.1
Supported DB Schema: 5
@egertoft egertoft added the bug Something isn't working label Nov 23, 2023
@tgerla
Copy link
Contributor

tgerla commented Nov 27, 2023

Hi @egertoft, can you make sure that the following Syft configuration options in the "golang" section are set to true? Like this:

golang:
  search-local-mod-cache-licenses: true
  search-remote-licenses: true

Syft by default doesn't reach out to external services for information, but the first setting will enable searching your local module cache, and the second option will have Syft reach out to golang.org for license information. Hope this helps!

@tgerla tgerla moved this to Awaiting Response in OSS Nov 27, 2023
@ddzzj ddzzj mentioned this issue Nov 27, 2023
Open
@stnert stnert mentioned this issue Nov 28, 2023
Open
@ekmixon ekmixon mentioned this issue Nov 28, 2023
Open
@tgerla
Copy link
Contributor

tgerla commented Jan 25, 2024

Since we haven't heard back, I'll go ahead and close this issue but please feel free to reopen it or open a new one if you need more help here. Thanks!

@tgerla tgerla closed this as not planned Won't fix, can't repro, duplicate, stale Jan 25, 2024
@github-project-automation github-project-automation bot moved this from Awaiting Response to Done in OSS Jan 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tgerla @egertoft