Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SBOM generated from poetry lock file contains no license information on any dependencies #3204

Closed
nfelt14 opened this issue Sep 6, 2024 · 6 comments
Assignees
Labels
bug Something isn't working

Comments

@nfelt14
Copy link

nfelt14 commented Sep 6, 2024

What happened:

I am unable to generate an SBOM that contains license information on dependencies from a poetry lock file.

What you expected to happen:
I would expect an SBOM to contain license information.

Steps to reproduce the issue:

  1. Use poetry to generate a lock file
  2. perform a scan on the file

Anything else we need to know?:

Environment:

  • Output of syft version:
Application: syft
Version:    1.11.1
BuildDate:  2024-08-20T16:25:20Z
GitCommit:  95b4a88256bddebb91831250f28f602f8c36552a
GitDescription: v1.11.1
Platform:   windows/amd64
GoVersion:  go1.22.6
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar): Windows/Ubuntu
@nfelt14 nfelt14 added the bug Something isn't working label Sep 6, 2024
@nfelt14
Copy link
Author

nfelt14 commented Sep 6, 2024

There is also no license information for any of the GitHub actions that are used in the repo.

@spiffcs spiffcs self-assigned this Sep 9, 2024
@spiffcs
Copy link
Contributor

spiffcs commented Sep 9, 2024

Thanks @nfelt14 for the issue! I didn't know poetry.lock allowed for a field that contained license metadata. I tried searching for the specific documentation outlining the poetry.lock specification and only found this:
https://github.com/orgs/python-poetry/discussions/6763

Do you have an example project with a lot of licenses we could use as a basis for development?

The only example I could find in our org has a single license ukkonen

[[package]]
name = "identify"
version = "2.6.0"
description = "File identification library for Python"
optional = false
python-versions = ">=3.8"
files = [
    {file = "identify-2.6.0-py2.py3-none-any.whl", hash = "sha256:e79ae4406387a9d300332b5fd366d8994f1525e8414984e1a59e058b2eda2dd0"},
    {file = "identify-2.6.0.tar.gz", hash = "sha256:cb171c685bdc31bcc4c1734698736a7d5b6c8bf2e0c15117f4d469c8640ae5cf"},
]

[package.extras]
license = ["ukkonen"]

Is this license under extras the correct field, or is this extras an optional package that requires the package ukkonen?

I'm unclear on which field we should be grabbing to associate a license to the [[package]]

I also noticed here that the license for identify is MIT:
https://github.com/pre-commit/identify/blob/main/setup.cfg

This does NOT show up in our poetry.lock when consuming this package as you can see above.
Is there an extra option when running poetry that would populate the field?

@nfelt14
Copy link
Author

nfelt14 commented Sep 9, 2024

We are trying to generate SBOMs for this repo: https://github.com/tektronix/tm_devices

The workflow is here: https://github.com/tektronix/tm_devices/actions/workflows/sbom-scan.yml

After I spent more time looking into it, it may be a lack of information that poetry provides, so I don't know if there is much that can be done on this side.

@spiffcs
Copy link
Contributor

spiffcs commented Sep 10, 2024

No worries! This looks like a good candidate for #1115

  • If there is a url we can use from the poetry lock we can probably enhance the cataloger to color in this license information if you're running syft in an environment where you don't care about network connections going out to find more information about what is being cataloged into the SBOM.

@nfelt14
Copy link
Author

nfelt14 commented Sep 10, 2024

No worries! This looks like a good candidate for #1115

  • If there is a url we can use from the poetry lock we can probably enhance the cataloger to color in this license information if you're running syft in an environment where you don't care about network connections going out to find more information about what is being cataloged into the SBOM.

That would work great!

@spiffcs spiffcs closed this as completed Sep 23, 2024
@github-project-automation github-project-automation bot moved this to Done in OSS Sep 23, 2024
@spiffcs
Copy link
Contributor

spiffcs commented Sep 23, 2024

Tagged this in #1115 closing as it will be implemented as a part of that issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Archived in project
Development

No branches or pull requests

2 participants