SBOM generated from poetry lock file contains no license information on any dependencies #3204
Comments
There is also no license information for any of the GitHub actions that are used in the repo.
Thanks @nfelt14 for the issue! I didn't know Do you have an example project with a lot of licenses we could use as a basis for development? The only example I could find in our org has a single license
Is this license under I'm unclear on which field we should be grabbing to associate a license to the I also noticed here that the license for identify is MIT: This does NOT show up in our poetry.lock when consuming this package as you can see above.
We are trying to generate SBOMs for this repo: https://github.com/tektronix/tm_devices The workflow is here: https://github.com/tektronix/tm_devices/actions/workflows/sbom-scan.yml After I spent more time looking into it, it may be a lack of information that poetry provides, so I don't know if there is much that can be done on this side.
No worries! This looks like a good candidate for #1115
That would work great!
Tagged this in #1115, closing as it will be implemented as a part of that issue.
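The thread's conclusion is that poetry.lock records package identity but not licenses, so an SBOM built from it alone has nothing to fill the license field. The example below (added here; not syft's code and not from the tm_devices project) parses a constructed poetry.lock excerpt with a minimal line-based reader to show which keys are present, then fills licenses from the installed distributions' METADATA via `importlib.metadata`, which is where that information actually lives for Python packages. The package names, versions and the `sha256:PLACEHOLDER` hash are constructed sample values.

```python
import re
from importlib.metadata import PackageNotFoundError, metadata

# Constructed excerpt in poetry.lock's format (not a real lock file): each
# [[package]] table records name, version, hashes, but never a license key.
SAMPLE_LOCK = """\
[[package]]
name = "identify"
version = "2.6.0"
files = [{file = "identify-2.6.0-py2.py3-none-any.whl", hash = "sha256:PLACEHOLDER"}]

[[package]]
name = "requests"
version = "2.32.3"
"""
_KV = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*$')

def parse_poetry_lock(text):
    """One dict per [[package]] table holding its top-level string keys."""
    packages = []
    for line in text.splitlines():
        if line.strip() == "[[package]]":
            packages.append({})
        elif packages and (m := _KV.match(line)):
            packages[-1][m.group(1)] = m.group(2)
    return packages

def license_from_metadata(name):
    """License from an installed distribution's METADATA; None if absent."""
    try:
        md = metadata(name)
    except PackageNotFoundError:
        return None
    for field in ("License-Expression", "License"):  # PEP 639 field first
        if md.get(field) and md[field] != "UNKNOWN":
            return md[field]
    for cls in md.get_all("Classifier") or []:  # last resort: trove classifier
        if cls.startswith("License ::"):
            return cls.rsplit("::", 1)[-1].strip()
    return None

def sbom_components(lock_text):
    """Minimal CycloneDX-style components; license only when METADATA has it."""
    comps = []
    for pkg in parse_poetry_lock(lock_text):
        comp = {"type": "library", "name": pkg["name"], "version": pkg["version"]}
        lic = license_from_metadata(pkg["name"])
        if lic:
            comp["licenses"] = [{"license": {"name": lic}}]
        comps.append(comp)
    return comps
```

Run it inside the project's virtualenv: components whose distributions are installed get a license entry, the rest show exactly the gap the issue describes.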
What happened:
I am unable to generate an SBOM that contains license information on dependencies from a poetry lock file.
What you expected to happen:
I would expect an SBOM to contain license information.
Steps to reproduce the issue:
Anything else we need to know?:
Environment:
syft version:
OS (e.g. cat /etc/os-release or similar): Windows/Ubuntu