
No licenses included in scan with yarn.lock #845

Closed
geret1 opened this issue Feb 23, 2022 · 7 comments · Fixed by #1152
Labels
bug Something isn't working ecosystem:javascript relating to the javascript ecosystem license relating to software licensing

Comments

geret1 commented Feb 23, 2022

What happened:

Getting an SBOM from a project results in an SPDX-JSON file with all licenses NONE.

What you expected to happen:

An SPDX-JSON file with licenses concluded as something other than NONE.

How to reproduce it (as minimally and precisely as possible):

As we discussed in Slack, you only need a dummy Node.js project with a yarn.lock and node_modules.

Anything else we need to know?:

Nope.

Environment:

  • Output of syft version: 0.38.0
  • OS (e.g: cat /etc/os-release or similar): OS X (tested locally)
@geret1 geret1 added the bug Something isn't working label Feb 23, 2022
@kzantow kzantow changed the title Exclude node_modules from scans with yarn.lock No licenses include in scan with yarn.lock Feb 23, 2022
@kzantow kzantow changed the title No licenses include in scan with yarn.lock No licenses included in scan with yarn.lock Feb 23, 2022
@martin-langhoff

Same here. I just scanned a couple of codebases, and Syft lists no licenses – using the straight JSON output format. The corpus includes packages.json and packages-lock.json files as well as requirements.txt files with many well-known packages (Angular, React, popular Python packages...).

@martin-langhoff

Seems related to discussion in #229

@luhring luhring added the ecosystem:javascript relating to the javascript ecosystem label Mar 25, 2022
luhring (Contributor) commented Mar 25, 2022

Hi, just a note here — Syft is inspecting different files for package evidence depending on whether Syft is scanning a local directory or a container image. For directory scans, Syft looks for evidence of packages that are described but not necessarily installed, so files like package-lock.json, yarn.lock and requirements.txt. Also, Syft doesn't (yet) perform any remote queries to supplement its discovered package data — all analysis is static and local.

This means that if Syft scans a file that doesn't have license information, there's no way for Syft to surface license information.

Syft behaves differently when scanning container images, because its strategy shifts to finding evidence of software that has already been installed. In this case, Syft looks for files like package.json as proof for installation, and in these files, Syft is able to detect license information.

One common enhancement request is for users to be able to control when Syft looks for what kinds of evidence. We're tracking that here: #465

geret1 (Author) commented Mar 25, 2022

But if we run Syft locally on our projects (i.e. a JavaScript project), it would be nice to take a look at node_modules to identify licenses in the supply chain, and that is static analysis, no? We can apply the same procedure in a CI/CD pipeline.

luhring (Contributor) commented Mar 28, 2022

Right, we can adjust Syft to enable that method of scanning — that's what we're talking about in #465 (see above).

@wagoodman wagoodman added the license relating to software licensing label Apr 28, 2022
@spiffcs spiffcs assigned spiffcs and unassigned spiffcs May 31, 2022
geret1 (Author) commented Jul 15, 2022

Any updates? It seems data catalogs are included and merged, but I'm not sure if it covers this issue.

@henrysachs (Contributor)

Hi there, just stumbled across this. Would it be possible to just take the license from the package-lock.json? lockfileVersion 2 includes this field (not in yarn.lock or other lock files). I would also be interested in doing it as a kind of first-time contribution, but I can't estimate whether that's a difficult issue. I also read that one day Syft will do dynamic analysis, so I'm not sure if it would be "worth it".

example:

    "node_modules/@angular-devkit/architect/node_modules/rxjs": {
      "version": "6.6.7",
      "resolved": "https://bahnhub.tech.rz.db.de:443/artifactory/api/npm/default-npm-3rdparty/rxjs/-/rxjs-6.6.7.tgz",
      "integrity": "sha1-kKwBisq/SRv2UEQjXVhjxNq4BMk=",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
        "tslib": "^1.9.0"
      },
      "engines": {
        "npm": ">=2.0.0"
      }
    },
