-
Notifications
You must be signed in to change notification settings - Fork 567
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No licenses included in scan with yarn.lock #845
Comments
Same here. I just scanned a couple of codebases, and Syft lists no licenses – using the straight JSON output format. The corpus includes packages.json and packages-lock.json files as well as requirements.txt files with many well known packages (Angular, React, popular Python packages...). |
Seems related to discussion in #229 |
Hi, just a note here — Syft is inspecting different files for package evidence depending on whether Syft is scanning a local directory or a container image. For directory scans, Syft looks for evidence of packages that are described but not necessarily installed, so files like This means that if Syft scans a file that doesn't have license information, there's no way for Syft to surface license information. Syft behaves differently when scanning container images, because its strategy shifts to finding evidence of software that has already been installed. In this case, Syft looks for files like One common enhancement request is for users to be able to control when Syft looks for what kinds of evidence. We're tracking that here: #465 |
But, if we run Syft locally in our projects (i.e. Javascript project) it would be nice to take a look at node_modules to identify licenses in the supply chain and it is static analysis no? we can apply the same procedure into a CICD pipeline. |
Right, we can adjust Syft to enable that method of scanning — that's what we're talking about in #465 (see above). |
any updates? it seems data catalogs are included and merged but not sure if it covers this issue |
Hi There, just stumbled across this. Would it be possible to just take the license from the example:
|
What happened:
Get SBOM from a project result in an SPDX-JSON file with all licenses NONE.
What you expected to happen:
SPDX-JSON file with licenses concluded differently than NONE
How to reproduce it (as minimally and precisely as possible):
As we discussed in Slack, you only need to have a dummy nodeJS project with
yarn.lock
andnode_modules
Anything else we need to know?:
Nope.
Environment:
syft version
: 0.38.0cat /etc/os-release
or similar): OS X (tested locally)The text was updated successfully, but these errors were encountered: