diff --git a/docs/docs/references/configuration/cli/trivy.md b/docs/docs/references/configuration/cli/trivy.md
index f11635a25992..f3c543a210f9 100644
--- a/docs/docs/references/configuration/cli/trivy.md
+++ b/docs/docs/references/configuration/cli/trivy.md
@@ -53,7 +53,7 @@ trivy [global flags] command [flags] target
 * [trivy plugin](trivy_plugin.md) - Manage plugins
 * [trivy repository](trivy_repository.md) - Scan a repository
 * [trivy rootfs](trivy_rootfs.md) - Scan rootfs
-* [trivy sbom](trivy_sbom.md) - Scan SBOM for vulnerabilities
+* [trivy sbom](trivy_sbom.md) - Scan SBOM for vulnerabilities and licenses
 * [trivy server](trivy_server.md) - Server mode
 * [trivy version](trivy_version.md) - Print the version
 * [trivy vm](trivy_vm.md) - [EXPERIMENTAL] Scan a virtual machine image
diff --git a/docs/docs/references/configuration/cli/trivy_sbom.md b/docs/docs/references/configuration/cli/trivy_sbom.md
index 04e024f5e656..67acca38286c 100644
--- a/docs/docs/references/configuration/cli/trivy_sbom.md
+++ b/docs/docs/references/configuration/cli/trivy_sbom.md
@@ -1,6 +1,6 @@
 ## trivy sbom
 
-Scan SBOM for vulnerabilities
+Scan SBOM for vulnerabilities and licenses
 
 ```
 trivy sbom [flags] SBOM_PATH
@@ -36,6 +36,7 @@ trivy sbom [flags] SBOM_PATH
 --ignore-policy string specify the Rego file path to evaluate each vulnerability
 --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
 --ignore-unfixed display only fixed vulnerabilities
+ --ignored-licenses strings specify a list of license to ignore
 --ignorefile string specify .trivyignore file (default ".trivyignore")
 --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
 --list-all-pkgs enabling the option will output all packages regardless of vulnerability
@@ -50,6 +51,7 @@ trivy sbom [flags] SBOM_PATH
 --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
 --reset remove all caches and database
 --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+ --scanners strings comma-separated list of what security issues to detect (vuln,license) (default [vuln])
 --server string server address in client mode
 -s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
 --show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
diff --git a/docs/docs/scanner/license.md b/docs/docs/scanner/license.md
index dad487965481..6033542e4bea 100644
--- a/docs/docs/scanner/license.md
+++ b/docs/docs/scanner/license.md
@@ -30,10 +30,10 @@ To configure the confidence level, you can use `--license-confidence-level`. Thi
 
 Currently, the standard license scanning doesn't support filesystem and repository scanning.
 
-| License scanning | Image | Rootfs | Filesystem | Repository |
-| :-------------------: | :---: | :----: | :--------: | :--------: |
-| Standard | ✅ | ✅ | - | - |
-| Full (--license-full) | ✅ | ✅ | ✅ | ✅ |
+| License scanning | Image | Rootfs | Filesystem | Repository | SBOM |
+|:---------------------:|:-----:|:------:|:----------:|:----------:|:----:|
+| Standard | ✅ | ✅ | - | - | ✅ |
+| Full (--license-full) | ✅ | ✅ | ✅ | ✅ | - |
 
 License checking classifies the identified licenses and map the classification to severity.
 
diff --git a/docs/docs/target/sbom.md b/docs/docs/target/sbom.md
index a287455fc68a..4ea50035df1c 100644
--- a/docs/docs/target/sbom.md
+++ b/docs/docs/target/sbom.md
@@ -1,6 +1,6 @@
 # SBOM scanning
 
-Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
+Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.
 
 - CycloneDX
 - SPDX
@@ -17,6 +17,9 @@ $ trivy sbom /path/to/sbom_file
 ```
 
+By default, vulnerability scan in SBOM is executed. You can use `--scanners vuln,license`
+command property to select also license scan, or `--scanners license` alone.
+
 !!! note
 Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
 because Trivy relies on custom properties in SBOM for accurate scanning.
diff --git a/integration/sbom_test.go b/integration/sbom_test.go
index dc18cb43bceb..5c1439b98665 100644
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -19,6 +19,7 @@ func TestSBOM(t *testing.T) {
 input string
 format string
 artifactType string
+ scanners string
 }
 tests := []struct {
 name string
@@ -150,6 +151,16 @@ func TestSBOM(t *testing.T) {
 },
 },
 },
+ {
+ name: "license check cyclonedx json",
+ args: args{
+ input: "testdata/fixtures/sbom/license-cyclonedx.json",
+ format: "json",
+ artifactType: "cyclonedx",
+ scanners: "license",
+ },
+ golden: "testdata/license-cyclonedx.json.golden",
+ },
 }
 
 // Set up testing DB
@@ -157,6 +168,11 @@ func TestSBOM(t *testing.T) {
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
+ scanners := "vuln"
+ if tt.args.scanners != "" {
+ scanners = tt.args.scanners
+ }
+
 osArgs := []string{
 "--cache-dir",
 cacheDir,
@@ -165,6 +181,8 @@ func TestSBOM(t *testing.T) {
 "--skip-db-update",
 "--format",
 tt.args.format,
+ "--scanners",
+ scanners,
 }
 
 // Set up the output file
diff --git a/integration/testdata/fixtures/sbom/license-cyclonedx.json b/integration/testdata/fixtures/sbom/license-cyclonedx.json
new file mode 100644
index 000000000000..af1db6f9b8b1
--- /dev/null
+++ b/integration/testdata/fixtures/sbom/license-cyclonedx.json
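Review bot: The sbom command's own default scanner selection is never exercised by this test, because the loop body always passes `--scanners`: the `scanners := "vuln"` fallback added here and the unconditional `"--scanners", scanners` pair in the `@@ -165,6 +181,8 @@` hunk below. A case that leaves `args.scanners` empty therefore runs the same code path as `--scanners vuln` instead of the flag's built-in default, so a regression in that default would pass this suite. Dropping the fallback and appending the flag only when the case sets it keeps the default covered: `if tt.args.scanners != "" { osArgs = append(osArgs, "--scanners", tt.args.scanners) }` placed after the `osArgs` literal is closed. TestSBOM starts before this hunk and the `osArgs` literal is closed in the next one.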
@@ -0,0 +1,898 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:c09512e3-47e7-4eff-8f76-5d7ae72b26a5", + "version": 1, + "metadata": { + "timestamp": "2024-03-10T14:57:31+00:00", + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, + "component": { + "bom-ref": "acc9d4aa-4158-4969-a497-637e114fde0c", + "type": "application", + "name": "C:/Users/bedla.czech/IdeaProjects/sbom-demo", + "properties": [ + { + "name": "aquasecurity:trivy:SchemaVersion", + "value": "2" + } + ] + } + }, + "components": [ + { + "bom-ref": "eb56cd49-da98-4b08-bfc8-9880fb063cf1", + "type": "application", + "name": "pom.xml", + "properties": [ + { + "name": "aquasecurity:trivy:Class", + "value": "lang-pkgs" + }, + { + "name": "aquasecurity:trivy:Type", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/aopalliance/aopalliance@1.0", + "type": "library", + "group": "aopalliance", + "name": "aopalliance", + "version": "1.0", + "licenses": [ + { + "license": { + "name": "Unlicense" + } + } + ], + "purl": "pkg:maven/aopalliance/aopalliance@1.0", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "aopalliance:aopalliance:1.0" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/javax.annotation/jsr250-api@1.0", + "type": "library", + "group": "javax.annotation", + "name": "jsr250-api", + "version": "1.0", + "licenses": [ + { + "license": { + "name": "CDDL-1.0" + } + } + ], + "purl": "pkg:maven/javax.annotation/jsr250-api@1.0", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "javax.annotation:jsr250-api:1.0" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/junit/junit@4.13.2", + "type": "library", + "group": "junit", + "name": "junit", + "version": "4.13.2", 
+ "licenses": [ + { + "license": { + "name": "Eclipse Public License 1.0" + } + } + ], + "purl": "pkg:maven/junit/junit@4.13.2", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "junit:junit:4.13.2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.apache.commons/commons-lang3@3.12.0", + "type": "library", + "group": "org.apache.commons", + "name": "commons-lang3", + "version": "3.12.0", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.apache.commons:commons-lang3:3.12.0" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20", + "type": "library", + "group": "org.codehaus.plexus", + "name": "plexus-utils", + "version": "3.0.20", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.codehaus.plexus:plexus-utils:3.0.20" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1", + "type": "library", + "group": "org.codehaus.woodstox", + "name": "stax2-api", + "version": "4.2.1", + "licenses": [ + { + "license": { + "name": "BSD-4-Clause" + } + } + ], + "purl": "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.codehaus.woodstox:stax2-api:4.2.1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.cyclonedx/cyclonedx-maven-plugin@2.7.11", + "type": "library", + "group": "org.cyclonedx", + "name": "cyclonedx-maven-plugin", + "version": "2.7.11", + "licenses": [ + { + 
"license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:maven/org.cyclonedx/cyclonedx-maven-plugin@2.7.11", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.cyclonedx:cyclonedx-maven-plugin:2.7.11" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1", + "type": "library", + "group": "org.eclipse.sisu", + "name": "org.eclipse.sisu.plexus", + "version": "0.3.0.M1", + "licenses": [ + { + "license": { + "name": "EPL-1.0" + } + } + ], + "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.eclipse.sisu:org.eclipse.sisu.plexus:0.3.0.M1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.hamcrest/hamcrest@2.2", + "type": "library", + "group": "org.hamcrest", + "name": "hamcrest", + "version": "2.2", + "licenses": [ + { + "license": { + "name": "BSD License 3" + } + } + ], + "purl": "pkg:maven/org.hamcrest/hamcrest@2.2", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.hamcrest:hamcrest:2.2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.ow2.asm/asm@9.5", + "type": "library", + "group": "org.ow2.asm", + "name": "asm", + "version": "9.5", + "licenses": [ + { + "license": { + "name": "BSD-3-Clause" + } + } + ], + "purl": "pkg:maven/org.ow2.asm/asm@9.5", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.ow2.asm:asm:9.5" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.slf4j/slf4j-api@2.0.11", + "type": "library", + "group": "org.slf4j", + "name": "slf4j-api", + "version": "2.0.11", + "licenses": [ + { + "license": { + "name": "MIT License" + } + } + ], + "purl": "pkg:maven/org.slf4j/slf4j-api@2.0.11", + 
"properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.slf4j:slf4j-api:2.0.11" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + }, + { + "bom-ref": "pkg:maven/org.sonatype.plexus/plexus-cipher@1.4", + "type": "library", + "group": "org.sonatype.plexus", + "name": "plexus-cipher", + "version": "1.4", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + } + ], + "purl": "pkg:maven/org.sonatype.plexus/plexus-cipher@1.4", + "properties": [ + { + "name": "aquasecurity:trivy:PkgID", + "value": "org.sonatype.plexus:plexus-cipher:1.4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "pom" + } + ] + } + ], + "dependencies": [ + { + "ref": "acc9d4aa-4158-4969-a497-637e114fde0c", + "dependsOn": [ + "eb56cd49-da98-4b08-bfc8-9880fb063cf1" + ] + }, + { + "ref": "eb56cd49-da98-4b08-bfc8-9880fb063cf1", + "dependsOn": [ + "pkg:maven/com.example/demo@0.0.1-SNAPSHOT", + "pkg:maven/org.cyclonedx/cyclonedx-maven-plugin@2.7.11", + "pkg:maven/org.springframework.boot/spring-boot-starter-jdbc@3.1.8", + "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.8" + ] + }, + { + "ref": "pkg:maven/aopalliance/aopalliance@1.0", + "dependsOn": [] + }, + { + "ref": "pkg:maven/ch.qos.logback/logback-classic@1.4.14", + "dependsOn": [ + "pkg:maven/ch.qos.logback/logback-core@1.4.14", + "pkg:maven/org.slf4j/slf4j-api@2.0.11" + ] + }, + { + "ref": "pkg:maven/ch.qos.logback/logback-core@1.4.14", + "dependsOn": [] + }, + { + "ref": "pkg:maven/com.ethlo.time/itu@1.7.0", + "dependsOn": [] + }, + { + "ref": "pkg:maven/com.example/demo@0.0.1-SNAPSHOT", + "dependsOn": [ + "pkg:maven/org.cyclonedx/cyclonedx-maven-plugin@2.7.11", + "pkg:maven/org.springframework.boot/spring-boot-starter-jdbc@3.1.8", + "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.8" + ] + }, + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.3", + "dependsOn": [] + }, + { + "ref": 
"pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3", + "dependsOn": [] + }, + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3", + "dependsOn": [ + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.3", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3" + ] + }, + { + "ref": "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.15.3", + "dependsOn": [ + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.3", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3", + "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.5.1", + "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1" + ] + }, + { + "ref": "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.15.3", + "dependsOn": [ + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3" + ] + }, + { + "ref": "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.15.3", + "dependsOn": [ + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.3", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3" + ] + }, + { + "ref": "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.15.3", + "dependsOn": [ + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3" + ] + }, + { + "ref": "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.5.1", + "dependsOn": [ + "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1" + ] + }, + { + "ref": "pkg:maven/com.github.package-url/packageurl-java@1.4.1", + "dependsOn": [] + }, + { + "ref": "pkg:maven/com.google.guava/guava@16.0.1", + "dependsOn": [] + }, + { + "ref": "pkg:maven/com.networknt/json-schema-validator@1.0.77", + "dependsOn": [ + "pkg:maven/com.ethlo.time/itu@1.7.0", + 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3", + "pkg:maven/org.slf4j/slf4j-api@2.0.11" + ] + }, + { + "ref": "pkg:maven/com.zaxxer/HikariCP@5.0.1", + "dependsOn": [ + "pkg:maven/org.slf4j/slf4j-api@2.0.11" + ] + }, + { + "ref": "pkg:maven/commons-codec/commons-codec@1.15", + "dependsOn": [] + }, + { + "ref": "pkg:maven/commons-io/commons-io@2.11.0", + "dependsOn": [] + }, + { + "ref": "pkg:maven/io.micrometer/micrometer-commons@1.11.8", + "dependsOn": [] + }, + { + "ref": "pkg:maven/io.micrometer/micrometer-observation@1.11.8", + "dependsOn": [ + "pkg:maven/io.micrometer/micrometer-commons@1.11.8" + ] + }, + { + "ref": "pkg:maven/jakarta.annotation/jakarta.annotation-api@2.1.1", + "dependsOn": [] + }, + { + "ref": "pkg:maven/javax.annotation/jsr250-api@1.0", + "dependsOn": [] + }, + { + "ref": "pkg:maven/javax.enterprise/cdi-api@1.0", + "dependsOn": [ + "pkg:maven/javax.annotation/jsr250-api@1.0", + "pkg:maven/javax.inject/javax.inject@1" + ] + }, + { + "ref": "pkg:maven/javax.inject/javax.inject@1", + "dependsOn": [] + }, + { + "ref": "pkg:maven/junit/junit@4.13.2", + "dependsOn": [ + "pkg:maven/org.hamcrest/hamcrest-core@2.2" + ] + }, + { + "ref": "pkg:maven/org.apache.commons/commons-lang3@3.12.0", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.20.0", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.20.0", + "dependsOn": [ + "pkg:maven/org.apache.logging.log4j/log4j-api@2.20.0", + "pkg:maven/org.slf4j/slf4j-api@2.0.11" + ] + }, + { + "ref": "pkg:maven/org.apache.maven.shared/maven-dependency-analyzer@1.13.2", + "dependsOn": [ + "pkg:maven/commons-io/commons-io@2.11.0", + "pkg:maven/javax.inject/javax.inject@1", + "pkg:maven/org.apache.maven/maven-core@3.2.5", + "pkg:maven/org.ow2.asm/asm@9.5", + "pkg:maven/org.slf4j/slf4j-api@2.0.11" + ] + }, + { + "ref": "pkg:maven/org.apache.maven.shared/maven-dependency-tree@3.2.1", + "dependsOn": [ + 
"pkg:maven/org.eclipse.aether/aether-util@1.0.0.v20140518", + "pkg:maven/org.slf4j/slf4j-api@2.0.11" + ] + }, + { + "ref": "pkg:maven/org.apache.maven/maven-aether-provider@3.2.5", + "dependsOn": [ + "pkg:maven/org.apache.maven/maven-model-builder@3.2.5", + "pkg:maven/org.apache.maven/maven-repository-metadata@3.2.5", + "pkg:maven/org.codehaus.plexus/plexus-component-annotations@1.5.5", + "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20", + "pkg:maven/org.eclipse.aether/aether-api@1.0.0.v20140518", + "pkg:maven/org.eclipse.aether/aether-impl@1.0.0.v20140518", + "pkg:maven/org.eclipse.aether/aether-spi@1.0.0.v20140518", + "pkg:maven/org.eclipse.aether/aether-util@1.0.0.v20140518" + ] + }, + { + "ref": "pkg:maven/org.apache.maven/maven-core@3.2.5", + "dependsOn": [ + "pkg:maven/org.apache.maven/maven-aether-provider@3.2.5", + "pkg:maven/org.apache.maven/maven-model-builder@3.2.5", + "pkg:maven/org.apache.maven/maven-plugin-api@3.2.5", + "pkg:maven/org.apache.maven/maven-repository-metadata@3.2.5", + "pkg:maven/org.apache.maven/maven-settings-builder@3.2.5", + "pkg:maven/org.apache.maven/maven-settings@3.2.5", + "pkg:maven/org.codehaus.plexus/plexus-classworlds@2.5.2", + "pkg:maven/org.codehaus.plexus/plexus-component-annotations@1.5.5", + "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.21", + "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20", + "pkg:maven/org.eclipse.aether/aether-api@1.0.0.v20140518", + "pkg:maven/org.eclipse.aether/aether-impl@1.0.0.v20140518", + "pkg:maven/org.eclipse.aether/aether-util@1.0.0.v20140518", + "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1", + "pkg:maven/org.sonatype.plexus/plexus-sec-dispatcher@1.3", + "pkg:maven/org.sonatype.sisu/sisu-guice@3.2.3" + ] + }, + { + "ref": "pkg:maven/org.apache.maven/maven-model-builder@3.2.5", + "dependsOn": [ + "pkg:maven/org.codehaus.plexus/plexus-component-annotations@1.5.5", + "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.21", + 
"pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20" + ] + }, + { + "ref": "pkg:maven/org.apache.maven/maven-plugin-api@3.2.5", + "dependsOn": [ + "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1" + ] + }, + { + "ref": "pkg:maven/org.apache.maven/maven-repository-metadata@3.2.5", + "dependsOn": [ + "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20" + ] + }, + { + "ref": "pkg:maven/org.apache.maven/maven-settings-builder@3.2.5", + "dependsOn": [ + "pkg:maven/org.apache.maven/maven-settings@3.2.5", + "pkg:maven/org.codehaus.plexus/plexus-component-annotations@1.5.5", + "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.21", + "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20", + "pkg:maven/org.sonatype.plexus/plexus-sec-dispatcher@1.3" + ] + }, + { + "ref": "pkg:maven/org.apache.maven/maven-settings@3.2.5", + "dependsOn": [ + "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20" + ] + }, + { + "ref": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.18", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@10.1.18", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@10.1.18", + "dependsOn": [ + "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.18" + ] + }, + { + "ref": "pkg:maven/org.codehaus.plexus/plexus-classworlds@2.5.2", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.codehaus.plexus/plexus-component-annotations@1.5.5", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.21", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.cyclonedx/cyclonedx-core-java@7.3.2", + "dependsOn": [ + "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.15.3", + "pkg:maven/com.github.package-url/packageurl-java@1.4.1", + 
"pkg:maven/com.networknt/json-schema-validator@1.0.77", + "pkg:maven/commons-codec/commons-codec@1.15", + "pkg:maven/commons-io/commons-io@2.11.0", + "pkg:maven/org.apache.commons/commons-lang3@3.12.0" + ] + }, + { + "ref": "pkg:maven/org.cyclonedx/cyclonedx-maven-plugin@2.7.11", + "dependsOn": [ + "pkg:maven/commons-codec/commons-codec@1.15", + "pkg:maven/org.apache.commons/commons-lang3@3.12.0", + "pkg:maven/org.apache.maven.shared/maven-dependency-analyzer@1.13.2", + "pkg:maven/org.apache.maven.shared/maven-dependency-tree@3.2.1", + "pkg:maven/org.cyclonedx/cyclonedx-core-java@7.3.2" + ] + }, + { + "ref": "pkg:maven/org.eclipse.aether/aether-api@1.0.0.v20140518", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.eclipse.aether/aether-impl@1.0.0.v20140518", + "dependsOn": [ + "pkg:maven/org.eclipse.aether/aether-api@1.0.0.v20140518", + "pkg:maven/org.eclipse.aether/aether-spi@1.0.0.v20140518", + "pkg:maven/org.eclipse.aether/aether-util@1.0.0.v20140518" + ] + }, + { + "ref": "pkg:maven/org.eclipse.aether/aether-spi@1.0.0.v20140518", + "dependsOn": [ + "pkg:maven/org.eclipse.aether/aether-api@1.0.0.v20140518" + ] + }, + { + "ref": "pkg:maven/org.eclipse.aether/aether-util@1.0.0.v20140518", + "dependsOn": [ + "pkg:maven/org.eclipse.aether/aether-api@1.0.0.v20140518" + ] + }, + { + "ref": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.inject@0.3.0.M1", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1", + "dependsOn": [ + "pkg:maven/javax.enterprise/cdi-api@1.0", + "pkg:maven/org.codehaus.plexus/plexus-classworlds@2.5.2", + "pkg:maven/org.codehaus.plexus/plexus-component-annotations@1.5.5", + "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20", + "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.inject@0.3.0.M1" + ] + }, + { + "ref": "pkg:maven/org.hamcrest/hamcrest-core@2.2", + "dependsOn": [ + "pkg:maven/org.hamcrest/hamcrest@2.2" + ] + }, + { + "ref": "pkg:maven/org.hamcrest/hamcrest@2.2", + "dependsOn": [] + }, + { + 
"ref": "pkg:maven/org.ow2.asm/asm@9.5", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.slf4j/jul-to-slf4j@2.0.11", + "dependsOn": [ + "pkg:maven/org.slf4j/slf4j-api@2.0.11" + ] + }, + { + "ref": "pkg:maven/org.slf4j/slf4j-api@2.0.11", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.sonatype.plexus/plexus-cipher@1.4", + "dependsOn": [ + "pkg:maven/junit/junit@4.13.2" + ] + }, + { + "ref": "pkg:maven/org.sonatype.plexus/plexus-sec-dispatcher@1.3", + "dependsOn": [ + "pkg:maven/junit/junit@4.13.2", + "pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20", + "pkg:maven/org.sonatype.plexus/plexus-cipher@1.4" + ] + }, + { + "ref": "pkg:maven/org.sonatype.sisu/sisu-guice@3.2.3", + "dependsOn": [ + "pkg:maven/aopalliance/aopalliance@1.0", + "pkg:maven/com.google.guava/guava@16.0.1", + "pkg:maven/javax.inject/javax.inject@1" + ] + }, + { + "ref": "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@3.1.8", + "dependsOn": [ + "pkg:maven/org.springframework.boot/spring-boot@3.1.8" + ] + }, + { + "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-jdbc@3.1.8", + "dependsOn": [ + "pkg:maven/com.zaxxer/HikariCP@5.0.1", + "pkg:maven/org.springframework.boot/spring-boot-starter@3.1.8", + "pkg:maven/org.springframework/spring-jdbc@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-json@3.1.8", + "dependsOn": [ + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3", + "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.15.3", + "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.15.3", + "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.15.3", + "pkg:maven/org.springframework.boot/spring-boot-starter@3.1.8", + "pkg:maven/org.springframework/spring-web@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-logging@3.1.8", + "dependsOn": [ + "pkg:maven/ch.qos.logback/logback-classic@1.4.14", + 
"pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.20.0", + "pkg:maven/org.slf4j/jul-to-slf4j@2.0.11" + ] + }, + { + "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@3.1.8", + "dependsOn": [ + "pkg:maven/jakarta.annotation/jakarta.annotation-api@2.1.1", + "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.18", + "pkg:maven/org.apache.tomcat.embed/tomcat-embed-el@10.1.18", + "pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@10.1.18" + ] + }, + { + "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.8", + "dependsOn": [ + "pkg:maven/org.springframework.boot/spring-boot-starter-json@3.1.8", + "pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@3.1.8", + "pkg:maven/org.springframework.boot/spring-boot-starter@3.1.8", + "pkg:maven/org.springframework/spring-web@6.0.16", + "pkg:maven/org.springframework/spring-webmvc@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework.boot/spring-boot-starter@3.1.8", + "dependsOn": [ + "pkg:maven/jakarta.annotation/jakarta.annotation-api@2.1.1", + "pkg:maven/org.springframework.boot/spring-boot-autoconfigure@3.1.8", + "pkg:maven/org.springframework.boot/spring-boot-starter-logging@3.1.8", + "pkg:maven/org.springframework.boot/spring-boot@3.1.8", + "pkg:maven/org.springframework/spring-core@6.0.16", + "pkg:maven/org.yaml/snakeyaml@1.33" + ] + }, + { + "ref": "pkg:maven/org.springframework.boot/spring-boot@3.1.8", + "dependsOn": [ + "pkg:maven/org.springframework/spring-context@6.0.16", + "pkg:maven/org.springframework/spring-core@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-aop@6.0.16", + "dependsOn": [ + "pkg:maven/org.springframework/spring-beans@6.0.16", + "pkg:maven/org.springframework/spring-core@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-beans@6.0.16", + "dependsOn": [ + "pkg:maven/org.springframework/spring-core@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-context@6.0.16", + 
"dependsOn": [ + "pkg:maven/org.springframework/spring-aop@6.0.16", + "pkg:maven/org.springframework/spring-beans@6.0.16", + "pkg:maven/org.springframework/spring-core@6.0.16", + "pkg:maven/org.springframework/spring-expression@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-core@6.0.16", + "dependsOn": [ + "pkg:maven/org.springframework/spring-jcl@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-expression@6.0.16", + "dependsOn": [ + "pkg:maven/org.springframework/spring-core@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-jcl@6.0.16", + "dependsOn": [] + }, + { + "ref": "pkg:maven/org.springframework/spring-jdbc@6.0.16", + "dependsOn": [ + "pkg:maven/org.springframework/spring-beans@6.0.16", + "pkg:maven/org.springframework/spring-core@6.0.16", + "pkg:maven/org.springframework/spring-tx@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-tx@6.0.16", + "dependsOn": [ + "pkg:maven/org.springframework/spring-beans@6.0.16", + "pkg:maven/org.springframework/spring-core@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-web@6.0.16", + "dependsOn": [ + "pkg:maven/io.micrometer/micrometer-observation@1.11.8", + "pkg:maven/org.springframework/spring-beans@6.0.16", + "pkg:maven/org.springframework/spring-core@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.springframework/spring-webmvc@6.0.16", + "dependsOn": [ + "pkg:maven/org.springframework/spring-aop@6.0.16", + "pkg:maven/org.springframework/spring-beans@6.0.16", + "pkg:maven/org.springframework/spring-context@6.0.16", + "pkg:maven/org.springframework/spring-core@6.0.16", + "pkg:maven/org.springframework/spring-expression@6.0.16", + "pkg:maven/org.springframework/spring-web@6.0.16" + ] + }, + { + "ref": "pkg:maven/org.yaml/snakeyaml@1.33", + "dependsOn": [] + } + ], + "vulnerabilities": [] +} 
diff --git a/integration/testdata/license-cyclonedx.json.golden b/integration/testdata/license-cyclonedx.json.golden
new file mode 100644
index 000000000000..6cc42ac452f7
--- /dev/null
+++ b/integration/testdata/license-cyclonedx.json.golden
@@ -0,0 +1,148 @@ +{ + "SchemaVersion": 2, + "CreatedAt": "2021-08-25T12:20:30.000000005Z", + "ArtifactName": "testdata/fixtures/sbom/license-cyclonedx.json", + "ArtifactType": "cyclonedx", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": "OS Packages", + "Class": "license" + }, + { + "Target": "pom.xml", + "Class": "license", + "Licenses": [ + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "org.cyclonedx:cyclonedx-maven-plugin", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "org.apache.commons:commons-lang3", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + } + ] + }, + { + "Target": "Java", + "Class": "license", + "Licenses": [ + { + "Severity": "LOW", + "Category": "unencumbered", + "PkgName": "aopalliance:aopalliance", + "FilePath": "", + "Name": "Unlicense", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "javax.annotation:jsr250-api", + "FilePath": "", + "Name": "CDDL-1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "junit:junit", + "FilePath": "", + "Name": "Eclipse Public License 1.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "org.codehaus.plexus:plexus-utils", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "org.codehaus.woodstox:stax2-api", + "FilePath": "", + "Name": "BSD-4-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "org.eclipse.sisu:org.eclipse.sisu.plexus", + "FilePath": "", + "Name": "EPL-1.0", + "Confidence": 1, + "Link": 
"" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "org.hamcrest:hamcrest", + "FilePath": "", + "Name": "BSD License 3", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "org.ow2.asm:asm", + "FilePath": "", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "UNKNOWN", + "Category": "unknown", + "PkgName": "org.slf4j:slf4j-api", + "FilePath": "", + "Name": "MIT License", + "Confidence": 1, + "Link": "" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "org.sonatype.plexus:plexus-cipher", + "FilePath": "", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "" + } + ] + }, + { + "Target": "Loose File License(s)", + "Class": "license-file" + } + ] +} diff --git a/pkg/commands/app.go b/pkg/commands/app.go index 069c9f8b71cd..41d1d2ff645d 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go 
@@ -1125,11 +1125,24 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
 reportFlagGroup.ReportFormat = nil // TODO: support --report summary
 
+ scanners := flag.ScannersFlag.Clone()
+ scanners.Values = xstrings.ToStringSlice(types.Scanners{
+ types.VulnerabilityScanner,
+ types.LicenseScanner,
+ })
+ scanners.Default = xstrings.ToStringSlice(types.Scanners{
+ types.VulnerabilityScanner,
+ })
 scanFlagGroup := flag.NewScanFlagGroup()
- scanFlagGroup.Scanners = nil // disable '--scanners' as it always scans for vulnerabilities
+ scanFlagGroup.Scanners = scanners // allow only 'vuln' and 'license' options for '--scanners'
 scanFlagGroup.IncludeDevDeps = nil // disable '--include-dev-deps'
 scanFlagGroup.Parallel = nil // disable '--parallel'
 
+ licenseFlagGroup := flag.NewLicenseFlagGroup()
+ // License full-scan and confidence-level are for file content only
+ licenseFlagGroup.LicenseFull = nil
+ licenseFlagGroup.LicenseConfidenceLevel = nil
+
 sbomFlags := &flag.Flags{
 GlobalFlagGroup: globalFlags,
 CacheFlagGroup: flag.NewCacheFlagGroup(),
@@ -1139,11 +1152,12 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 ScanFlagGroup: scanFlagGroup,
 SBOMFlagGroup: flag.NewSBOMFlagGroup(),
 VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(),
+ LicenseFlagGroup: licenseFlagGroup,
 }
 
 cmd := &cobra.Command{
 Use: "sbom [flags] SBOM_PATH",
- Short: "Scan SBOM for vulnerabilities",
+ Short: "Scan SBOM for vulnerabilities and licenses",
 GroupID: groupScanning,
 Example: `  # Scan CycloneDX and show the result in tables
 $ trivy sbom /path/to/report.cdx
@@ -1166,9 +1180,6 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 return xerrors.Errorf("flag error: %w", err)
 }
 
- // Scan vulnerabilities
- options.Scanners = types.Scanners{types.VulnerabilityScanner}
-
 return artifact.Run(cmd.Context(), options, artifact.TargetSBOM)
 },
 SilenceErrors: true,
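Review bot: The restriction to `vuln` and `license` is expressed only through `scanners.Values`, and nothing in this hunk shows that other scanner names (for example `misconfig` or `secret`) are rejected at parse time rather than reaching `artifact.Run` now that the hard-coded `options.Scanners = types.Scanners{types.VulnerabilityScanner}` is removed in the third hunk. If the shared flag-group validation does enforce `Values`, a comment at the assignment would make that dependency explicit, e.g. `// Values is enforced by flag validation; any other scanner name is a flag error`. The choice to keep `Default` at `vuln` only means license findings are opt-in for SBOM targets, which matches the updated docs; stating that intent next to `scanners.Default` would keep the two from drifting apart. NewSBOMCommand starts before and continues after this hunk.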
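Review bot: The `Example` help text in the second hunk still shows only the vulnerability use case even though `Short` now advertises license scanning, and because `--scanners` defaults to `vuln` a user will not see license results unless they opt in. Consider adding a second example in the same style, `  # Scan an SBOM for license findings` followed by `  $ trivy sbom --scanners license /path/to/report.cdx`, so the new capability is discoverable from `--help`. The `Example` string literal continues past the end of the hunk.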
diff --git a/pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path-and-version-mismatch/go.sum b/pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path-and-version-mismatch/go.sum
index 3d1d7c0e3913..8a219a39d474 100644
--- a/pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path-and-version-mismatch/go.sum
+++ b/pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path-and-version-mismatch/go.sum
@@ -50,6 +50,7 @@ golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
diff --git a/pkg/licensing/normalize.go b/pkg/licensing/normalize.go
index 942d388a3f52..d0628cd044ee 100644
--- a/pkg/licensing/normalize.go
+++ b/pkg/licensing/normalize.go
@@ -67,15 +67,94 @@ var mapping = map[string]string{
 "MPL 2": MPL20,
 
 // BSD
- "BSD": BSD3Clause, // 2? 3?
- "BSD-2-CLAUSE": BSD2Clause,
- "BSD-3-CLAUSE": BSD3Clause,
- "BSD-4-CLAUSE": BSD4Clause,
-
- "APACHE": Apache20, // 1? 2?
- "APACHE 2.0": Apache20,
- "RUBY": Ruby,
- "ZLIB": Zlib,
+ "BSD": BSD3Clause, // 2? 3?
+ "BSD-2-CLAUSE": BSD2Clause,
+ "BSD-3-CLAUSE": BSD3Clause,
+ "BSD-4-CLAUSE": BSD4Clause,
+ "BSD 2 CLAUSE": BSD2Clause,
+ "BSD 2-CLAUSE": BSD2Clause,
+ "BSD 2-CLAUSE LICENSE": BSD2Clause,
+ "THE BSD 2-CLAUSE LICENSE": BSD2Clause,
+ "THE 2-CLAUSE BSD LICENSE": BSD2Clause,
+ "TWO-CLAUSE BSD-STYLE LICENSE": BSD2Clause,
+ "BSD 3 CLAUSE": BSD3Clause,
+ "BSD 3-CLAUSE": BSD3Clause,
+ "BSD 3-CLAUSE LICENSE": BSD3Clause,
+ "THE BSD 3-CLAUSE LICENSE": BSD3Clause,
+ "BSD 3-CLAUSE \"NEW\" OR \"REVISED\" LICENSE (BSD-3-CLAUSE)": BSD3Clause,
+ "ECLIPSE DISTRIBUTION LICENSE (NEW BSD LICENSE)": BSD3Clause,
+ "NEW BSD LICENSE": BSD3Clause,
+ "MODIFIED BSD LICENSE": BSD3Clause,
+ "REVISED BSD": BSD3Clause,
+ "REVISED BSD LICENSE": BSD3Clause,
+ "THE NEW BSD LICENSE": BSD3Clause,
+ "3-CLAUSE BSD LICENSE": BSD3Clause,
+ "BSD 3-CLAUSE NEW LICENSE": BSD3Clause,
+ "BSD LICENSE": BSD3Clause,
+ "EDL 1.0": BSD3Clause,
+ "ECLIPSE DISTRIBUTION LICENSE - V 1.0": BSD3Clause,
+ "ECLIPSE DISTRIBUTION LICENSE V. 1.0": BSD3Clause,
+ "ECLIPSE DISTRIBUTION LICENSE V1.0": BSD3Clause,
+ "THE BSD LICENSE": BSD4Clause,
+
+ // APACHE
+ "APACHE LICENSE": Apache10,
+ "APACHE SOFTWARE LICENSES": Apache10,
+ "APACHE": Apache20, // 1? 2?
+ "APACHE 2.0": Apache20,
+ "APACHE 2": Apache20,
+ "APACHE V2": Apache20,
+ "APACHE 2.0 LICENSE": Apache20,
+ "APACHE SOFTWARE LICENSE, VERSION 2.0": Apache20,
+ "THE APACHE SOFTWARE LICENSE, VERSION 2.0": Apache20,
+ "APACHE LICENSE (V2.0)": Apache20,
+ "APACHE LICENSE 2.0": Apache20,
+ "APACHE LICENSE V2.0": Apache20,
+ "APACHE LICENSE VERSION 2.0": Apache20,
+ "APACHE LICENSE, VERSION 2.0": Apache20,
+ "APACHE PUBLIC LICENSE 2.0": Apache20,
+ "APACHE SOFTWARE LICENSE - VERSION 2.0": Apache20,
+ "THE APACHE LICENSE, VERSION 2.0": Apache20,
+ "APACHE-2.0 LICENSE": Apache20,
+ "APACHE 2 STYLE LICENSE": Apache20,
+ "ASF 2.0": Apache20,
+
+ // CC0-1.0
+ "CC0 1.0 UNIVERSAL": CC010,
+ "CC0": CC010,
+ "PUBLIC DOMAIN, PER CREATIVE COMMONS CC0": CC010,
+
+ // CDDL 1.0
+ "CDDL 1.0": CDDL10,
+ "CDDL LICENSE": CDDL10,
+ "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) VERSION 1.0": CDDL10,
+ "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) V1.0": CDDL10,
+
+ // CDDL 1.1
+ "CDDL 1.1": CDDL11,
+ "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) VERSION 1.1": CDDL11,
+ "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) V1.1": CDDL11,
+
+ // EPL 1.0
+ "ECLIPSE PUBLIC LICENSE - VERSION 1.0": EPL10,
+ "ECLIPSE PUBLIC LICENSE (EPL) 1.0": EPL10,
+ "ECLIPSE PUBLIC LICENSE V1.0": EPL10,
+ "ECLIPSE PUBLIC LICENSE, VERSION 1.0": EPL10,
+ "ECLIPSE PUBLIC LICENSE - V 1.0": EPL10,
+ "ECLIPSE PUBLIC LICENSE - V1.0": EPL10,
+ "ECLIPSE PUBLIC LICENSE (EPL), VERSION 1.0": EPL10,
+
+ // EPL 2.0
+ "ECLIPSE PUBLIC LICENSE - VERSION 2.0": EPL20,
+ "EPL 2.0": EPL20,
+ "ECLIPSE PUBLIC LICENSE - V 2.0": EPL20,
+ "ECLIPSE PUBLIC LICENSE V2.0": EPL20,
+ "ECLIPSE PUBLIC LICENSE, VERSION 2.0": EPL20,
+ "THE ECLIPSE PUBLIC LICENSE VERSION 2.0": EPL20,
+ "ECLIPSE PUBLIC LICENSE V. 2.0": EPL20,
+
+ "RUBY": Ruby,
+ "ZLIB": Zlib,
 
 // Public Domain
 "PUBLIC DOMAIN": Unlicense,
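Review bot: The fixture added earlier in this same commit still reports `Eclipse Public License 1.0` and `BSD License 3` with category `unknown`, and this hunk has no key for the bare spelling `ECLIPSE PUBLIC LICENSE 1.0` (only the `V1.0`, `- VERSION 1.0` and `(EPL) 1.0` forms) nor for `EPL 1.0`, even though `EPL 2.0` is present; adding `"ECLIPSE PUBLIC LICENSE 1.0": EPL10,` and `"EPL 1.0": EPL10,` would close that gap, assuming lookups upper-case the input as the all-caps keys suggest. Separately, `"THE BSD LICENSE": BSD4Clause` sits next to `"BSD LICENSE": BSD3Clause` and `"BSD": BSD3Clause`, so the definite article alone flips the result between 3- and 4-clause, which carry different classifications and therefore different reported severities; that looks like a slip, or it deserves a comment recording where the 4-clause attribution came from, in the style of the existing `// 2? 3?` marker. Likewise mapping the bare `"APACHE LICENSE"` to `Apache10` while `"APACHE"` maps to `Apache20` is a judgement worth a one-line comment. The `mapping` declaration starts before this hunk.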