license information of several components is incorrect when creating sbom

[2020-ks]

Description

I created sbom with CycloneDX by Trivy:

trivy -v image ## -f cyclonedx --output ##.json --timeout 10m --security-checks vuln --ignore-unfixed

The creation succeeded, but I noticed that license information of several components is missing or incorrect.

What did you expect to happen?

All detected components have license information.

What happened instead?

1.Missing

At least, license information of following components is missing.
networkx, zipp, filelock, typer, iniconfig, packaging, tomli, typing_extensions, importlib-metadata, idna

2.Incorrect

In addition, following license information is incorrect.
uritemplate

"licenses": [
{
"expression": "BSD 3-Clause License or Apache License"
},
{
"expression": "Version 2.0"
}
]

Output of run with -debug:

2023-03-10T11:44:50.440+0900    WARN    '--security-checks' is deprecated. Use '--scanners' instead.
2023-03-10T11:44:50.444+0900    DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-03-10T11:44:50.444+0900    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-10T11:44:50.448+0900    DEBUG   cache dir:  .../.cache/trivy
2023-03-10T11:44:50.448+0900    DEBUG   There is no valid metadata file: unable to open a file: open .../.cache/trivy/db/metadata.json: no such file or directory
2023-03-10T11:44:50.448+0900    INFO    Need to update DB
2023-03-10T11:44:50.448+0900    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-03-10T11:44:50.448+0900    INFO    Downloading DB...
2023-03-10T11:44:50.448+0900    DEBUG   no metadata file
35.94 MiB / 35.94 MiB [----------------------------------------------------------------------] 100.00% 7.10 MiB p/s 5.3s
2023-03-10T11:44:57.158+0900    DEBUG   Updating database metadata...
2023-03-10T11:44:57.158+0900    DEBUG   DB Schema: 2, UpdatedAt: 2023-03-10 00:13:33.078790601 +0000 UTC, NextUpdate: 2023-03-10 06:13:33.078790101 +0000 UTC, DownloadedAt: 2023-03-10 02:44:57.1583922 +0000 UTC
2023-03-10T11:44:57.158+0900    INFO    Vulnerability scanning is enabled
2023-03-10T11:44:57.158+0900    DEBUG   Vulnerability type:  [os library]
2023-03-10T11:44:57.278+0900    DEBUG   Saving the container image to a local file to obtain the image config...
2023-03-10T11:50:11.421+0900    DEBUG   Image ID: ...
2023-03-10T11:50:11.424+0900    DEBUG   Diff IDs: [...]
2023-03-10T11:50:11.425+0900    DEBUG   Base Layers: [....]
2023-03-10T11:50:11.601+0900    INFO    Detected OS: debian
2023-03-10T11:50:11.601+0900    INFO    Detecting Debian vulnerabilities...
2023-03-10T11:50:11.601+0900    DEBUG   debian: os version: 10
2023-03-10T11:50:11.601+0900    DEBUG   debian: the number of packages: 463
2023-03-10T11:50:11.868+0900    INFO    Number of language-specific files: 1
2023-03-10T11:50:11.869+0900    INFO    Detecting python-pkg vulnerabilities...
2023-03-10T11:50:11.870+0900    DEBUG   Detecting library vulnerabilities, type: python-pkg, path:

Output of trivy -v:

2023-03-10T11:52:10.011+0900    WARN    '--security-checks' is deprecated. Use '--scanners' instead.
2023-03-10T11:52:10.021+0900    INFO    Vulnerability scanning is enabled
2023-03-10T11:57:16.014+0900    INFO    Detected OS: debian
2023-03-10T11:57:16.016+0900    INFO    Detecting Debian vulnerabilities...
2023-03-10T11:57:16.250+0900    INFO    Number of language-specific files: 1
2023-03-10T11:57:16.251+0900    INFO    Detecting python-pkg vulnerabilities...

Additional details (base image name, container registry info...):

I attach sbom of components with problems
pip_sboms_with_problem.txt

[afdesk]

@2020-ks thanks for the report.
Could you share a some public image, which reproduces this issue?
I'd like to investigate it more.

[2020-ks]

Dear @afdesk
Thank you for reply.
I pushed image with this issue into my public docker-hub repository.
When creating sbom by trivy againt the image, this issue occurs about almost python components that are defined as "pkg:pypi~".

Link
https://hub.docker.com/r/2020ksdocker/ks-repository/tags

If you want to get more information, please let me know.

Best regards

[afdesk]

@2020-ks thanks. I'll take a look at this image today

[afdesk]

Just FYI
definitely, there is a problem here: Trivy shouldn't scan licenses with --security-checks vuln. it's another my issue.

it's a bit strange. Trivy can detect zipp license as MIT, but only with flag --license-full.
I'm looking for a reason of skipping it

[afdesk]

I managed next:
for these packages (networkx, zipp, filelock, typer etc ), the license field is empty, so Trivy can't detect licenses for them.

Trivy can find license files (when Trivy scans source code files, Markdown documents, text files and LICENSE documents to identify license usage within the image or filesystem.), but cannot bind a license to a package in cyclonedx result.

# python -m pip show zipp
Name: zipp
Version: 3.12.1
Summary: Backport of pathlib-compatible object wrapper for zip files
Home-page: https://github.com/jaraco/zipp
Author: Jason R. Coombs
Author-email: jaraco@jaraco.com
License: 
Location: /usr/local/lib/python3.9/site-packages
Requires: 
Required-by: importlib-metadata

# python -m pip show networkx
Name: networkx
Version: 3.0
Summary: Python package for creating and manipulating graphs and networks
Home-page: https://networkx.org/
Author: Aric Hagberg
Author-email: hagberg@lanl.gov
License: 
Location: /usr/local/lib/python3.9/site-packages
Requires: 
Required-by: 

# python -m pip show filelock
Name: filelock
Version: 3.9.0
Summary: A platform independent file lock.
Home-page: 
Author: 
Author-email: 
License: 
Location: /usr/local/lib/python3.9/site-packages
Requires: 
Required-by: 

[afdesk]

about 2.
it seems it's not a Trivy issue.
the information came from License field:

# python -m pip show uritemplate
Name: uritemplate
Version: 4.1.1
Summary: Implementation of RFC 6570 URI Templates
Home-page: https://uritemplate.readthedocs.org
Author: Ian Stapleton Cordasco
Author-email: graffatcolmingov@gmail.com
License: BSD 3-Clause License or Apache License, Version 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: 
Required-by: 

[2020-ks]

Dear @afdesk
I appreciate your investigation. I get it about this issue.
However, please let me confirm a little bit things.

About 1.
Is spec change, that trivy is able to bind license infomation from files such as LICENSE or Classifier in METADATA and so on, impossile ?
Despite writing license information on these file, I think that what trivy not able to bind is inconvenient.

About 2.
According to result of your investigation, it seems that license infomtion is splited by comma.
Is trivy spec when OSS have multi-license information ?

[afdesk]

@2020-ks
about 1. Now we have an idea how to improve it. I'm trying to do it.

about 2. Honestly, I don't know what is the correct parse for this record BSD 3-Clause License or Apache License
should Trivy show 2 records BSD 3-Clause License and Apache License? I'm not sure.
wdyt?

thanks for the answers!

[afdesk]

This software is made available under the terms of *either* of the licenses
found in LICENSE.APACHE or LICENSE.BSD. Contributions to uritemplate are
made under the terms of *both* these licenses.

maybe I was wrong. will need to take another look )

[2020-ks]

Dear @afdesk
About 1. Thank you very much. I expect good news.
About 2. Yes. As you mentioned at second comment, Trivy should show 2 records that they are "BSD 3-Clause License" and "Apache License, Version 2.0"