Add license support for Maven dependencies #3812

Closed
gongomgra opened this issue Mar 10, 2023 · 6 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. scan/license Issues relating to license scanning
Comments

@gongomgra

Description

We are running both image and filesystem actions against the official Tomcat 9.0.73 docker image, and source code, generating the SPDX JSON output in both cases.

We noticed that Maven dependencies, although detected, don't include the license information (always showing NONE in the licenseDeclared and licenseConcluded fields). Can you tell us if this is intentional or if there is any known issue here? Find below a sample package detected.

{
        "SPDXID": "SPDXRef-Package-79342d7ea6c63a4d",
        "attributionTexts": [
                "LayerDigest: sha256:3f7b260ecc2ebebee9b40b9ad57127036392d88c02230e64faa5ccc948a90f67",
                "LayerDiffID: sha256:171e6d2e103079468ced6267cba6e8939172c29bd923802bcd25da09210077fb"
        ],
        "externalRefs": [
                {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceLocator": "pkg:maven/org.apache.tomcat/tomcat-jdbc@9.0.73",
                        "referenceType": "purl"
                }
        ],
        "filesAnalyzed": false,
        "hasFiles": [
                "SPDXRef-File-6095f0a07b2494da"
        ],
        "licenseConcluded": "NONE",
        "licenseDeclared": "NONE",
        "name": "org.apache.tomcat:tomcat-jdbc",
        "versionInfo": "9.0.73"
},

Also, this is the output of trivy -v, and the command used to install it.

$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
aquasecurity/trivy info checking GitHub for latest tag
aquasecurity/trivy info found version: 0.38.2 for v0.38.2/Linux/64bit
aquasecurity/trivy info installed /usr/local/bin/trivy
$ /usr/local/bin/trivy -v
Version: 0.38.2

What did you expect to happen?

Maven dependencies get their license fields properly detected

What happened instead?

All of them are set as NONE.

Output of run with -debug:

/usr/local/bin/trivy image --format spdx-json --list-all-pkgs --license-full --debug --output /tmp/image.json tomcat:9.0.73
2023-03-10T10:15:15.025Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-10T10:15:15.026Z        INFO    "--format spdx" and "--format spdx-json" disable security scanning
2023-03-10T10:15:15.027Z        DEBUG   cache dir:  /.cache/trivy
2023-03-10T10:15:15.255Z        DEBUG   Image ID: sha256:be5e49a711aed97ebc12746fca050d54c2c0226cba5b0f2f6a1d7f8363ca75f5
2023-03-10T10:15:15.255Z        DEBUG   Diff IDs: [sha256:202fe64c3ce39b94d8beda7d7506ccdfcf7a59f02f17c915078e4c62b5c2ed11 sha256:a75d61c24821a8aaa413866dce857e5716e38fd2415298cebb0a5abfa619712f sha256:e277856021daeaacaeb77210a3e465800d0d6b4a8c6117b619e2bf278cfa4139 sha256:e1af3e94baee5f9aabe106640bf25f3cf35e735a179d61ea74843188ec260147 sha256:fabc0774a4f29b24b41f6f92745cc63cb3303251c3a5a85e6f16d73ba706cba1 sha256:171e6d2e103079468ced6267cba6e8939172c29bd923802bcd25da09210077fb sha256:cc973c0390e9791bcfb762161f55e7ac449e2f4492f5eb2502b949338bf5686d]
2023-03-10T10:15:15.255Z        DEBUG   Base Layers: [sha256:202fe64c3ce39b94d8beda7d7506ccdfcf7a59f02f17c915078e4c62b5c2ed11 sha256:a75d61c24821a8aaa413866dce857e5716e38fd2415298cebb0a5abfa619712f sha256:e277856021daeaacaeb77210a3e465800d0d6b4a8c6117b619e2bf278cfa4139 sha256:e1af3e94baee5f9aabe106640bf25f3cf35e735a179d61ea74843188ec260147]
2023-03-10T10:15:15.255Z        DEBUG   Missing image ID in cache: sha256:be5e49a711aed97ebc12746fca050d54c2c0226cba5b0f2f6a1d7f8363ca75f5
2023-03-10T10:15:15.255Z        DEBUG   Missing diff ID in cache: sha256:fabc0774a4f29b24b41f6f92745cc63cb3303251c3a5a85e6f16d73ba706cba1
2023-03-10T10:15:15.255Z        DEBUG   Missing diff ID in cache: sha256:a75d61c24821a8aaa413866dce857e5716e38fd2415298cebb0a5abfa619712f
2023-03-10T10:15:15.255Z        DEBUG   Missing diff ID in cache: sha256:e277856021daeaacaeb77210a3e465800d0d6b4a8c6117b619e2bf278cfa4139
2023-03-10T10:15:15.255Z        DEBUG   Missing diff ID in cache: sha256:202fe64c3ce39b94d8beda7d7506ccdfcf7a59f02f17c915078e4c62b5c2ed11
2023-03-10T10:15:15.255Z        DEBUG   Missing diff ID in cache: sha256:e1af3e94baee5f9aabe106640bf25f3cf35e735a179d61ea74843188ec260147
2023-03-10T10:15:15.305Z        DEBUG   Missing diff ID in cache: sha256:171e6d2e103079468ced6267cba6e8939172c29bd923802bcd25da09210077fb
2023-03-10T10:15:15.334Z        DEBUG   Missing diff ID in cache: sha256:cc973c0390e9791bcfb762161f55e7ac449e2f4492f5eb2502b949338bf5686d
2023-03-10T10:15:15.581Z        DEBUG   Loading the default license classifier...
2023-03-10T10:15:15.713Z        INFO    JAR files found
2023-03-10T10:15:15.714Z        INFO    Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-03-10T10:15:15.714Z        INFO    Downloading the Java DB...
411.63 MiB / 411.63 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 44.30 MiB p/s 9.5s
2023-03-10T10:15:25.788Z        INFO    The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-03-10T10:15:25.788Z        INFO    Analyzing JAR files takes a while...
2023-03-10T10:15:25.789Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/bin/bootstrap.jar"}
2023-03-10T10:15:25.789Z        DEBUG   Parsing Java artifacts...       {"file": "opt/java/openjdk/lib/jrt-fs.jar"}
2023-03-10T10:15:25.789Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/catalina.jar"}
2023-03-10T10:15:25.789Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/bin/commons-daemon.jar"}
2023-03-10T10:15:25.789Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/bin/tomcat-juli.jar"}
2023-03-10T10:15:25.790Z        DEBUG   No such POM in the central repositories {"file": "bootstrap.jar"}
2023-03-10T10:15:25.790Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/ecj-4.20.jar"}
2023-03-10T10:15:25.789Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/annotations-api.jar"}
2023-03-10T10:15:25.791Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/el-api.jar"}

Output of trivy -v:

$ /usr/local/bin/trivy -v
Version: 0.38.2

Additional details (base image name, container registry info...):

Apache Tomcat 9.0.73 image: tomcat:9.0.73
Apache Tomcat 9.0.73 source code: https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.73/src/apache-tomcat-9.0.73-src.tar.gz
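The report above is about SPDX packages whose licenseDeclared and licenseConcluded are both NONE. A consumer of such an SBOM usually wants that gap surfaced rather than silently accepted, so here is an added example (not part of the issue and not Trivy's code) that parses a Trivy-style SPDX JSON document and lists every package with no usable license information, identifying each by its purl when one is present. The two-package document embedded in the block is constructed for the example: the tomcat-jdbc entry mirrors the one quoted above, the second entry is invented to show a package that must not be flagged. NOASSERTION is treated like NONE because SPDX defines both as "no license claim made".

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// spdxPackage is the subset of an SPDX 2.x JSON package entry that the
// license audit needs; any other fields are ignored by encoding/json.
type spdxPackage struct {
	SPDXID           string `json:"SPDXID"`
	Name             string `json:"name"`
	VersionInfo      string `json:"versionInfo"`
	LicenseConcluded string `json:"licenseConcluded"`
	LicenseDeclared  string `json:"licenseDeclared"`
	ExternalRefs     []struct {
		ReferenceType    string `json:"referenceType"`
		ReferenceLocator string `json:"referenceLocator"`
	} `json:"externalRefs"`
}

type spdxDoc struct {
	Packages []spdxPackage `json:"packages"`
}

// unknownLicense reports whether an SPDX license field carries no usable
// information: NONE (nothing found) or NOASSERTION (no claim made).
func unknownLicense(v string) bool {
	return v == "" || v == "NONE" || v == "NOASSERTION"
}

// identity prefers the purl external reference and falls back to name@version.
func identity(p spdxPackage) string {
	for _, ref := range p.ExternalRefs {
		if ref.ReferenceType == "purl" {
			return ref.ReferenceLocator
		}
	}
	return p.Name + "@" + p.VersionInfo
}

// MissingLicenses parses an SPDX JSON document and returns, sorted, the
// identities of all packages whose declared AND concluded licenses are unknown.
func MissingLicenses(doc []byte) ([]string, error) {
	var d spdxDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("parse SPDX JSON: %w", err)
	}
	var out []string
	for _, p := range d.Packages {
		if unknownLicense(p.LicenseDeclared) && unknownLicense(p.LicenseConcluded) {
			out = append(out, identity(p))
		}
	}
	sort.Strings(out)
	return out, nil
}

// sampleSPDX is a constructed two-package document for this example.
const sampleSPDX = `{
  "spdxVersion": "SPDX-2.2",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-79342d7ea6c63a4d",
      "name": "org.apache.tomcat:tomcat-jdbc",
      "versionInfo": "9.0.73",
      "licenseConcluded": "NONE",
      "licenseDeclared": "NONE",
      "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER",
         "referenceLocator": "pkg:maven/org.apache.tomcat/tomcat-jdbc@9.0.73",
         "referenceType": "purl"}
      ]
    },
    {
      "SPDXID": "SPDXRef-Package-example",
      "name": "example:with-license",
      "versionInfo": "1.0.0",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "Apache-2.0"
    }
  ]
}`

func main() {
	missing, err := MissingLicenses([]byte(sampleSPDX))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, id := range missing {
		fmt.Println("no license information:", id)
	}
}
```

Pointing this at a real file is a matter of replacing sampleSPDX with os.ReadFile of the --output path; a non-empty result is the signal that the SBOM cannot be used for license compliance decisions as-is.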

@gongomgra gongomgra added the kind/bug Categorizes issue or PR as related to a bug. label Mar 10, 2023
@DmitriyLewen DmitriyLewen added triage/support Indicates an issue that is a support question. scan/license Issues relating to license scanning and removed kind/bug Categorizes issue or PR as related to a bug. labels Mar 14, 2023
@DmitriyLewen
Contributor

Hello @gongomgra
Thanks for your report!

Trivy currently doesn't support searching for licenses from jar files.

If you have time and desire, we are always glad to welcome new contributors!

@itaysk itaysk reopened this Mar 16, 2023
@itaysk itaysk added kind/feature Categorizes issue or PR as related to a new feature. and removed triage/support Indicates an issue that is a support question. labels Mar 16, 2023
@knqyf263 knqyf263 changed the title SPDX output doesn't include license information for Maven dependencies Add license support for Maven dependencies May 11, 2023
@knqyf263 knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label May 11, 2023
@coheigea
Contributor

coheigea commented Jun 2, 2023

Would this task involve:

a) Find the associated pom file in Maven Central (e.g. https://repo1.maven.org/maven2/org/apache/tomcat/tomcat-jdbc/9.0.73/tomcat-jdbc-9.0.73.pom) and read the licenses information from the maven pom.
or
b) Inspect the jar file to see if a LICENSE file is contained in the root directory or META-INF and then match this against a known license?

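Both options in the comment above can be prototyped offline, because a jar built by Maven normally carries its own POM under META-INF/maven/<groupId>/<artifactId>/pom.xml (the same file that Maven Central serves for option a) and frequently a LICENSE file in the root or in META-INF (option b). The following is an added example, not part of this issue and not Trivy's implementation: it opens a jar as a zip archive, parses the `<licenses>` section of any embedded pom.xml, and records LICENSE-like files found at the two locations the comment names. The jar is constructed in memory for the example; its contents, including the license text and the pom, are invented. The read of each POM is capped at 1 MiB so that a malicious archive cannot make the inspector allocate unbounded memory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"path"
	"strings"
)

// pomLicenses is the only part of a Maven POM this inspector reads.
// "licenses>license" walks <project><licenses><license>...</license></licenses>.
type pomLicenses struct {
	Licenses []struct {
		Name string `xml:"name"`
		URL  string `xml:"url"`
	} `xml:"licenses>license"`
}

// JarLicenseInfo holds the two signals collected from one jar.
type JarLicenseInfo struct {
	PomLicenses  []string // license names declared in META-INF/maven/**/pom.xml
	LicenseFiles []string // LICENSE-like files in the jar root or directly under META-INF
}

// isLicenseFile matches LICENSE, LICENSE.txt, META-INF/LICENSE.md and similar,
// case-insensitively, but only in the root or directly under META-INF.
func isLicenseFile(name string) bool {
	dir, base := path.Split(name)
	if dir != "" && dir != "META-INF/" {
		return false
	}
	upper := strings.ToUpper(base)
	return upper == "LICENSE" || strings.HasPrefix(upper, "LICENSE.")
}

// InspectJar reads a jar held in memory and returns both signals.
func InspectJar(jar []byte) (JarLicenseInfo, error) {
	var info JarLicenseInfo
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return info, fmt.Errorf("open jar: %w", err)
	}
	for _, f := range zr.File {
		switch {
		case isLicenseFile(f.Name):
			info.LicenseFiles = append(info.LicenseFiles, f.Name)
		case strings.HasPrefix(f.Name, "META-INF/maven/") && path.Base(f.Name) == "pom.xml":
			rc, err := f.Open()
			if err != nil {
				return info, err
			}
			// Bound the read: a hostile jar must not be able to exhaust memory.
			data, err := io.ReadAll(io.LimitReader(rc, 1<<20))
			rc.Close()
			if err != nil {
				return info, err
			}
			var pom pomLicenses
			if err := xml.Unmarshal(data, &pom); err != nil {
				return info, fmt.Errorf("parse %s: %w", f.Name, err)
			}
			for _, l := range pom.Licenses {
				info.PomLicenses = append(info.PomLicenses, l.Name)
			}
		}
	}
	return info, nil
}

// buildSampleJar constructs a small jar for the example; every entry is invented.
func buildSampleJar() []byte {
	entries := []struct{ name, body string }{
		{"META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"},
		{"META-INF/LICENSE", "Apache License, Version 2.0 (constructed placeholder text)\n"},
		{"META-INF/maven/org.apache.tomcat/tomcat-jdbc/pom.xml", `<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.apache.tomcat</groupId><artifactId>tomcat-jdbc</artifactId><version>9.0.73</version>
  <licenses><license><name>Apache License, Version 2.0</name>
  <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url></license></licenses>
</project>`},
		{"org/apache/tomcat/jdbc/pool/DataSource.class", "\xca\xfe\xba\xbe"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e.name)
		w.Write([]byte(e.body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	info, err := InspectJar(buildSampleJar())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("POM licenses:", info.PomLicenses)
	fmt.Println("LICENSE files:", info.LicenseFiles)
}
```

A jar with an empty PomLicenses and an empty LicenseFiles is exactly the case the comment anticipates, where only a lookup of the POM in Maven Central (or a pre-built database such as trivy-java-db) can fill the gap.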
@DmitriyLewen
Contributor

Hello @coheigea
Sorry for the late answer.

Find the associated pom file in Maven Central

We use trivy-java-db for some cases when scanning jar files. It will be better to add licenses to this DB, but we need to check the size of the DB after the changes.

Inspect the jar file to see if a LICENSE file is contained in the root directory or META-INF

This way looks preferable, but I am not sure that all jars contain a LICENSE file. Then we need to use the 1st point.

At the moment we are focusing on adding licenses only for pom.xml files.

@coheigea
Contributor

@DmitriyLewen Thanks for the update, I agree adding license information to the DB would be great. Is there any way that I can track the work for this? I might be able to help out a bit on it.

@DmitriyLewen
Contributor

@coheigea I created #4734 for this task.

@knqyf263
Collaborator

I'll close this issue.

5 participants