CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

[license] Multiple license expressions error #1023

Open prabhu opened 2 weeks ago

prabhu commented 2 weeks ago

Repo: https://github.com/DefectDojo/django-DefectDojo

docker pull ghcr.io/appthreat/cdxgen-python:v10
docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app -it ghcr.io/appthreat/cdxgen-python:v10 -r -o /app/bom.json /app -t python --deep
cdxgen will now attempt to generate an SBOM for 'build' lifecycle phase for Python. This would take some time ...
To speed up this step, invoke cdxgen from within a virtual environment with all the dependencies installed.
Alternatively, pass the argument '--lifecycle pre-build' to generate a faster but less precise SBOM without installing the dependencies in case of any build issues.
Using virtual environment in /tmp/cdxgen-venv-Slusqf
About to construct the pip dependency tree. Please wait ...
Using virtual environment in /tmp/cdxgen-venv-Slusqf
About to construct the pip dependency tree. Please wait ...
Executing node /root/.nvm/versions/node/v22.0.0/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/index.js parsedeps -l python -o /tmp/atom-deps-ny6kbj/app.atom --slice-outfile /deps.slices.json /app
Slices have been successfully written to /deps.slices.json

multiple license expressions found [
  { expression: 'GNU Library or Lesser General Public License (LGPL)' },
  { expression: 'LGPL 3' }
]
prabhu commented 2 weeks ago

For scipy

cupy-backends is not found on PyPI.
If this package is available from PyPI or a registry, its name might be different from the module name. Raise a ticket at https://github.com/CycloneDX/cdxgen/issues so that this can be added to the mapping file pypi-pkg-aliases.json
Alternatively, if this is a package that gets installed directly in your environment and offers a python binding, then track such packages manually.
Assuming the version as latest for the package cupy-backends
cupyx is not found on PyPI.
If this package is available from PyPI or a registry, its name might be different from the module name. Raise a ticket at https://github.com/CycloneDX/cdxgen/issues so that this can be added to the mapping file pypi-pkg-aliases.json
Alternatively, if this is a package that gets installed directly in your environment and offers a python binding, then track such packages manually.
Assuming the version as latest for the package cupyx
multiple license expressions found [
  { expression: 'GNU General Public License (GPL)' },
  { expression: 'Public Domain' }
]
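Both comments above end with the same warning: a package carries more than one license hint (a Trove classifier plus a free-text License field, or a GPL classifier beside "Public Domain"), and the generator has to decide what goes into the SBOM. The script below is an added example, not cdxgen's own code, showing one defensible way to handle that case: every hint becomes its own CycloneDX `license` entry (an SPDX `id` when the hint is recognised, a free-form `name` otherwise) rather than being collapsed into a single SPDX expression, because PyPI metadata never states whether two hints are joined by AND or OR. The alias table, the `license_hints` / `to_cyclonedx_licenses` / `component_licenses` functions and the sample metadata dicts are all constructed for this example; the samples are modelled on the log excerpts and are not a claim about the real metadata of scipy or any other package.

```python
"""Turn multiple PyPI license hints into CycloneDX `licenses` entries.

Added example, not part of cdxgen. The alias table is a constructed subset
of real SPDX identifiers; anything it does not know is kept as a plain name.
"""
import re

# Constructed, partial map: lower-cased PyPI license hint -> SPDX id.
# Family-level classifiers such as "GNU General Public License (GPL)" name no
# version, so they are deliberately absent and fall through to a plain name.
SPDX_ALIASES = {
    "lgpl 3": "LGPL-3.0-only",
    "lgplv3": "LGPL-3.0-only",
    "gnu lesser general public license v3 (lgplv3)": "LGPL-3.0-only",
    "gpl 3": "GPL-3.0-only",
    "gnu general public license v3 (gplv3)": "GPL-3.0-only",
    "mit": "MIT",
    "mit license": "MIT",
    "apache 2.0": "Apache-2.0",
    "apache software license": "Apache-2.0",
}


def _norm(text):
    """Whitespace-collapsed, lower-cased key used for alias lookup and dedup."""
    return re.sub(r"\s+", " ", text.strip()).lower()


def license_hints(metadata):
    """Collect every license hint from a PyPI core-metadata dict.

    `metadata` mimics what importlib.metadata exposes: a "Classifier" list and
    a "License" string. Classifiers are taken first, then the free-text License
    field; duplicate strings are dropped in order of appearance.
    """
    hints = []
    for classifier in metadata.get("Classifier", []):
        parts = [p.strip() for p in classifier.split("::")]
        if parts[0] == "License" and len(parts) >= 2:
            hints.append(parts[-1])  # e.g. "GNU General Public License (GPL)"
    free_text = (metadata.get("License") or "").strip()
    if free_text and free_text.upper() != "UNKNOWN":
        hints.append(free_text)
    seen, unique = set(), []
    for hint in hints:
        if _norm(hint) not in seen:
            seen.add(_norm(hint))
            unique.append(hint)
    return unique


def to_cyclonedx_licenses(hints):
    """Map hints to CycloneDX `licenses` entries without guessing semantics.

    Each hint becomes its own {"license": {...}} object: an SPDX `id` when the
    alias table knows it, otherwise a free-form `name`. Hints that resolve to
    the same SPDX id collapse into one entry. They are never joined into an
    SPDX `expression` with AND/OR: PyPI metadata does not say how two hints
    relate, and CycloneDX does not allow an expression to be mixed with
    license objects in the same array.
    """
    entries, seen = [], set()
    for hint in hints:
        spdx = SPDX_ALIASES.get(_norm(hint))
        entry = {"license": {"id": spdx}} if spdx else {"license": {"name": hint}}
        key = spdx or _norm(hint)
        if key not in seen:
            seen.add(key)
            entries.append(entry)
    return entries


def component_licenses(name, metadata):
    """Return (licenses, warning); warning is set when more than one distinct
    license survives, which is the situation the issue log reports."""
    licenses = to_cyclonedx_licenses(license_hints(metadata))
    warning = None
    if len(licenses) > 1:
        warning = f"{name}: multiple license expressions found: {licenses}"
    return licenses, warning


# Constructed sample metadata modelled on the two log excerpts in the issue;
# not a claim about the real metadata of any PyPI package.
SAMPLE_METADATA = {
    "pkg-a": {
        "License": "LGPL 3",
        "Classifier": [
            "Programming Language :: Python :: 3",
            "License :: OSI Approved :: GNU Library or Lesser General Public License (LGPL)",
        ],
    },
    "pkg-b": {
        "License": "Public Domain",
        "Classifier": ["License :: OSI Approved :: GNU General Public License (GPL)"],
    },
    "pkg-c": {
        "License": "MIT",
        "Classifier": ["License :: OSI Approved :: MIT License"],
    },
}

if __name__ == "__main__":
    for pkg, meta in SAMPLE_METADATA.items():
        licenses, warning = component_licenses(pkg, meta)
        print(pkg, licenses)
        if warning:
            print("  WARNING:", warning)
```

Run it and `pkg-a` yields a `name` entry for the unversioned LGPL classifier plus an `id` of `LGPL-3.0-only` for the free-text field, `pkg-b` yields two `name` entries (neither "GNU General Public License (GPL)" nor "Public Domain" maps to a single SPDX id), and `pkg-c` collapses to one `MIT` entry. Keeping both entries, with the warning, leaves the SBOM consumer to decide how to reconcile them instead of having the generator silently pick one.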