https://deps.dev/ is an open source project handled by Google, which contains data on packages.
It also includes data on licenses, which cannot always be extracted in syft.
My suggestion is to integrate with deps.dev and use this information to fill in missing licenses of packages.
It can support: npm, go, maven, pypi, nuget & cargo.
As far as I can see, it is open source that grant can use - https://github.com/google/deps.dev?tab=Apache-2.0-1-ov-file#readme
Let me know what you think :)
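A sketch of the lookup proposed above, as an added example that is not code from syft, grant or deps.dev. It assumes the deps.dev v3 `GetVersion` endpoint and its `licenses` field; the `Pkg` type, the function names and the sample response body are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Pkg is a hypothetical, simplified stand-in for an SBOM package entry.
type Pkg struct {
	System, Name, Version string // System: npm, go, maven, pypi, nuget, cargo
	Licenses              []string
}

// VersionURL builds the deps.dev v3 GetVersion URL for a package.
// Each part is escaped as one path segment, so "@scope/name" keeps no raw slash.
func VersionURL(p Pkg) string {
	return fmt.Sprintf("https://api.deps.dev/v3/systems/%s/packages/%s/versions/%s",
		url.PathEscape(p.System), url.PathEscape(p.Name), url.PathEscape(p.Version))
}

// FillMissing copies licenses from a GetVersion response body into p only when
// the scanner found none, so locally detected licenses are never overwritten.
// It reports whether p was changed.
func FillMissing(p *Pkg, body []byte) (bool, error) {
	if len(p.Licenses) > 0 {
		return false, nil
	}
	var v struct {
		Licenses []string `json:"licenses"`
	}
	if err := json.Unmarshal(body, &v); err != nil {
		return false, fmt.Errorf("decode deps.dev response: %w", err)
	}
	if len(v.Licenses) == 0 {
		return false, nil
	}
	p.Licenses = v.Licenses
	return true, nil
}

func main() {
	// Constructed response body, trimmed to the field used here.
	body := []byte(`{"versionKey":{"system":"NPM","name":"@colors/colors","version":"1.5.0"},"licenses":["MIT"]}`)
	p := Pkg{System: "npm", Name: "@colors/colors", Version: "1.5.0"}
	changed, err := FillMissing(&p, body)
	fmt.Println(VersionURL(p), changed, p.Licenses, err)
}
```

An integration would fetch `VersionURL(p)` over HTTPS and record deps.dev as the source of any license filled in this way, so it stays distinguishable from licenses found in the scanned artifact.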