anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
6.01k stars 554 forks

Get licenses for NuGet packages #1227

Open fg-j opened 1 year ago

fg-j commented 1 year ago

What would you like to be added:

#726 brought initial support for generating SBOMs for NuGet packages 🎉. One significant gap in the metadata in those SBOMs is license information. It'd be awesome if licenses for NuGet packages were included.

Why is this needed: License information is a key value proposition for compliance-minded users who are building .NET apps with NuGet dependencies.

Additional context:

The project.assets.json file that Syft scans for SBOM info doesn't include license information, but I wonder if it's possible to get it from somewhere else.

Here's a snippet of a SPDX SBOM generated with syft for a NuGet package:

...
  {
   "SPDXID": "SPDXRef-99c6488b6206ecc1",
   "downloadLocation": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceLocator": "cpe:2.3:a:Humanizer:Humanizer:2.14.1:*:*:*:*:*:*:*",
     "referenceType": "cpe23Type"
    },
    {
     "referenceCategory": "PACKAGE_MANAGER",
     "referenceLocator": "pkg:dotnet/Humanizer@2.14.1",
     "referenceType": "purl"
    }
   ],
   "filesAnalyzed": false,
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "name": "Humanizer",
   "sourceInfo": "acquired package info from dotnet project assets file: NugetBenchmarking.deps.json",
   "versionInfo": "2.14.1"
  },
...

The corresponding NuGet package, Humanizer.Core, uses the MIT license.
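The gap described above is easy to miss in a large SBOM, so a compliance pipeline usually wants a check for it. The following is an added example, not syft's own code: it reads an SPDX 2.x JSON document and lists every package whose licenseDeclared and licenseConcluded are both placeholders. The sample SBOM is constructed inline from the Humanizer entry quoted in the issue plus a second, made-up package that does carry a license so that both outcomes show up.

```python
import json

# Constructed sample SBOM: the Humanizer entry from the issue (trimmed to the
# fields this check needs) plus one constructed package that has license data.
SAMPLE_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {
      "SPDXID": "SPDXRef-99c6488b6206ecc1",
      "name": "Humanizer",
      "versionInfo": "2.14.1",
      "licenseConcluded": "NONE",
      "licenseDeclared": "NONE",
      "externalRefs": [
        {"referenceCategory": "PACKAGE_MANAGER",
         "referenceLocator": "pkg:dotnet/Humanizer@2.14.1",
         "referenceType": "purl"}
      ]
    },
    {
      "SPDXID": "SPDXRef-constructed0001",
      "name": "actix-server",
      "versionInfo": "2.1.1",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "MIT OR Apache-2.0",
      "externalRefs": [
        {"referenceCategory": "PACKAGE_MANAGER",
         "referenceLocator": "pkg:cargo/actix-server@2.1.1",
         "referenceType": "purl"}
      ]
    }
  ]
}
""")

# SPDX distinguishes NONE (no license found) from NOASSERTION (no claim made).
# For a compliance gate both amount to "license unknown", as does an empty field.
UNKNOWN = {"NONE", "NOASSERTION", ""}


def purl_of(pkg):
    """Return the package URL from externalRefs, or None when there is none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def find_missing_licenses(sbom):
    """List packages whose declared and concluded licenses are both unknown."""
    missing = []
    for pkg in sbom.get("packages", []):
        declared = pkg.get("licenseDeclared", "")
        concluded = pkg.get("licenseConcluded", "")
        if declared in UNKNOWN and concluded in UNKNOWN:
            missing.append({
                "name": pkg.get("name"),
                "version": pkg.get("versionInfo"),
                "purl": purl_of(pkg),
            })
    return missing


def license_coverage(sbom):
    """Fraction of packages (0.0 to 1.0) that carry a usable license expression."""
    pkgs = sbom.get("packages", [])
    if not pkgs:
        return 1.0
    return 1 - len(find_missing_licenses(sbom)) / len(pkgs)


if __name__ == "__main__":
    for gap in find_missing_licenses(SAMPLE_SBOM):
        print(f"no license data: {gap['purl'] or gap['name']}")
    print(f"license coverage: {license_coverage(SAMPLE_SBOM):.0%}")
```

Pointing the script at a real syft SPDX JSON export instead of SAMPLE_SBOM turns the coverage figure into a threshold a CI job can fail on, which is the practical consequence of the NuGet gap: every .NET dependency currently counts against it.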

spiffcs commented 1 year ago

Thanks so much for the issue @fg-j!

I also added the good first issue label since the write-up you did was so good.

If we have the bandwidth in the coming week/s we'll try and get this in, but also anyone who comes across this issue consider this fair game to attempt as a contribution.

Feel free to tag me in a draft PR if you do and I can always help with testing or cleanup!

vanthome commented 1 year ago

I have the exact same issue but with Rust Crates. Here is an example output of the TOML files:

[package]
edition = "2018"
name = "actix-server"
version = "2.1.1"
authors = ["Nikolay Kim <fafhrd91@gmail.com>", "fakeshadow <24548779@qq.com>", "Rob Ede <robjtede@icloud.com>", "Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>"]
description = "General purpose TCP server built for the Actix ecosystem"
homepage = "https://actix.rs"
keywords = ["network", "tcp", "server", "framework", "async"]
categories = ["network-programming", "asynchronous"]
license = "MIT OR Apache-2.0"

They do include the license. Is it planned to also output them for Rust packages?
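Cargo manifests, unlike project.assets.json, carry the license in the manifest itself, and the field is already an SPDX expression, so filling the SPDX package entry is mostly a pass-through. The following is an added example, not syft's cataloger code: it reads the string keys of the [package] table from a constructed Cargo.toml modelled on the actix-server manifest above, maps the license field to an SPDX licenseDeclared value, and builds the package entry syft-style output would carry. The reader is intentionally not a full TOML parser; it handles only `key = "value"` lines, which is all this field needs.

```python
import re

# Constructed Cargo.toml fragment modelled on the actix-server manifest quoted
# in the thread; the [dependencies] table is there to show it is ignored.
CARGO_TOML = '''
[package]
edition = "2018"
name = "actix-server"
version = "2.1.1"
description = "General purpose TCP server built for the Actix ecosystem"
license = "MIT OR Apache-2.0"

[dependencies]
tokio = "1"
'''

# Minimal reader for flat string keys inside [package]. Not a general TOML
# parser: arrays, inline tables and multi-line strings are skipped.
_TABLE = re.compile(r'^\[(?P<name>[^\]]+)\]\s*$')
_KV = re.compile(r'^(?P<key>[A-Za-z0-9_-]+)\s*=\s*"(?P<value>[^"]*)"\s*$')


def package_table(toml_text):
    """Return the string-valued keys of the [package] table as a dict."""
    fields, in_package = {}, False
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE.match(line)
        if m:
            in_package = m.group("name") == "package"
            continue
        m = _KV.match(line)
        if in_package and m:
            fields[m.group("key")] = m.group("value")
    return fields


def spdx_license_declared(fields):
    """Map Cargo license metadata to an SPDX licenseDeclared value.

    Cargo's `license` is an SPDX expression, so it passes through; the
    deprecated `/` separator from older manifests is normalised to OR. A crate
    that points at a custom `license-file` has no SPDX expression, and a
    missing field means no claim can be made, so both yield NOASSERTION.
    """
    expr = fields.get("license")
    if expr:
        return " OR ".join(part.strip() for part in expr.split("/"))
    return "NOASSERTION"


def spdx_package(fields):
    """Build the SPDX package fields for this crate, license included."""
    name, version = fields["name"], fields["version"]
    return {
        "name": name,
        "versionInfo": version,
        "licenseDeclared": spdx_license_declared(fields),
        "licenseConcluded": "NOASSERTION",  # the tool reads, it does not conclude
        "externalRefs": [{
            "referenceCategory": "PACKAGE_MANAGER",
            "referenceLocator": f"pkg:cargo/{name}@{version}",
            "referenceType": "purl",
        }],
    }


if __name__ == "__main__":
    print(spdx_package(package_table(CARGO_TOML)))
```

The NOASSERTION choice for licenseConcluded is deliberate: the SBOM generator only transcribes what the manifest declares, and a later review step is the place to conclude anything beyond that.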

jeremytbrun commented 10 months ago

Really interested in seeing license info added for NuGet packages as well. Our organization is evaluating syft to integrate into our CI/CD processes to generate SBOMs that can be imported into Dependency-Track for analysis. Having this license data for NuGet packages would be 😎👌