anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
5.93k stars 546 forks

syft outputs incorrect license LicenseRef-AND #2899

Open makotosato-at opened 3 months ago

makotosato-at commented 3 months ago

What happened: License BSD-2-Clause AND BSD-3-Clause AND Public-Domain becomes LicenseRef-AND AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Public-Domain

What you expected to happen: It should be: (BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Public-Domain)

Steps to reproduce the issue: On alpine linux

# apk add libarchive
# export SYFT_FORMAT_SPDX_JSON_PRETTY=true
# syft -o spdx-json@2.2 / > spdx.json

spdx.json

{
   "name": "libarchive",
...
   "licenseDeclared": "LicenseRef-AND AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Public-Domain",

Anything else we need to know?:

Environment:
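As an added illustration that is not syft's code: a small Go normalizer that checks AND/OR operator keywords before falling back to a LicenseRef- id, which is the ordering the reported output gets wrong, plus a consumer-side check that flags the LicenseRef-AND pattern in an SBOM. The knownSPDX subset and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// knownSPDX is a constructed, deliberately tiny subset of the SPDX license
// list; a real tool loads the full list.
var knownSPDX = map[string]bool{
	"BSD-2-Clause": true, "BSD-3-Clause": true, "MIT": true,
	"Apache-2.0": true, "GPL-2.0-only": true,
}

// operators are expression keywords that must never become license ids.
// (WITH/exception handling is out of scope for this illustration.)
var operators = map[string]bool{"AND": true, "OR": true}

// illegalRef matches characters not allowed in a LicenseRef idstring.
var illegalRef = regexp.MustCompile(`[^A-Za-z0-9.-]+`)

// NormalizeExpression turns a whitespace-separated license field into a valid
// SPDX expression: known ids, operators and parentheses pass through, every
// other token becomes LicenseRef-<token>. Operators are matched before the
// LicenseRef fallback so "AND" is never wrapped as a license name.
func NormalizeExpression(raw string) string {
	spaced := strings.NewReplacer("(", " ( ", ")", " ) ").Replace(raw)
	var out []string
	for _, tok := range strings.Fields(spaced) {
		switch upper := strings.ToUpper(tok); {
		case tok == "(" || tok == ")", knownSPDX[tok], strings.HasPrefix(tok, "LicenseRef-"):
			out = append(out, tok)
		case operators[upper]:
			out = append(out, upper) // normalize "and"/"or" to upper case
		default:
			out = append(out, "LicenseRef-"+illegalRef.ReplaceAllString(tok, "-"))
		}
	}
	return strings.NewReplacer("( ", "(", " )", ")").Replace(strings.Join(out, " "))
}

// SuspiciousRefs is the consumer-side check: it reports LicenseRef ids whose
// name is really an operator keyword, the signature of this bug in an SBOM.
func SuspiciousRefs(expr string) []string {
	var bad []string
	for _, tok := range strings.Fields(expr) {
		name := strings.TrimPrefix(tok, "LicenseRef-")
		if name != tok && operators[strings.ToUpper(name)] {
			bad = append(bad, tok)
		}
	}
	return bad
}

func main() {
	fmt.Println(NormalizeExpression("BSD-2-Clause AND BSD-3-Clause AND Public-Domain"))
	fmt.Println(SuspiciousRefs("LicenseRef-AND AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Public-Domain"))
}
```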

tgerla commented 3 months ago

Hi @makotosato-at, thanks for the report. We will take a look!