Open Annamikhlin opened 1 month ago
I think this is a great candidate for something similarly proposed in #656 . The difference is that 656 is about a standalone cataloger for licenses that would be attached to file objects in the SBOM. This issue is more about enriching license information on the existing package object, which I think is more generally useful thus this should be prioritized ahead.
I think we could leverage https://github.com/google/licenseclassifier to do a lot of the heavy lifting here.
What would you like to be added: Today the metadata cataloger will look for licenses by searching for declarations within packaging manifests locally in the following files in
License
field only.: https://github.com/anchore/syft/blob/fe0b78b7fe73b92ad76deed288d3b9b091a14d27/syft/pkg/cataloger/python/cataloger.go#L39-L42 The python cataloger does have the ability to look in additional sibling files that the metadata file might reference too. Adding a support additionally to classify licenses byLicense-File
field as well.Why is this needed: in our case, in the SBOM scan report (cyclonedx-json format) the license shown as "UNKNOWN"
according to
cat ./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/METADATA | grep License
The license declaration shown under
License-File
filed