anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Python libraries licenses are not gathered #2970

Open templier2 opened 1 week ago

templier2 commented 1 week ago

What happened: syft shows python packages, but doesn't collect licenses.

What you expected to happen: I want to see licenses for packages

Steps to reproduce the issue: I run anchore_syft packages . -o cyclonedx-xml=bom.xml

Anything else we need to know?: unsure

Environment:

kzantow commented 1 week ago

Hi @templier2, what type of python packages are you scanning? It looks like today Syft is only able to find licenses from wheel/egg files, and perhaps the license information isn't present in other packaging formats? Could you provide a reproducible case, such as a public docker image we could look at to help understand what's there and let us know what you expect?

templier2 commented 1 week ago

Hi, it is a list of libraries from requirements.txt. I suppose that every library has appropriate information about the license at pypi.org (i.e. https://pypi.org/project/rdflib/):

databricks-connect==14.3.2
rdflib==7.0.0
SPARQLWrapper==2.0.0
azure-search-documents==11.4.0
pyspark==3.5.1
lxml==5.2.2

It isn't a docker image, it is just a python application.
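As an added illustration (not Syft's own code) of the point made above: a requirements.txt pin carries only a name and version, while the license lives in the package's METADATA file (the License header and the "License ::" trove classifiers), which only exists once a wheel or egg has been installed into a dist-info directory. The requirements text and the METADATA contents below are constructed samples, and parse_requirements, licenses_from_metadata and license_report are hypothetical helper names.

```python
import re
from email.parser import Parser

# Constructed input mirroring the report: pins only, no license field anywhere.
REQUIREMENTS = """\
databricks-connect==14.3.2
rdflib==7.0.0
lxml==5.2.2
"""

# Constructed METADATA files, as found in <pkg>.dist-info after a wheel install
# (hypothetical contents, not the real packages' metadata).
DIST_INFO = {
    "rdflib": ("Metadata-Version: 2.1\nName: rdflib\nVersion: 7.0.0\n"
               "License: BSD-3-Clause\n"
               "Classifier: License :: OSI Approved :: BSD License\n"),
    "lxml": ("Metadata-Version: 2.1\nName: lxml\nVersion: 5.2.2\n"
             "Classifier: License :: OSI Approved :: BSD License\n"),
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\S+)")

def parse_requirements(text):
    """Return {name: version} for '==' pins; comments and blank lines skipped."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line.split("#", 1)[0])
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def licenses_from_metadata(metadata_text):
    """License evidence in a METADATA file: the License header plus trove classifiers."""
    msg = Parser().parsestr(metadata_text)
    found = []
    lic = (msg.get("License") or "").strip()
    if lic and lic.upper() != "UNKNOWN":
        found.append(lic)
    for c in msg.get_all("Classifier", []):
        if c.startswith("License ::"):
            found.append(c.split("::")[-1].strip())
    return found

def license_report(requirements_text, dist_info):
    """Pinned name -> licenses; [] means the scan has nothing to report."""
    return {name: licenses_from_metadata(dist_info[name]) if name in dist_info else []
            for name in parse_requirements(requirements_text)}
```

A pin with no matching dist-info (databricks-connect in the sample) reports an empty list, which is exactly the gap the SBOM shows: the license must come from installed package metadata or from a registry lookup, not from the requirements file.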