anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

LicenseDeclared not as per SPDX License List #3030

Open aniketdn opened 1 month ago

aniketdn commented 1 month ago

What happened: For the following package, the licenseDeclared is not as per the SPDX license list https://spdx.org/licenses/

        {
            "name": "libbsd",
            "SPDXID": "SPDXRef-Package-rpm-libbsd-bfec4299ebaea3ed",
            "versionInfo": "0.11.7-2.el7",
            "supplier": "Organization: Fedora Project",
            "originator": "Organization: Fedora Project",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": true,
            "packageVerificationCode": {
                "packageVerificationCodeValue": "755d51732dcefe93fa28bb52e42df740e8aca0a0"
            },
            "sourceInfo": "acquired package info from RPM DB: /var/lib/rpm/Packages",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "(Beerware AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND ISC AND libutil-David-Nugent AND MIT AND LicenseRef-Fedora-Public-Domain)",
            "copyrightText": "NOASSERTION",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:fedoraproject:libbsd:0.11.7-2.el7:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:libbsd:libbsd:0.11.7-2.el7:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:rpm/centos/libbsd@0.11.7-2.el7?arch=x86_64&upstream=libbsd-0.11.7-2.el7.src.rpm&distro=centos-7"
                }
            ]
        }

The value LicenseRef-Fedora-Public-Domain does not match any of the SPDX identifiers listed.

This value is causing the ntia-checker to generate a ValidationMessage Unrecognized license reference: LicenseRef-Fedora-Public-Domain.

What you expected to happen: the licenseDeclared field to have license values as per the SPDX identifiers list. If it's a valid license, it can also be submitted to SPDX for its consideration as per: https://github.com/spdx/license-list-XML/blob/main/CONTRIBUTING.md

Steps to reproduce the issue:

Anything else we need to know?:

Environment:

kzantow commented 1 month ago

The prefix LicenseRef- indicates that this is a reference to a license in the other licenses section, which has not resolved to a known SPDX License ID. This is valid to do in SPDX -- I think the validator might be incorrect here. The NTIA Minimum requirements doc only says this about licenses, nothing indicating these must be valid SPDX license IDs:

License Information. License management was an early use case for SBOM, helping organizations with large and complex software portfolios track the licenses and terms of their diverse software components, especially for open source software. SBOMs can convey data about the licenses for each component. This data can also allow the user or purchaser to know if the software can be used as a component of another application without creating legal risk. 16

16 Both CycloneDX and SPDX support the expression of licenses in several ways, including a license ID on the SPDX license list, or using SPDX license expressions. See SPDX License List, SPDX https://spdx.org/licenses/ (May 20, 2021).

Is there anything I'm missing?

aniketdn commented 1 month ago

Thanks for pointing me to this. I did check the hasExtractedLicensingInfos section of the generated SBOM and there's no mention of the LicenseRef-Fedora-Public-Domain license. Hence, the ntia-checker generated a validationMessage. I manually added the below block and now the checker does not complain about invalid licenses

        {
            "licenseId": "LicenseRef-Fedora-Public-Domain",
            "extractedText": "Fedora Public Domain"
        }

For other licenses that didn't resolve to a known SPDX License ID, this information was already extracted. Do you know why it failed to add extractionInfo for this?
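The check the two comments above describe can be automated: every local LicenseRef- identifier used in a package or file license field of an SPDX 2.x JSON document must have a matching licenseId in hasExtractedLicensingInfos, and an unmatched one is what the checker reports. The script below is an added example, not syft's code or the ntia-checker's; it walks the document, lists the dangling references, and can emit a copy with a placeholder entry per missing reference (the same stopgap the reporter applied by hand). The embedded SAMPLE_SBOM is a constructed, trimmed document modelled on the issue, not real syft output; the placeholder extractedText is derived from the identifier and is not real license text.

```python
"""Cross-check LicenseRef- identifiers in an SPDX 2.x JSON SBOM against
hasExtractedLicensingInfos; report the dangling ones and optionally patch them.
Added example; not syft or ntia-checker code."""
import copy
import json
import re
import sys

# An SPDX idstring is letters, digits, '.' and '-'. The negative lookbehind
# skips "DocumentRef-x:LicenseRef-y", which refers to another SPDX document and
# is not expected in this document's hasExtractedLicensingInfos.
LICENSE_REF = re.compile(r"(?<![\w.:-])LicenseRef-[A-Za-z0-9.\-]+")

PACKAGE_LICENSE_FIELDS = ("licenseConcluded", "licenseDeclared", "licenseInfoFromFiles")
FILE_LICENSE_FIELDS = ("licenseConcluded", "licenseInfoInFiles")

# Constructed sample (assumption: trimmed to the fields that matter here).
# libbsd references LicenseRef-Fedora-Public-Domain, but only
# LicenseRef-Example-Custom is defined in hasExtractedLicensingInfos.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {
            "name": "libbsd",
            "SPDXID": "SPDXRef-Package-rpm-libbsd-bfec4299ebaea3ed",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "(Beerware AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause "
                               "AND ISC AND libutil-David-Nugent AND MIT "
                               "AND LicenseRef-Fedora-Public-Domain)",
        },
        {
            "name": "example-lib",  # hypothetical package
            "SPDXID": "SPDXRef-Package-example-lib",
            "licenseConcluded": "DocumentRef-other:LicenseRef-External",
            "licenseDeclared": "MIT OR LicenseRef-Example-Custom",
            "licenseInfoFromFiles": ["MIT", "LicenseRef-Example-Custom"],
        },
    ],
    "files": [
        {"fileName": "./usr/lib64/libbsd.so", "SPDXID": "SPDXRef-File-1",
         "licenseConcluded": "NOASSERTION", "licenseInfoInFiles": ["NOASSERTION"]}
    ],
    "hasExtractedLicensingInfos": [
        {"licenseId": "LicenseRef-Example-Custom", "extractedText": "custom terms"}
    ],
}


def _expressions(element, fields):
    """Yield every license expression string held in the given fields."""
    for field in fields:
        value = element.get(field)
        if isinstance(value, str):
            yield value
        elif isinstance(value, list):
            yield from (v for v in value if isinstance(v, str))


def referenced_license_refs(sbom):
    """Every local LicenseRef- id used in package or file license fields."""
    refs = set()
    for pkg in sbom.get("packages", []):
        for expr in _expressions(pkg, PACKAGE_LICENSE_FIELDS):
            refs.update(LICENSE_REF.findall(expr))
    for f in sbom.get("files", []):
        for expr in _expressions(f, FILE_LICENSE_FIELDS):
            refs.update(LICENSE_REF.findall(expr))
    return refs


def defined_license_refs(sbom):
    """Every licenseId declared in hasExtractedLicensingInfos."""
    return {e["licenseId"] for e in sbom.get("hasExtractedLicensingInfos", []) if "licenseId" in e}


def missing_license_refs(sbom):
    """References with no matching extracted-licensing entry, sorted for stable output."""
    return sorted(referenced_license_refs(sbom) - defined_license_refs(sbom))


def with_placeholders(sbom):
    """Return a copy with a minimal entry for each dangling reference.

    extractedText is mandatory in SPDX 2.x; the placeholder keeps the document
    well-formed for a checker but is derived from the id, not real license text.
    """
    patched = copy.deepcopy(sbom)
    infos = patched.setdefault("hasExtractedLicensingInfos", [])
    for ref in missing_license_refs(sbom):
        infos.append({"licenseId": ref,
                      "extractedText": ref[len("LicenseRef-"):].replace("-", " ")})
    return patched


def main(argv):
    args = [a for a in argv[1:] if a != "--patch"]
    if args:
        with open(args[0], encoding="utf-8") as fh:
            sbom = json.load(fh)
    else:
        sbom = SAMPLE_SBOM
    for ref in missing_license_refs(sbom):
        print(f"unrecognized license reference (no hasExtractedLicensingInfos entry): {ref}")
    if "--patch" in argv:
        json.dump(with_placeholders(sbom), sys.stdout, indent=2)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_license_refs.py sbom.spdx.json` to list the dangling references, or add `--patch` to print a copy with placeholder entries. The placeholder only silences the validator; the real extractedText for an unresolved reference still has to come from the package metadata or from whoever maintains the SBOM.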

kzantow commented 1 month ago

@aniketdn -- I can't say why this entry wasn't added. Is there a public image or other reproduction steps you could share to get an SBOM in this state?

aniketdn commented 1 month ago

Unfortunately I do not have a public image I can point you to. I generated the SBOM using the standard syft command syft <imageName> -o spdx-json=fileName.json