Open aniketdn opened 1 month ago
The prefix LicenseRef- indicates that this is a reference to a license in the other licenses section, which has not resolved to a known SPDX License ID. This is valid to do in SPDX -- I think the validator might be incorrect here. The NTIA Minimum requirements doc only says this about licenses, nothing indicating these must be valid SPDX license IDs:
License Information. License management was an early use case for SBOM, helping organizations with large and complex software portfolios track the licenses and terms of their diverse software components, especially for open source software. SBOMs can convey data about the licenses for each component. This data can also allow the user or purchaser to know if the software can be used as a component of another application without creating legal risk. 16
16 Both CycloneDX and SPDX support the expression of licenses in several ways, including a license ID on the SPDX license list, or using SPDX license expressions. See SPDX License List, SPDX https://spdx.org/licenses/ (May 20, 2021).
Is there anything I'm missing?
Thanks for pointing me to this. I did check the hasExtractedLicensingInfos section of the generated SBOM and there's no mention of the LicenseRef-Fedora-Public-Domain license. Hence, the ntia-checker generated a validationMessage. I manually added the below block and now the checker does not complain about invalid licenses:

```json
{
  "licenseId": "LicenseRef-Fedora-Public-Domain",
  "extractedText": "Fedora Public Domain"
}
```
For other licenses that didn't resolve to a known SPDX License ID, this information was already extracted. Do you know why it failed to add extractionInfo for this?
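The two comments above describe the check that the ntia-checker is applying: every local LicenseRef- idstring used in a license expression must have a matching entry in hasExtractedLicensingInfos. The script below is an added example of that check written for this page; it is not code from syft, the ntia-checker, or anyone in this thread. It walks the licenseConcluded, licenseDeclared and licenseInfoInFiles/licenseInfoFromFiles fields of an SPDX 2.x JSON document, pulls out LicenseRef- tokens (skipping DocumentRef-qualified external references), reports the ones that are not defined, and can add entries for them when the caller supplies the license text. The SAMPLE_SBOM document is constructed for the example and is not real syft output; the function and variable names are the example's own.

```python
import copy
import json
import re
import sys
from typing import Dict, Iterable, List, Set, Tuple

# Constructed SPDX 2.3 JSON fragment for this example (not real syft output).
# pkg-a uses a LicenseRef- that is declared in hasExtractedLicensingInfos;
# pkg-b and one file use LicenseRef-Fedora-Public-Domain, which is not declared.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-a",
            "name": "pkg-a",
            "licenseConcluded": "MIT AND LicenseRef-Example-Custom",
            "licenseDeclared": "MIT",
        },
        {
            "SPDXID": "SPDXRef-Package-b",
            "name": "pkg-b",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "LicenseRef-Fedora-Public-Domain",
        },
    ],
    "files": [
        {
            "SPDXID": "SPDXRef-File-x",
            "fileName": "./usr/share/doc/pkg-b/COPYING",
            "licenseConcluded": "NOASSERTION",
            "licenseInfoInFiles": ["LicenseRef-Fedora-Public-Domain"],
        }
    ],
    "hasExtractedLicensingInfos": [
        {"licenseId": "LicenseRef-Example-Custom", "extractedText": "Example custom terms"}
    ],
}

# Fields on packages and files that carry SPDX license expressions (a string)
# or lists of expressions.
LICENSE_FIELDS = ("licenseConcluded", "licenseDeclared", "licenseInfoFromFiles", "licenseInfoInFiles")

# An SPDX idstring is letters, digits, "." and "-". A DocumentRef- prefix means
# the reference resolves against an external document, so it is not checked here.
LICENSE_REF = re.compile(r"\b(DocumentRef-[A-Za-z0-9.\-]+:)?(LicenseRef-[A-Za-z0-9.\-]+)")


def _expressions(sbom: dict) -> Iterable[Tuple[str, str]]:
    """Yield (location, expression) for every license field on packages and files."""
    for section in ("packages", "files"):
        for element in sbom.get(section, []):
            spdx_id = element.get("SPDXID", "?")
            for field in LICENSE_FIELDS:
                value = element.get(field)
                if value is None:
                    continue
                for expr in (value if isinstance(value, list) else [value]):
                    yield f"{spdx_id}.{field}", expr


def referenced_license_refs(sbom: dict) -> Dict[str, List[str]]:
    """Map each local LicenseRef- idstring used in an expression to the places it appears."""
    refs: Dict[str, List[str]] = {}
    for location, expr in _expressions(sbom):
        for doc_prefix, ref in LICENSE_REF.findall(expr):
            if doc_prefix:
                continue  # external reference, validated against the other document
            refs.setdefault(ref, []).append(location)
    return refs


def defined_license_refs(sbom: dict) -> Set[str]:
    """licenseId values declared in the document's hasExtractedLicensingInfos section."""
    return {info["licenseId"] for info in sbom.get("hasExtractedLicensingInfos", []) if "licenseId" in info}


def unresolved_license_refs(sbom: dict) -> Dict[str, List[str]]:
    """LicenseRef- idstrings used in expressions but missing from hasExtractedLicensingInfos."""
    defined = defined_license_refs(sbom)
    return {ref: locs for ref, locs in referenced_license_refs(sbom).items() if ref not in defined}


def patch_missing_refs(sbom: dict, extracted_text: Dict[str, str]) -> dict:
    """Return a copy of the document with entries added for unresolved refs.

    extractedText is mandatory in SPDX 2.x and should be the real license text, so
    an entry is only added for refs whose text the caller supplies; nothing is guessed.
    """
    patched = copy.deepcopy(sbom)
    infos = patched.setdefault("hasExtractedLicensingInfos", [])
    for ref in sorted(unresolved_license_refs(patched)):
        if ref in extracted_text:
            infos.append({"licenseId": ref, "extractedText": extracted_text[ref]})
    return patched


if __name__ == "__main__":
    # Usage: python check_license_refs.py [spdx.json]; defaults to the constructed sample.
    document = SAMPLE_SBOM
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            document = json.load(fh)
    for ref, locations in sorted(unresolved_license_refs(document).items()):
        print(f"Unrecognized license reference: {ref} (used in {', '.join(locations)})")
```

Running it on a syft-generated spdx-json file lists exactly the references the ntia-checker will flag, together with the package or file SPDXIDs that use them, which is the information needed to decide whether the gap is a generator bug or a reference the document genuinely never defined.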
@aniketdn -- I can't say why this entry wasn't added. Is there a public image or other reproduction steps you could share to get an SBOM in this state?
Unfortunately I do not have a public image I can point you to.
I generated the SBOM using standard syft command syft <imageName> -o spdx-json=fileName.json
What happened: For the following package, the licenseDeclared is not as per the SPDX license list https://spdx.org/licenses/

The value LicenseRef-Fedora-Public-Domain does not match any of the SPDX identifiers listed. This value is causing the ntia-checker to generate a ValidationMessage: Unrecognized license reference: LicenseRef-Fedora-Public-Domain

What you expected to happen: licenseDeclared field to have license values as per the SPDX identifiers list. If it's a valid license, it can also be submitted to SPDX for its consideration as per: https://github.com/spdx/license-list-XML/blob/main/CONTRIBUTING.md
Steps to reproduce the issue:
Anything else we need to know?:
Environment:
syft version: syft 1.9.0
OS (cat /etc/os-release or similar): Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:10 PST 2023; root:xnu-10002.61.3~2/RELEASE_X86_64 x86_64