Open spiffcs opened 1 month ago
I've tracked down a couple data sources syft could use to identify non SPDX licenses - currently looking at ways to incorporate these to the licenses identification when generating the SBOM
https://github.com/nexB/scancode-toolkit https://github.com/nexB/scancode-licensedb
What happened: Sometimes syft can encounter a dpkg license where the regular expression used to match on contents cannot correctly identify the license.
In the following example we should find things like:
Reads contents of copyright: https://github.com/anchore/syft/blob/ca945d16e0949a41aa8786f55d21908242b224c8/syft/pkg/cataloger/debian/package.go#L252-L276
Sends contents for parsing
https://github.com/anchore/syft/blob/ca945d16e0949a41aa8786f55d21908242b224c8/syft/pkg/cataloger/debian/package.go#L101-L106
Searches for license clause
https://github.com/anchore/syft/blob/48f1e975f05183390d7c01718865f5f66e3f9012/syft/pkg/cataloger/debian/parse_copyright.go#L22-L41
What you expected to happen: Given a copyright file is found SOME license information should be created for a given package. No licenses is a bug.
Steps to reproduce the issue:
syft version
: devel (tip of main)cat /etc/os-release
or similar): OSX