nexB / purldb

Tools to create and expose a database of purls (Package URLs). This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ and nexB for https://www.aboutcode.org/. Chat is at https://gitter.im/aboutcode-org/discuss
https://purldb.readthedocs.io/

Declared license not collected #496

Open pombredanne opened 1 week ago

pombredanne commented 1 week ago

I collect pkg:maven/com.carrotsearch/hppc@0.7.1 using the collect/index_packages API endpoint. The declared license is never filled in, even though the parent POM has it. The other_license_expression is populated, though, when doing a lookup on the "enhanced" endpoint.

Here are the URLs:

pombredanne commented 1 week ago

Another example:

If I post this to collect/index_packages:

{
  "packages": [
    {
      "purl": "pkg:maven/com.amazonaws/aws-java-sdk-kms@1.11.277"
    }
  ],
  "reindex": true,
  "reindex_set": true
}

The re-collected data still seems incorrect.

pombredanne commented 1 week ago

The issue is that the scans override the available values with empties.
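
The failure mode named in the last comment, as an added example that is not purldb code and not part of the thread: a plain update lets an empty scan value erase collected metadata, while a guarded merge keeps it. The field names `declared_license_expression` and `copyright`, the function names, and all sample values are assumptions constructed for illustration.

```python
# Added illustration, not purldb code. Field names other than
# other_license_expression are assumptions; all values are constructed.

def is_empty(value):
    """True for None, blank strings and empty containers; 0 and False are real values."""
    if value is None:
        return True
    if isinstance(value, str):
        return not value.strip()
    if isinstance(value, (list, tuple, set, dict)):
        return len(value) == 0
    return False


def naive_merge(existing, scanned):
    """The failure mode: every scanned key wins, even when its value is empty."""
    merged = dict(existing)
    merged.update(scanned)
    return merged


def safe_merge(existing, scanned):
    """Apply scanned values but never replace a non-empty value with an empty one."""
    merged = dict(existing)
    preserved = []  # fields kept because the scan had nothing for them
    for field, new_value in scanned.items():
        if is_empty(new_value):
            if not is_empty(existing.get(field)):
                preserved.append(field)
            continue
        merged[field] = new_value
    return merged, sorted(preserved)


# Constructed sample: metadata collected from the POM, then a scan result.
EXISTING = {
    "purl": "pkg:maven/com.carrotsearch/hppc@0.7.1",
    "declared_license_expression": "apache-2.0",
    "other_license_expression": None,
}
SCANNED = {
    "declared_license_expression": "",
    "other_license_expression": "apache-2.0",
    "copyright": None,
}

if __name__ == "__main__":
    print(naive_merge(EXISTING, SCANNED)["declared_license_expression"])
    print(safe_merge(EXISTING, SCANNED))
```

The `preserved` list is worth logging during reindexing, since it shows which fields a scan would otherwise have blanked.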