nexB / scancode-toolkit

:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
https://github.com/nexB/scancode-toolkit/releases/

The Gradle project generates SBOM without component licenses #3803

Open wujunhuge opened 3 weeks ago

wujunhuge commented 3 weeks ago

Using the command scancode --license --copyright --package --ignore "*.java" --cyclonedx bom.json to generate an SBOM for the Gradle project gives no component licenses.

Windows
ScanCode version: 32.1.0
ScanCode Output Format version: 3.1.0
SPDX License list version: 3.23

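A consumer-side check for the symptom reported above, added here as an example and not part of scancode-toolkit: it parses a CycloneDX JSON BOM and lists the components that carry no license entry at all, so a missing-license output like this one is caught before the SBOM is trusted downstream. The BOM it runs on is a constructed sample, not real scan output.

```python
"""Flag components in a CycloneDX JSON SBOM that carry no license data.
Added example, not scancode-toolkit code. Assumes the CycloneDX 1.4+ JSON
layout: "components" entries with a "licenses" list of
{"license": {"id"|"name": ...}} or {"expression": ...} objects.
"""
import json

# Constructed sample BOM (not real scan output): two components lack licenses.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "guava", "version": "31.1-jre",
         "purl": "pkg:maven/com.google.guava/guava@31.1-jre",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "commons-lang3", "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "licenses": [{"expression": "Apache-2.0"}]},
        {"type": "library", "name": "example-lib", "version": "1.0",
         "purl": "pkg:maven/org.example/example-lib@1.0"},
        {"type": "library", "name": "empty-lib", "version": "2.0",
         "purl": "pkg:maven/org.example/empty-lib@2.0", "licenses": []},
    ],
})

def component_licenses(component: dict) -> list[str]:
    """Return license ids, names or SPDX expressions declared on a component."""
    found = []
    for entry in component.get("licenses") or []:
        if entry.get("expression"):
            found.append(entry["expression"])
        lic = entry.get("license") or {}
        found.extend(lic[k] for k in ("id", "name") if lic.get(k))
    return found

def components_without_licenses(bom_json: str) -> list[str]:
    """Return purls (else name@version) of components with no license data."""
    missing = []
    for comp in json.loads(bom_json).get("components") or []:
        if not component_licenses(comp):
            missing.append(comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}")
    return missing

if __name__ == "__main__":
    for ident in components_without_licenses(SAMPLE_BOM):
        print("no license data:", ident)
```

Run it against the bom.json produced by the command above: on a BOM affected by this bug every component is reported, which is the signal to fall back to the JSON scan output for license information.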

pombredanne commented 2 weeks ago

Thanks. This is a bug! ScanCode.io does handle this correctly, but ScanCode Toolkit needs updating.