scylladb / scylla-jmx

Scylla JMX proxy
GNU Affero General Public License v3.0

scylla-apiclient is missing license #237

Closed mykaul closed 3 months ago

mykaul commented 5 months ago

From https://s3.amazonaws.com/downloads.scylladb.com/downloads/scylla-enterprise/relocatable/scylladb-branch-2024.1/scylladb_sbom_report_2024.1.3.txt :

Package Name: scylla-api-client Version: 1.0 Type: python License: UNKNOWN

mykaul commented 5 months ago

2024.1.4 CSV, still not OK:

type    name    version licenses
library scylla-api-client   1   [{'license': {'name': 'UNKNOWN'}}]
library scylla-apiclient    1   

Annamikhlin commented 4 months ago

@benipeled - could you please take a look? It seems to be related to https://pypi.org/project/scylla-api-client/ or https://github.com/scylladb/scylla-api-client. The license info is not recognized by syft. Maybe something is missing in the license definition?

mykaul commented 4 months ago

scylla-apiclient

https://github.com/scylladb/scylla-jmx/tree/master/scylla-apiclient

benipeled commented 4 months ago

scylla-apiclient

https://github.com/scylladb/scylla-jmx/tree/master/scylla-apiclient

What's this product? Is the old api used by nodetool? The pom.xml under this folder has no license attribute, we can try adding it but again - we need to figure out based on what syft recognizes/looking for a license

mykaul commented 4 months ago

scylla-apiclient

https://github.com/scylladb/scylla-jmx/tree/master/scylla-apiclient

What's this product? Is the old api used by nodetool? The pom.xml under this folder has no license attribute, we can try adding it but again - we need to figure out based on what syft recognizes/looking for a license

Before my time. If I had to guess - just a library. We can run syft just on that JAR, I reckon.

Annamikhlin commented 4 months ago

According to the syft tool, the metadata cataloger will look for licenses by searching for declarations within packaging manifests locally, in the following files, in the License field: https://github.com/anchore/syft/blob/fe0b78b7fe73b92ad76deed288d3b9b091a14d27/syft/pkg/cataloger/python/cataloger.go#L39-L42 (thanks to syft support for helping to find it)

in our case the files are:

find . | grep dist-info | grep scylla
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/RECORD
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/WHEEL
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/entry_points.txt
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/LICENSE.AGPL
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/top_level.txt
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/REQUESTED
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/INSTALLER
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/METADATA

and the License field is shown as UNKNOWN

❯ cat ./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/METADATA | grep License
License: UNKNOWN
License-File: LICENSE.AGPL

Now we need somehow to update this field in ...dist-info/METADATA file :)

mykaul commented 4 months ago

@Annamikhlin - compare it to cqlsh which is also Python based.

Annamikhlin commented 4 months ago

@Annamikhlin - compare it to cqlsh which is also Python based.

By comparing scylla-cqlsh - https://github.com/scylladb/scylla-cqlsh/blob/master/pylib/setup.py - and scylla-api-client - https://github.com/scylladb/scylla-api-client/blob/master/setup.py -

https://github.com/scylladb/scylla-cqlsh/blob/55aff236a924c65b64cab8a11da4b0b1d2356ae3/pylib/setup.py#L45 it seems that the license=".." field is missing in scylla-api-client.
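The two comments above describe the whole mechanism: an SBOM cataloger reads the `License:` header of the installed `*.dist-info/METADATA` file, setuptools writes that header from the `license=` argument of `setup.py`, and a `License-File:` entry alone does not count. The script below is an added example (not code from this thread, from syft, or from the scylla projects) that audits a site-packages tree the same way and flags packages that would surface as UNKNOWN. The METADATA contents are constructed samples modelled on the `grep License` output in the thread; treating `License ::` trove classifiers as a second signal is an assumption about what a cataloger might accept, not a description of syft's exact logic.

```python
"""Audit the License field of installed dist-info METADATA files, the
declaration an SBOM cataloger reads. Sample METADATA text is constructed."""
from email.parser import HeaderParser
from pathlib import Path
import tempfile

# Constructed sample: what a wheel built from a setup.py without license=
# looks like (only the License-File entry is present, License is UNKNOWN).
METADATA_MISSING_LICENSE = """\
Metadata-Version: 2.1
Name: scylla-api-client
Version: 1.0
License: UNKNOWN
License-File: LICENSE.AGPL
"""

# Constructed sample: the same package after adding license="GNU AGPL 3.0"
# to setup.py, plus a trove classifier (assumed, not taken from the project).
METADATA_WITH_LICENSE = """\
Metadata-Version: 2.1
Name: scylla-api-client
Version: 1.1
License: GNU AGPL 3.0
Classifier: License :: OSI Approved :: GNU Affero General Public License v3
License-File: LICENSE.AGPL
"""

# Placeholder values setuptools emits when license= is absent.
PLACEHOLDERS = {"", "UNKNOWN", "NONE"}


def declared_licenses(metadata_text: str) -> list[str]:
    """Return usable license names: the License header unless it is a
    placeholder, then any 'License ::' trove classifiers. A License-File
    entry on its own is deliberately not counted, matching the thread."""
    msg = HeaderParser().parsestr(metadata_text)
    names = []
    header = (msg.get("License") or "").strip()
    if header.upper() not in PLACEHOLDERS:
        names.append(header)
    for classifier in msg.get_all("Classifier", []):
        if classifier.startswith("License ::"):
            names.append(classifier.split("::")[-1].strip())
    return names


def audit_site_packages(site_packages: Path) -> dict[str, list[str]]:
    """Map '<name> <version>' to declared licenses for every
    *.dist-info/METADATA below site_packages; an empty list means the
    package would show up as UNKNOWN in an SBOM."""
    report = {}
    for meta in sorted(site_packages.glob("*.dist-info/METADATA")):
        text = meta.read_text(encoding="utf-8")
        msg = HeaderParser().parsestr(text)
        report[f"{msg['Name']} {msg['Version']}"] = declared_licenses(text)
    return report


def build_fixture() -> Path:
    """Write the two constructed METADATA files into a throwaway
    site-packages layout so the audit can run offline."""
    root = Path(tempfile.mkdtemp(prefix="sbom-audit-"))
    for dirname, text in (
        ("scylla_api_client-1.0.dist-info", METADATA_MISSING_LICENSE),
        ("scylla_api_client-1.1.dist-info", METADATA_WITH_LICENSE),
    ):
        d = root / dirname
        d.mkdir()
        (d / "METADATA").write_text(text, encoding="utf-8")
        (d / "LICENSE.AGPL").write_text("GNU AFFERO GENERAL PUBLIC LICENSE\n")
    return root


if __name__ == "__main__":
    for pkg, licenses in audit_site_packages(build_fixture()).items():
        status = ", ".join(licenses) if licenses else "UNKNOWN (no license= in setup.py?)"
        print(f"{pkg}: {status}")
```

Point `audit_site_packages` at a real `venv/lib/python3.x/site-packages` to run it against an installed tree; any package reported with an empty list needs `license=` (or the equivalent in `pyproject.toml`) set upstream and the wheel rebuilt, because editing the installed METADATA by hand fixes only that one environment.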

Annamikhlin commented 3 months ago

Verification passed on master for scylla-api-client (python package): library,scylla-api-client,1.1,[{'license': {'name': 'GNU AGPL 3.0'}}],pkg:pypi/scylla-api-client@1.1

for scylla-apiclient (java package) waiting for merge to 2024.1 for final verification