scylladb / scylla-tools-java

Apache Cassandra, supplying tools for Scylla
Apache License 2.0

SBOM - 2024.1.4: scylla-tools package is missing license #392

Closed mykaul closed 1 month ago

mykaul commented 6 months ago

From https://downloads.scylladb.com/downloads/scylla-enterprise/sbom/scylladb-2024.1/scylladb_sbom_report_2024.1.4.csv :

type    name    version licenses
library scylla-tools    2024.1.4-0.20240428.67dd10537f78
Annamikhlin commented 5 months ago


Is it OK that in scylla-enterprise we have scylla-tools and scylla-jmx, and that they are not scylla-enterprise-tools/jmx for the Java packages?

mykaul commented 5 months ago

It's a bit strange that we have them both - also notice the same build ID / pkg. Probably a duplicate.

syuu1228 commented 2 months ago

I think the real problem in this issue is not the missing license, but that scylla-enterprise-tools and scylla-enterprise-jmx are detected twice. And I guess the reason it is duplicated is that the syft tool detects software metadata both from the package manager (dpkg) and from the Java metadata stored in the .jar (under META-INF/MANIFEST.MF and META-INF/maven/). I checked the metadata in the .jar files of scylla-tools and scylla-jmx, and found that both are not using the "scylla-enterprise-" prefix but the "scylla-" prefix. I guess this is why it was duplicated.

syuu1228 commented 2 months ago

And the product name in the Java metadata is probably defined in build.xml (Apache Ant) or pom.xml (Maven). I guess the license is also specified in some way, but I do not know how.
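As an added example of the mechanism syuu1228 describes above (illustration code written for this page, not part of the original thread, of scylla-tools-java, or of syft): the script below constructs two small jars in memory as fixtures, one whose MANIFEST.MF carries only Implementation-* attributes and one that also carries OSGi Bundle-License/Bundle-Name/Bundle-Version headers, parses META-INF/MANIFEST.MF (including the 72-byte line continuation rule) and META-INF/maven/.../pom.properties the way a scanner would, and cross-checks the jar's own name against what dpkg reports. The version string and the dpkg package name scylla-enterprise-tools are constructed to mirror the thread, not taken from a real build, and the name/version/license precedence in jar_metadata() is a simplification assumed for the example, not a statement of syft's exact rules.

```python
"""Added example, not code from scylla-tools-java or syft: read the Java
metadata an SBOM scanner picks up from a .jar and compare it with dpkg names.
The two jars built below are constructed in-memory fixtures, not real Scylla
artifacts, and the name/version/license precedence in jar_metadata() is this
example's simplification, not a statement of syft's exact rules."""
import io
import zipfile

# Constructed: a version in the thread's format, and the name dpkg reports for the files.
VERSION = "2024.1.7-0.20240930.ef2ea9879a60"
DPKG_PACKAGES = {"scylla-enterprise-tools": VERSION}


def _wrap72(line):
    """JAR spec: at most 72 bytes per physical line; continuations start with one space (ASCII assumed)."""
    out, rest = [line[:72]], line[72:]
    while rest:
        out.append(" " + rest[:71])
        rest = rest[71:]
    return out


def build_jar(manifest_attrs, pom_props=None):
    """Minimal jar with the given manifest attributes and an optional Maven pom.properties."""
    lines = []
    for key, value in [("Manifest-Version", "1.0")] + list(manifest_attrs.items()):
        lines.extend(_wrap72(f"{key}: {value}"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n\r\n")
        if pom_props:
            path = f"META-INF/maven/{pom_props['groupId']}/{pom_props['artifactId']}/pom.properties"
            zf.writestr(path, "".join(f"{k}={v}\n" for k, v in pom_props.items()))
    return buf.getvalue()


def parse_manifest(text):
    """Main section of a JAR manifest as a dict; continuation lines are rejoined."""
    attrs, last_key = {}, None
    for raw in text.splitlines():
        if raw == "":                              # a blank line ends the main section
            break
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]             # continuation of the previous value
            continue
        key, sep, value = raw.partition(":")
        if sep:                                    # skip anything that is not "Name: value"
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def parse_properties(text):
    """Maven pom.properties: key=value lines, '#' comments."""
    lines = (l.strip() for l in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in lines if l and l[0] != "#")}


def jar_metadata(jar_bytes):
    """Name/version/license as a scanner would record them. Assumed precedence:
    pom.properties artifactId/version, else Bundle-Name/-Version, else
    Implementation-Title/-Version; the license can only come from Bundle-License."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode()) if "META-INF/MANIFEST.MF" in names else {}
        pom = next((parse_properties(zf.read(n).decode()) for n in names
                    if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")), {})
    return {
        "name": pom.get("artifactId") or manifest.get("Bundle-Name") or manifest.get("Implementation-Title"),
        "version": pom.get("version") or manifest.get("Bundle-Version") or manifest.get("Implementation-Version"),
        "license": manifest.get("Bundle-License"),
    }


def reconcile(dpkg_packages, jars):
    """One finding per jar: does its own name match a dpkg package (if not, a scanner
    reading both sources lists the component twice), and does it declare a license."""
    findings = []
    for path, data in jars.items():
        meta = jar_metadata(data)
        findings.append({"jar": path, "jar_name": meta["name"], "license": meta["license"],
                         "same_name_in_dpkg": meta["name"] in dpkg_packages})
    return findings


def demo():
    """Before/after adding the Bundle-* headers: the license gap closes, the name gap does not."""
    impl = {"Implementation-Title": "scylla-tools", "Implementation-Version": VERSION,
            "Implementation-Vendor": "ScyllaDB"}
    before = build_jar(impl)
    after = build_jar({"Bundle-License": "Apache-2.0", "Bundle-Name": "scylla-tools",
                       "Bundle-Version": VERSION, **impl})
    return reconcile(DPKG_PACKAGES, {"before/scylla-tools.jar": before, "after/scylla-tools.jar": after})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The two findings show the two separate problems: the jar without Bundle-License comes back with license None while the one with it reports Apache-2.0, and in both cases the jar's name (scylla-tools) does not match the dpkg name (scylla-enterprise-tools), so a scanner that reads both sources still lists the component twice. To inspect a real jar, feed the output of `unzip -p some.jar META-INF/MANIFEST.MF` to parse_manifest().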

Annamikhlin commented 1 month ago

And the product name in the Java metadata is probably defined in build.xml (Apache Ant) or pom.xml (Maven). I guess the license is also specified in some way, but I do not know how.

@syuu1228 Thanks for the information.

scylla-tools and jmx have already been removed in the latest versions, but we still have them in 2024.1 and 2023.1. @tchaikov - maybe you can help. Do you know where and how we can update the missing license in scylla-tools?

tchaikov commented 1 month ago

And the product name in the Java metadata is probably defined in build.xml (Apache Ant) or pom.xml (Maven). I guess the license is also specified in some way, but I do not know how.

@syuu1228 Thanks for the information.

scylla-tools and jmx have already been removed in the latest versions, but we still have them in 2024.1 and 2023.1. @tchaikov - maybe you can help. Do you know where and how we can update the missing license in scylla-tools?

@Annamikhlin probably you could give the following patch a try?

diff --git a/build.xml b/build.xml
index fd5c5cb885..e448afa649 100644
--- a/build.xml
+++ b/build.xml
@@ -924,6 +924,12 @@
           <exclude name="org/apache/**"/>
         </fileset>
         <manifest>
+          <attribute name="Bundle-DocURL" value="http://www.scylladb.com"/>
+          <attribute name="Bundle-License" value="Apache-2.0"/>
+          <attribute name="Bundle-ManifestVersion" value="2"/>
+          <attribute name="Bundle-Name" value="Scylla-Tools"/>
+          <attribute name="Bundle-Vendor" value="ScyllaDB"/>
+          <attribute name="Bundle-Version" value="${version}"/>
           <attribute name="Implementation-Title" value="Scylla-Tools"/>
           <attribute name="Implementation-Version" value="${version}"/>
           <attribute name="Implementation-Vendor" value="ScyllaDB"/>
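Review bot: Bundle-Version on the last added line is set to `${version}`, but an OSGi Bundle-Version has to be major.minor.micro.qualifier with numeric first three parts, and the versions in this thread (e.g. 2024.1.4-0.20240428.67dd10537f78) put a hyphen right after the micro number, so any OSGi-aware tool that validates the header will reject it even though a scanner that just copies the string will be happy; either leave Bundle-Version out and rely on the existing Implementation-Version, or map the build suffix into a proper qualifier. Bundle-Name "Scylla-Tools" also still differs from the dpkg package name (scylla-enterprise-tools), so this hunk fills the empty license column but does not remove the two-entries-for-one-component duplication syuu1228 described, and the scylla-jmx jar would need the same Bundle-License header in its own build for its entry. Minor: Bundle-DocURL uses http://; consider https://.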
Annamikhlin commented 1 month ago

And the product name in the Java metadata is probably defined in build.xml (Apache Ant) or pom.xml (Maven). I guess the license is also specified in some way, but I do not know how.

@syuu1228 Thanks for the information. scylla-tools and jmx have already been removed in the latest versions, but we still have them in 2024.1 and 2023.1. @tchaikov - maybe you can help. Do you know where and how we can update the missing license in scylla-tools?

@Annamikhlin probably you could give the following patch a try?

diff --git a/build.xml b/build.xml
index fd5c5cb885..e448afa649 100644
--- a/build.xml
+++ b/build.xml
@@ -924,6 +924,12 @@
           <exclude name="org/apache/**"/>
         </fileset>
         <manifest>
+          <attribute name="Bundle-DocURL" value="http://www.scylladb.com"/>
+          <attribute name="Bundle-License" value="Apache-2.0"/>
+          <attribute name="Bundle-ManifestVersion" value="2"/>
+          <attribute name="Bundle-Name" value="Scylla-Tools"/>
+          <attribute name="Bundle-Vendor" value="ScyllaDB"/>
+          <attribute name="Bundle-Version" value="${version}"/>
           <attribute name="Implementation-Title" value="Scylla-Tools"/>
           <attribute name="Implementation-Version" value="${version}"/>
           <attribute name="Implementation-Vendor" value="ScyllaDB"/>

Thank you @tchaikov - it worked! :+1:

type     name          version                           license                              purl
library  scylla-tools  2024.1.7-0.20240930.ef2ea9879a60  [{'license': {'id': 'Apache-2.0'}}]  pkg:maven/scylla-tools/scylla-tools@2024.1.7-0.20240930.ef2ea9879a60