Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
License: BSD 2-Clause "Simplified" License (960 stars, 188 forks)
Include license info for deb pkgs in SPDX reports #1194
Tern must scan the copyright files to gather any type of license information for Debian packages and uses the debian-inspector[1] library to do this. Once scanned, Debian licenses found are stored in the pkg_licenses field in the package data model (vs pkg_license field for packages found using the package manager). This was causing them not to be reported in SPDX documents.
This commit enables Tern to report pkg_licenses found in Debian packages as LicenseRefs for both tag value and json SPDX formats.
Resolves #1188
[1] https://github.com/nexB/debian-inspector
Signed-off-by: Rose Judge rjudge@vmware.com
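As an added illustration of the field mismatch the commit describes (example code, not Tern's own; the package dict layout, the LicenseRef naming rule and joining multiple findings with AND are assumptions), a before/after of how a package record's licenses reach the SPDX tag-value and JSON outputs:

```python
import json
import re

# Constructed sample record for a Debian package. The dict layout is a
# hypothetical stand-in for Tern's package data model: pkg_license is what
# the package manager reports, pkg_licenses is what the copyright-file scan
# found. For dpkg the former is typically empty.
DEB_PKG = {
    "name": "libssl1.1",
    "pkg_license": "",
    "pkg_licenses": ["OpenSSL", "SSLeay", "OpenSSL"],  # duplicate on purpose
}


def declared_before_fix(pkg):
    """Pre-fix behaviour: only pkg_license is consulted, so a Debian package
    whose licenses live in pkg_licenses reports NOASSERTION."""
    return pkg.get("pkg_license") or "NOASSERTION"


def license_ref_id(text):
    """Turn a scanned license string into an SPDX LicenseRef identifier.
    SPDX idstrings allow only letters, digits, '.' and '-' (assumed rule)."""
    return "LicenseRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", text)


def spdx_license_refs(pkg):
    """All licenses a record contributes, de-duplicated, order preserved."""
    found = []
    if pkg.get("pkg_license"):
        found.append(pkg["pkg_license"])
    found.extend(pkg.get("pkg_licenses", []))
    return [(license_ref_id(lic), lic) for lic in dict.fromkeys(found)]


def declared_after_fix(pkg):
    """Post-fix: pkg_licenses entries are reported as LicenseRefs."""
    refs = spdx_license_refs(pkg)
    return " AND ".join(ref for ref, _ in refs) if refs else "NOASSERTION"


def tag_value_extracted_info(pkg):
    """ExtractedLicensingInfo block for the tag-value format."""
    lines = []
    for ref, name in spdx_license_refs(pkg):
        lines += [f"LicenseID: {ref}", f"ExtractedText: <text>{name}</text>",
                  f"LicenseName: {name}", ""]
    return "\n".join(lines)


def json_extracted_info(pkg):
    """Entries for the hasExtractedLicensingInfos array in SPDX JSON."""
    return [{"licenseId": ref, "extractedText": name, "name": name}
            for ref, name in spdx_license_refs(pkg)]
```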