tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Commas included in SPDX license expressions instead of 'AND' #1223

Closed rnjudge closed 1 year ago

rnjudge commented 1 year ago

When trying to validate an SPDX file generated from the ubuntu:latest image, the resulting file does not validate due to the following error:

Analysis exception processing SPDX file: Invalid license expression.  Expecting more operands.
License expression: 'LGPL-2.1+, GPL-2.0+, LGPL-2.0+'

This is because the license expression should use AND instead of commas: LGPL-2.1+ AND GPL-2.0+ AND LGPL-2.0+

PackageName: libprocps8
SPDXID: SPDXRef-libprocps8-2-3.3.17-6ubuntu2
PackageVersion: 2:3.3.17-6ubuntu2
PackageSupplier: Organization: Ubuntu
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: LGPL-2.1+, GPL-2.0+, LGPL-2.0+
PackageCopyrightText:<text>
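The failure above comes from the SPDX license-expression grammar, which only knows operands joined by `AND`, `OR` and `WITH` (plus parentheses); a comma is not a token, so the second operand arrives where an operator was expected. The following is an added example, not Tern's own code: a minimal structural validator that reproduces that check, a hypothetical `normalize_comma_list` helper that turns the comma list into the conjunction the report asks for, and a scanner that flags such fields in a tag-value document. It assumes uppercase operators only and a constructed sample built from the libprocps8 record.

```python
import re
# Simplified token grammar: parens, SPDX operators, or a license id such as "GPL-2.0+".
_TOKEN = re.compile(r"\(|\)|AND\b|OR\b|WITH\b|[A-Za-z0-9.\-]+\+?")

def validate_spdx_expression(expr: str) -> bool:
    """True when operands and operators alternate and parentheses balance."""
    tokens = _TOKEN.findall(expr)
    # Commas are not tokens, so "A, B" leaves residue: a validator reports "Expecting more operands".
    if "".join(tokens) != expr.replace(" ", ""):
        return False
    depth, expect_operand = 0, True
    for tok in tokens:
        if tok == "(":
            if not expect_operand:
                return False
            depth += 1
        elif tok == ")":
            if expect_operand or depth == 0:
                return False
            depth -= 1
        elif tok in ("AND", "OR", "WITH"):
            if expect_operand:
                return False
            expect_operand = True
        elif expect_operand:  # a license id in operand position
            expect_operand = False
        else:  # two operands in a row with no operator between them
            return False
    return depth == 0 and not expect_operand

def normalize_comma_list(declared: str) -> str:
    """Rewrite "A, B, C" as the conjunction "A AND B AND C" that SPDX expects (hypothetical helper)."""
    return " AND ".join(p.strip() for p in declared.split(",") if p.strip())

def find_invalid_license_fields(tag_value_doc: str) -> list:
    """List (tag, value) pairs of PackageLicense* fields that do not validate."""
    bad = []
    for line in tag_value_doc.splitlines():
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag in ("PackageLicenseDeclared", "PackageLicenseConcluded"):
            if value not in ("NOASSERTION", "NONE") and not validate_spdx_expression(value):
                bad.append((tag, value))
    return bad

# Constructed sample: the license fields of the libprocps8 record from the report.
SAMPLE = """PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: LGPL-2.1+, GPL-2.0+, LGPL-2.0+
"""
```

Running `find_invalid_license_fields` over a whole generated document before publishing the SBOM catches this class of defect without a full SPDX toolchain; the real grammar is broader (lowercase operators, `LicenseRef-` ids), so treat the validator as a smoke test.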