tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Potential issue with `LicenseInfoFromFiles` #1232

Open armintaenzertng opened 1 year ago

armintaenzertng commented 1 year ago

While perusing the SPDX generation code, I noticed that here all licenses from files are converted to LicenseRef-style license identifiers. This means that these should all show up in ExtractedLicensingInfo. However, for ExtractedLicensingInfo only non-valid licenses are written here and here, meaning that valid licenses would be referenced via LicenseRef-Identifiers that are never defined. I don't have a reproducible example yet, as the ones I tried so far don't contain LicenseInfoFromFiles. This may also be the reason why this hasn't come up yet?
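The mismatch described in the comment above, modelled as an added example to make it checkable (this is not Tern's own code; the conversion helper, the license list and the dictionary shape of the SPDX document are assumptions). It shows both the generation path the issue describes and a consistency check that flags `LicenseRef-` identifiers that are referenced but never defined:

```python
import re

# Constructed stand-in for the SPDX license list (assumption; Tern consults the real list).
VALID_SPDX_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "BSD-2-Clause"}


def to_license_ref(license_str: str) -> str:
    """Hypothetical conversion: turn any license string into a LicenseRef-style id."""
    safe = re.sub(r"[^A-Za-z0-9.-]", "-", license_str)
    return f"LicenseRef-{safe}"


def build_document(file_licenses):
    """Model of the generation path the issue describes: every license found in a
    file is referenced as a LicenseRef, but ExtractedLicensingInfo only receives
    entries for licenses that are not valid SPDX identifiers."""
    refs = sorted({to_license_ref(lic) for lic in file_licenses})
    extracted = {to_license_ref(lic): lic for lic in file_licenses if lic not in VALID_SPDX_IDS}
    return {"LicenseInfoFromFiles": refs, "ExtractedLicensingInfo": extracted}


def build_document_fixed(file_licenses):
    """Corrected variant: valid SPDX ids are referenced as-is, and a LicenseRef is
    created (and defined) only for the non-valid ones."""
    refs = sorted({lic if lic in VALID_SPDX_IDS else to_license_ref(lic) for lic in file_licenses})
    extracted = {to_license_ref(lic): lic for lic in file_licenses if lic not in VALID_SPDX_IDS}
    return {"LicenseInfoFromFiles": refs, "ExtractedLicensingInfo": extracted}


def dangling_license_refs(doc):
    """Return every LicenseRef- identifier referenced in LicenseInfoFromFiles that has
    no matching ExtractedLicensingInfo entry. A consuming tool cannot resolve these,
    so a non-empty result means the SBOM's license data is not self-describing."""
    defined = set(doc["ExtractedLicensingInfo"])
    referenced = [r for r in doc["LicenseInfoFromFiles"] if r.startswith("LicenseRef-")]
    return sorted(r for r in referenced if r not in defined)


if __name__ == "__main__":
    # Constructed sample: two valid SPDX ids and one custom license string.
    sample = ["MIT", "Custom Vendor License", "GPL-2.0-only"]
    print("buggy path, undefined refs:", dangling_license_refs(build_document(sample)))
    print("fixed path, undefined refs:", dangling_license_refs(build_document_fixed(sample)))
```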

rnjudge commented 1 year ago

Thanks for the heads up @armintaenzertng. In order to get license info in files try using the Scancode extension. In the meantime, I'll try to dig a little deeper in the code and make sure this is actually a bug.

armintaenzertng commented 1 year ago

I tried using the scancode extension, but ran into the bug described in #1202. I'll post my report there.

rnjudge commented 1 year ago

@armintaenzertng If you try with this branch you should be able to run it: https://github.com/rnjudge/tern/tree/issue-1202