Missing License Info in SBOMs #8083
-
Description
I'm creating SBOMs for diverse images and directories (via rootfs). These SBOMs contain only license info for Redhat components. For all other components (e.g. JARs), there is no license info. The behavior is identical for CycloneDX and SPDX. The --license-full option does not help.

Desired Behavior
License info is contained in SBOMs.

Actual Behavior
License info is not contained in SBOMs (except Redhat).

Reproduction Steps
1. Create an SBOM (e.g. for the image jboss/wildfly:latest) and search for license info in the generated file.

Target: SBOM
Scanner: License
Output Format: CycloneDX
Mode: None
Debug Output: -
Operating System: Windows and Linux
Version: 0.58.0
Replies: 3 comments 1 reply
-
Hello @tetzla

Trivy doesn't support detecting licenses for any language files. You can check the supported language files on the language pages - https://trivy.dev/latest/docs/coverage/language/

e.g. Trivy detects the license for:

    ➜ co cat package.json | grep license
    "license": "MIT",
    ➜ co trivy -q rootfs -f cyclonedx ./package.json | grep '"license"' -A 1
    "license": {
    "name": "MIT"

Regards, Dmitriy
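The question is about components whose license field comes back empty, and the reply shows what a detected license looks like in Trivy's CycloneDX output. The following script is an added example, not Trivy's code and not written by anyone in this discussion: it walks a CycloneDX JSON document (including nested components), lists every component without license data, and breaks the gaps down by package ecosystem so you can see at a glance whether, as reported above, only the RPM components carry licenses. The SAMPLE_SBOM document is constructed for the example; the exact shape Trivy emits for a jar with no detected license (an empty or absent "licenses" list) is an assumption, and the check accepts both forms.

```python
"""Find CycloneDX components that carry no license information.

Added example (not Trivy's code): run it over an SBOM such as the output of
`trivy image -f cyclonedx` to list license-less components per ecosystem.
"""
import json
import sys
from collections import Counter
from typing import Iterator

# Constructed sample CycloneDX 1.5 document (not real Trivy output): an RPM
# with an SPDX id, an npm package with a license name (the shape shown in
# the reply above), a component with an SPDX expression, and Maven jars
# without any license data, one of them nested inside a .war component.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl-libs", "version": "3.0.7",
         "purl": "pkg:rpm/redhat/openssl-libs@3.0.7",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"name": "MIT"}}]},
        {"type": "library", "name": "dual-licensed", "version": "2.0.0",
         "purl": "pkg:npm/dual-licensed@2.0.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "commons-lang3", "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "licenses": []},
        {"type": "application", "name": "app.war", "version": "1.0",
         "purl": "pkg:maven/com.example/app@1.0",
         "components": [
             {"type": "library", "name": "guava", "version": "31.1-jre",
              "purl": "pkg:maven/com.google.guava/guava@31.1-jre"},
         ]},
    ],
}


def iter_components(sbom: dict) -> Iterator[dict]:
    """Yield every component breadth-first, descending into nested lists."""
    queue = list(sbom.get("components") or [])
    while queue:
        component = queue.pop(0)
        yield component
        queue.extend(component.get("components") or [])


def licenses_of(component: dict) -> list[str]:
    """Return license ids, names or SPDX expressions found on a component.

    CycloneDX allows each 'licenses' entry to be {"license": {"id"|"name"}}
    or {"expression": "..."}; all of these count as license information.
    """
    found = []
    for entry in component.get("licenses") or []:
        if entry.get("expression"):
            found.append(entry["expression"])
            continue
        lic = entry.get("license") or {}
        value = lic.get("id") or lic.get("name")
        if value:
            found.append(value)
    return found


def ecosystem(component: dict) -> str:
    """Package type taken from the purl ('pkg:maven/...' -> 'maven')."""
    purl = component.get("purl") or ""
    if not purl.startswith("pkg:"):
        return "unknown"
    return purl[len("pkg:"):].split("/", 1)[0]


def components_without_license(sbom: dict) -> list[str]:
    """'name@version' of every component that has no license data."""
    return [f"{c.get('name')}@{c.get('version', '?')}"
            for c in iter_components(sbom) if not licenses_of(c)]


def missing_by_ecosystem(sbom: dict) -> dict[str, int]:
    """Number of license-less components contributed by each ecosystem."""
    return dict(Counter(ecosystem(c) for c in iter_components(sbom)
                        if not licenses_of(c)))


def license_coverage(sbom: dict) -> float:
    """Fraction of components (nested included) that carry license data."""
    components = list(iter_components(sbom))
    if not components:
        return 0.0
    return 1 - len(components_without_license(sbom)) / len(components)


if __name__ == "__main__":
    # Usage: python check_sbom_licenses.py [trivy-cyclonedx.json]
    sbom = SAMPLE_SBOM
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sbom = json.load(fh)
    print(f"license coverage: {license_coverage(sbom):.0%}")
    print("missing by ecosystem:", missing_by_ecosystem(sbom))
    for name in components_without_license(sbom):
        print("  no license:", name)
```

On the constructed sample this reports 50% coverage with all three gaps under "maven", which is the pattern to look for when deciding whether a missing license is a Trivy coverage limit (as explained in the reply) or a genuinely unlicensed package; feeding it a real Trivy SBOM path as the first argument runs the same check on actual output.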
-
Hello, many thanks for your quick response. Is the license detection for jar/war/ear archives planned for future releases? Does it make sense to submit a feature request? I find it a bit surprising that license detection is supported for pom files but not for jar/war/ear archives, since these archives usually contain a pom file.

Regards, Aline
-
Thanks a lot. I'll be waiting for #4734.
Issue about licenses for jar files - #4734

This is not always correct. gradle may not have POM files.