Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: --non-spdx behaves differently between list and check #188

Open
domWalters opened this issue Feb 24, 2025 · 2 comments
Open

Bug: --non-spdx behaves differently between list and check #188

domWalters opened this issue Feb 24, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@domWalters
Copy link

domWalters commented Feb 24, 2025
edited
Loading

What happened:

  1. When you run grant list it returns the full list of all licenses (SPDX and non-SPDX).
  2. When you run grant list --non-spdx it returns the list of all non-SPDX licenses.
  3. When you run grant check it checks the SPDX licenses ONLY.
  4. When you run grant check --non-spdx it checks the non-SPDX licenses ONLY.

Point 3 here is a problem. I assumed that because grant list worked on all licenses, that grant check would as well.

What you expected to happen:

I expected grant check to run on the same licenses that grant list showed me, no matter the value of non-spdx.

Steps to reproduce the issue:
Run grant on the SBOM below (note: I have removed the metadata.component field, but grant was still happy to run on this).

Syft generated SBOM 
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:c1fe0b1d-c4a8-4544-812c-55894fbf1051",
  "version": 1,
  "metadata": {
    "timestamp": "2025-02-19T16:13:26Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.19.0"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=37dc1dec0f90d313",
      "type": "library",
      "author": "Kenneth Reitz <[email protected]>",
      "name": "certifi",
      "version": "2025.1.31",
      "licenses": [
        {
          "license": {
            "id": "MPL-2.0"
          }
        }
      ],
      "cpe": "cpe:2.3:a:kennethreitz:certifi:2025.1.31:*:*:*:*:python:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/certifi-2025.1.31.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/certifi-2025.1.31.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/certifi-2025.1.31.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=e1e4dcc20a2c4a32",
      "type": "library",
      "author": "Daniel Blanchard <[email protected]>",
      "name": "chardet",
      "version": "3.0.4",
      "licenses": [
        {
          "license": {
            "name": "LGPL"
          }
        }
      ],
      "cpe": "cpe:2.3:a:daniel_blanchard_project:python-chardet:3.0.4:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard_project:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchardproject:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchardproject:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard_project:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard_project:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchardproject:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchardproject:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard_project:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchardproject:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard_project:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-chardet:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-chardet:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_chardet:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_chardet:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan-blanchard:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan-blanchard:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchardproject:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:daniel_blanchard:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:chardet:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:chardet:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-chardet:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_chardet:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan-blanchard:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:dan_blanchard:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python-chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python_chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:chardet:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:chardet:3.0.4:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/chardet-3.0.4.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/chardet-3.0.4.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/chardet-3.0.4.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=8ddf19a91f4eb133",
      "type": "library",
      "author": "Kim Davies <[email protected]>",
      "name": "idna",
      "version": "2.6",
      "licenses": [
        {
          "license": {
            "name": "BSD-like"
          }
        }
      ],
      "cpe": "cpe:2.3:a:kim_davies_project:python-idna:2.6:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies_project:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_daviesproject:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_daviesproject:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies_project:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_project:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_project:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-idna:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-idna:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_idna:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_idna:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_daviesproject:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kimproject:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kimproject:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:idna:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:idna:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_project:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-idna:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_idna:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim:python-idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim:python_idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim_davies:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kimproject:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:idna:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:kim:idna:2.6:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/idna-2.6.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/idna-2.6.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/idna-2.6.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=1e956fd99751d8fb",
      "type": "library",
      "author": "The pip developers <[email protected]>",
      "name": "pip",
      "version": "20.0.2",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "cpe": "cpe:2.3:a:pip_developers_project:python-pip:20.0.2:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers_project:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developersproject:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developersproject:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev_project:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev_project:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers_project:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_devproject:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_devproject:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developersproject:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pip:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pip:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pip:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pip:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev_project:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa-dev:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa-dev:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_devproject:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip_developers:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip:python-pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip:python_pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pip:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pip:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa-dev:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa_dev:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pypa:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pip:pip:20.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/pip-20.0.2.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/pip-20.0.2.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/pip-20.0.2.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=ba08cb0cf64eb7b4",
      "type": "library",
      "author": "UNKNOWN <UNKNOWN>",
      "name": "pkg-resources",
      "version": "0.0.0",
      "licenses": [
        {
          "license": {
            "name": "UNKNOWN"
          }
        }
      ],
      "cpe": "cpe:2.3:a:python-pkg-resources:python-pkg-resources:0.0.0:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg-resources:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg_resources:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg_resources:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown_project:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown_project:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknownproject:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknownproject:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg-resources:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg-resources:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg_resources:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg_resources:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg-resources:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg-resources:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg_resources:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg_resources:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown_project:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown_project:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknownproject:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknownproject:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg-resources:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg-resources:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg_resources:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg_resources:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg:python-pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg:python_pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python-pkg:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python_pkg:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:unknown:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:python:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg:pkg-resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:pkg:pkg_resources:0.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/pkg_resources-0.0.0.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/pkg_resources-0.0.0.dist-info/RECORD"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=1d449c7353690259",
      "type": "library",
      "author": "Kenneth Reitz <[email protected]>",
      "name": "requests",
      "version": "2.18.4",
      "licenses": [
        {
          "license": {
            "name": "Apache 2.0"
          }
        }
      ],
      "cpe": "cpe:2.3:a:python:requests:2.18.4:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/requests-2.18.4.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/requests-2.18.4.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/requests-2.18.4.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=c5c0f3b1788bb21b",
      "type": "library",
      "author": "Python Packaging Authority <[email protected]>",
      "name": "setuptools",
      "version": "44.0.0",
      "licenses": [
        {
          "license": {
            "name": "UNKNOWN"
          }
        }
      ],
      "cpe": "cpe:2.3:a:python:setuptools:44.0.0:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/setuptools-44.0.0.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/setuptools-44.0.0.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/setuptools-44.0.0.dist-info/top_level.txt"
        }
      ]
    },
    {
      "bom-ref": "pkg:pypi/[email protected]?package-id=e526a4149bb4995f",
      "type": "library",
      "author": "Andrey Petrov <[email protected]>",
      "name": "urllib3",
      "version": "1.22",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "cpe": "cpe:2.3:a:python:urllib3:1.22:*:*:*:*:*:*:*",
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "python-installed-package-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "python"
        },
        {
          "name": "syft:package:type",
          "value": "python"
        },
        {
          "name": "syft:package:metadataType",
          "value": "python-package"
        },
        {
          "name": "syft:location:0:path",
          "value": "/lib/python3.8/site-packages/urllib3-1.22.dist-info/METADATA"
        },
        {
          "name": "syft:location:1:path",
          "value": "/lib/python3.8/site-packages/urllib3-1.22.dist-info/RECORD"
        },
        {
          "name": "syft:location:2:path",
          "value": "/lib/python3.8/site-packages/urllib3-1.22.dist-info/top_level.txt"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/[email protected]?package-id=1d449c7353690259",
      "dependsOn": [
        "pkg:pypi/[email protected]?package-id=37dc1dec0f90d313",
        "pkg:pypi/[email protected]?package-id=e1e4dcc20a2c4a32",
        "pkg:pypi/[email protected]?package-id=8ddf19a91f4eb133",
        "pkg:pypi/[email protected]?package-id=e526a4149bb4995f"
      ]
    },
    {
      "ref": "pkg:pypi/[email protected]?package-id=e526a4149bb4995f",
      "dependsOn": [
        "pkg:pypi/[email protected]?package-id=37dc1dec0f90d313"
      ]
    }
  ]
}
`grant` configuration file 
format: table
show-packages: true
non-spdx: false
osi-approved: false
rules:
  - pattern: "Apache *"
    name: "allow-all-non-spdx-apache"
    mode: "allow"
  - pattern: "BSD-*"
    name: "allow-all-bsd"
    mode: "allow"
  - pattern: "LGPL*"
    name: "allow-all-LGPL"
    mode: "allow"
  - pattern: "MIT"
    name: "allow-mit"
    mode: "allow"
  - pattern: "MPL-*"
    name: "allow-mpl"
    mode: "allow"
  - pattern: "OpenSSL"
    name: "allow-openssl"
    mode: "allow"
  - pattern: "Zlib"
    name: "allow-zlib"
    mode: "allow"
  # Reject the rest.
  - pattern: "*"
    name: "default-deny-all"
    mode: "deny"
    reason: "All licenses need to be explicitly allowed"
    exceptions:
      - "pkg-resources"   # Inclusion of this is an Ubuntu bug
      - "setuptools"      # Setuptools is MIT, it just doesn't detect it

For completeness, this SBOM was generated using syft on a Python .venv which was created from this requirements.txt:

# Direct
requests==2.18.4

# Inherited
certifi==2025.1.31
chardet==3.0.4
idna==2.6
urllib3==1.22

Note: Yes, I'm aware these versions are ancient. This was used to demo the functionality of syft / grype / grant to senior colleagues so I can push for adoption of the whole suite of tools 😊

FYI, syft does not correctly identify the licenses of these versions of:

  • requests
    • "Apache 2.0" instead of "Apache-2.0"
  • chardet
    • "LGPL" instead of "LGPL-2.1-only" (I think)
  • idna
    • "BSD-like" instead of "BSD-3-Clause"

But I've put that down to the licenses in those repos not being the exact SPDX license match.

requests and chardet have since changed their LICENSE text to more closely match the actual license, so I imagine those should match properly in newer versions.

Anything else we need to know?:

Environment:

  • Output of grant version: 0.2.6
  • OS:
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
@domWalters domWalters added the bug Something isn't working label Feb 24, 2025
@wagoodman wagoodman moved this to Ready in OSS Feb 24, 2025
@spiffcs
Copy link
Collaborator

spiffcs commented Feb 24, 2025
edited
Loading

Thanks @domWalters! Also I appreciate the callout for the licenses not exactly matching for those packages. I'll take a look over in syft when I have a second.

I'll get this reported bug fixed asap.

Thank you for trying out the tools!

For some stuff coming down the pipe in grant please see:
#176

@domWalters
Copy link
Author

domWalters commented Feb 24, 2025
edited
Loading

Providing one concrete example:

This license is "Apache 2.0" for some reason, not "Apache-2.0": https://github.com/psf/requests/blob/v2.18.4/LICENSE

I didn't try with the newest requests but it looks like they changed the license since the version I'm using, so it might get the right name in the newest version:

https://github.com/psf/requests/commits/main/LICENSE

One final thing I noticed, that is already reported.

syft on a python project only gets licenses if you call it on a venv. Calling on the requirements.txt file isn't enough. I think this should at least be documented somewhere. The requirements.txt is listed against python in the list of stuff you can call against, but it technically doesn't give you everything at the moment.

anchore/syft#2970

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
2 participants
@domWalters @spiffcs