What happened:
When generating an SBOM for the image kafbat/kafka-ui:49894b886dc97b67d49247dee26d3fe39bf262f3 we seem to get a weird declared license for the SPDXRef-Package-apk-zulu21-ca-jre-headless-afb82c60889cbcf4.
"name": "zulu21-ca-jre-headless",
"SPDXID": "SPDXRef-Package-apk-zulu21-ca-jre-headless-afb82c60889cbcf4",
"versionInfo": "21.0.5-r3",
"supplier": "Person: Azul Systems, Inc. ([email protected])",
"originator": "Person: Azul Systems, Inc. ([email protected])",
"downloadLocation": "https://www.azul.com/products/core/",
"filesAnalyzed": true,
"packageVerificationCode": {
"packageVerificationCodeValue": "3efff23c0ac2a5d9554449bc3b78e09fe0b9245f"
},
"sourceInfo": "acquired package info from APK DB: /lib/apk/db/installed",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "(GPL-2.0-only WITH Classpath-exception-2.0)",
When checking https://spdx.org/licenses/GPL-2.0-with-classpath-exception.html, this license seems deprecated.
We're trying to process this SBOM in Python but the spdx package is failing due to this license, as there's no ExtractedLicensingInfos either for this license.
What you expected to happen:
This license can properly be processed.
Steps to reproduce the issue:
syft scan -o spdx-json=kafbat ghcr.io/kafbat/kafka-ui:49894b886dc97b67d49247dee26d3fe39bf262f3
Thanks @Garnaalkroket - I'm looking at a few license issues in Syft at the moment so will add this one to the list.
On initial inspection this is the correct license, as it's listed in the apk db metadata, so I'm not sure what we can do on the syft side since it's technically correct:
grep -A 10 'zulu21-ca-jre-headless' /lib/apk/db/installed
P:zulu21-ca-jre-headless
V:21.0.5-r3
A:aarch64
S:66395810
I:202809344
T:Azul Zulu 21.38+21 (21.0.5-b11) CA Headless JRE
U:https://www.azul.com/products/core/
L:GPL-2.0-only WITH Classpath-exception-2.0 <-------
o:zulu21-ca
m:Azul Systems, Inc. <[email protected]>
t:1729073533
--
D:zulu21-ca-jre-headless=21.0.5-r3
We're trying to process this SBOM in Python but the spdx package is failing due to this license, as there's no ExtractedLicensingInfos either for this license.
What specifically is failing? Is there some validator or spdx tool you're using that says the document is invalid?
Is there a way you can turn off/enable it to accept deprecated licenses, given that this is what the package declares as its license?
If syft encounters this kind of license in the container metadata for a given package, what does "This license can properly be processed." mean in this case?
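For anyone hitting the same thing when consuming Syft's SPDX JSON in Python, the following is an added example, not Syft's code and not code from either participant in this thread. It walks the `packages` array, tokenizes each `licenseDeclared` / `licenseConcluded` expression per the SPDX 2.3 expression grammar, and reports three distinct conditions: a `LicenseRef-` identifier with no matching `hasExtractedLicensingInfos` entry, an identifier absent from the SPDX list, and an identifier the list marks deprecated. The point it makes for this issue: `GPL-2.0-only WITH Classpath-exception-2.0` is a license id plus an exception id joined by `WITH`, both current on the SPDX list, whereas the page linked above describes the single identifier `GPL-2.0-with-classpath-exception`, which is the deprecated one. The embedded license/exception tables are a constructed subset of the real lists (`licenses.json` and `exceptions.json` on spdx.org); the zulu package entry uses the values quoted in the issue, and the other two packages and their SPDXIDs are made up to exercise the failure modes.

```python
"""Added example, not Syft's code and not from the issue thread: walk an SPDX 2.3
JSON document the way a Python consumer would and check each package's license
expressions against a small embedded subset of the SPDX license list."""
import json
import re

# Constructed subset of the SPDX license and exception lists (the real ones are
# https://spdx.org/licenses/licenses.json and exceptions.json). Only the
# identifiers relevant to this issue plus a couple of common ones are included.
KNOWN_LICENSES = {
    "GPL-2.0-only": {"deprecated": False},
    "GPL-2.0-with-classpath-exception": {"deprecated": True},  # single-id form, deprecated
    "MIT": {"deprecated": False},
    "Apache-2.0": {"deprecated": False},
}
KNOWN_EXCEPTIONS = {
    "Classpath-exception-2.0": {"deprecated": False},
}
OPERATORS = {"(", ")", "AND", "OR", "WITH"}

# SPDX 2.3 expression tokens: parentheses, AND/OR/WITH, and idstrings made of
# letters, digits, "-" and "." with an optional trailing "+" (or-later).
_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.\-]+\+?")


def tokenize(expr):
    return _TOKEN.findall(expr)


def check_expression(expr, extracted_ids):
    """Return (identifier, problem) pairs for one licenseDeclared/licenseConcluded
    value. NOASSERTION and NONE are valid by definition. External DocumentRef-
    references are not handled here."""
    findings = []
    if expr in ("NOASSERTION", "NONE"):
        return findings
    tokens = tokenize(expr)
    for i, tok in enumerate(tokens):
        if tok in OPERATORS:
            continue
        if tok.startswith("LicenseRef-"):
            # A non-list license must be defined in hasExtractedLicensingInfos.
            if tok not in extracted_ids:
                findings.append((tok, "LicenseRef without hasExtractedLicensingInfos entry"))
            continue
        # The operand right after WITH is an exception id, anything else a license id.
        if i > 0 and tokens[i - 1] == "WITH":
            kind, info = "exception", KNOWN_EXCEPTIONS.get(tok)
        else:
            kind, info = "license", KNOWN_LICENSES.get(tok.rstrip("+"))
        if info is None:
            findings.append((tok, f"unknown {kind} id"))
        elif info["deprecated"]:
            findings.append((tok, f"deprecated {kind} id"))
    return findings


def check_document(doc):
    """Map SPDXID -> list of (field, identifier, problem) for every package."""
    extracted = {e["licenseId"] for e in doc.get("hasExtractedLicensingInfos", [])}
    report = {}
    for pkg in doc.get("packages", []):
        for field in ("licenseDeclared", "licenseConcluded"):
            expr = pkg.get(field)
            if expr is None:
                continue
            for ident, problem in check_expression(expr, extracted):
                report.setdefault(pkg["SPDXID"], []).append((field, ident, problem))
    return report


# Constructed SPDX document: the zulu package uses the values quoted in the
# issue; the other two packages are made up to exercise the failure modes.
SAMPLE_DOC = json.loads("""{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"name": "zulu21-ca-jre-headless",
     "SPDXID": "SPDXRef-Package-apk-zulu21-ca-jre-headless-afb82c60889cbcf4",
     "versionInfo": "21.0.5-r3",
     "licenseConcluded": "NOASSERTION",
     "licenseDeclared": "(GPL-2.0-only WITH Classpath-exception-2.0)"},
    {"name": "example-deprecated-id", "SPDXID": "SPDXRef-Package-example-deprecated",
     "licenseConcluded": "NOASSERTION",
     "licenseDeclared": "GPL-2.0-with-classpath-exception"},
    {"name": "example-missing-ref", "SPDXID": "SPDXRef-Package-example-missing-ref",
     "licenseConcluded": "NOASSERTION",
     "licenseDeclared": "LicenseRef-vendor-eula AND MIT"}
  ],
  "hasExtractedLicensingInfos": []
}""")

if __name__ == "__main__":
    for spdxid, problems in check_document(SAMPLE_DOC).items():
        for field, ident, problem in problems:
            print(f"{spdxid}: {field}: {ident}: {problem}")
```

Run against the constructed document, the zulu package produces no findings; only the two made-up packages are reported. To use this on a real Syft document, replace `SAMPLE_DOC` with `json.load(open("kafbat"))` and replace the two embedded tables with the full SPDX lists, keeping the `isDeprecatedLicenseId` flag from `licenses.json` as the `deprecated` value.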
Anything else we need to know?:
We love syft <3
Environment:
Application: syft
Version: 1.19.0
BuildDate: 2025-01-22T19:44:54Z
GitCommit: Homebrew
GitDescription: [not provided]
Platform: linux/amd64
GoVersion: go1.23.5
Compiler: gc