SPDX PackageLicenseDeclared should be NOASSERTION #660

Closed
rnjudge opened this issue Dec 9, 2021 · 2 comments · Fixed by #1184
Labels: bug (Something isn't working), good-first-issue (Good for newcomers), license (relating to software licensing)

rnjudge commented Dec 9, 2021

What happened:
Running `syft photon:3.0 -o spdx`, the PackageLicenseDeclared for all packages is listed as NONE. According to the SPDX spec, however, NONE should only be used if "the package contains no license information whatsoever". The photon packages do contain license information, however, so NOASSERTION should be the value of PackageLicenseDeclared since a license is available but not provided.

```
PackageName: bash
SPDXID: SPDXRef-Package-rpm-bash
PackageVersion: 4.4.18-2.ph3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NONE
PackageLicenseDeclared: NONE
PackageCopyrightText: NOASSERTION
```

What you expected to happen:
At a minimum, NOASSERTION should be the value of PackageLicenseDeclared (and probably PackageLicenseConcluded). Ideally, the License or LicenseRef for the package would be listed since the license is provided in the json format:

```json
    "purl": "pkg:rpm/photon/bash@4.4.18-2.ph3?arch=x86_64",
    "metadataType": "RpmdbMetadata",
    "metadata": {
      "name": "bash",
      "version": "4.4.18",
      "epoch": null,
      "architecture": "x86_64",
      "release": "2.ph3",
      "sourceRpm": "bash-4.4.18-2.ph3.src.rpm",
      "size": 3315720,
      "license": "GPLv3",
      "vendor": "VMware, Inc.",
```

How to reproduce it (as minimally and precisely as possible):
```
syft photon:3.0 -o spdx
```

Anything else we need to know?:
https://spdx.github.io/spdx-spec/package-information/
Version: 0.32.0
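The distinction the issue draws (NONE only when the package is known to carry no license information, NOASSERTION when the cataloger simply has nothing to say, and the real license or a LicenseRef when the metadata carries one) is easy to encode. The following is an added example in Go, not syft's own code: the `Package` struct stands in for the fields of syft's `RpmdbMetadata` shown above, `spdxLicenseIDs` is a constructed subset of the SPDX license list, and `rpmNameToSPDX` is an assumed mapping of a few RPM-style short names to SPDX identifiers. It also derives `PackageLicenseConcluded`, which a metadata-only cataloger has not analysed and so should leave as NOASSERTION.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Package is a minimal stand-in for the fields syft exposes for an RPM in its
// JSON output: name, version, release and the raw rpmdb "license" string.
type Package struct {
	Name    string
	Version string
	Release string
	License string // raw License tag from the rpm database; may be empty
}

// spdxLicenseIDs is a constructed subset of the SPDX license list, used to
// decide whether a raw string can be emitted unchanged. A real implementation
// would load the full list from spdx.org/licenses.
var spdxLicenseIDs = map[string]bool{
	"MIT": true, "Apache-2.0": true, "BSD-3-Clause": true,
	"GPL-2.0-only": true, "GPL-3.0-only": true, "GPL-3.0-or-later": true,
	"LGPL-2.1-only": true,
}

// rpmNameToSPDX maps a few Fedora/Photon-style short names to SPDX ids. The
// table is an assumption for this example, not one taken from syft or SPDX.
var rpmNameToSPDX = map[string]string{
	"GPLv2":   "GPL-2.0-only",
	"GPLv3":   "GPL-3.0-only",
	"GPLv3+":  "GPL-3.0-or-later",
	"ASL 2.0": "Apache-2.0",
}

// licenseRefChars matches everything SPDX does not allow in a LicenseRef
// idstring (only letters, digits, "." and "-" are permitted).
var licenseRefChars = regexp.MustCompile(`[^A-Za-z0-9.-]+`)

// DeclaredLicense turns the raw metadata license string into a value that is
// legal for PackageLicenseDeclared.
func DeclaredLicense(raw string) string {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		// Empty metadata means we could not read a license, not that the
		// package has none: that is NOASSERTION, never NONE.
		return "NOASSERTION"
	}
	if spdxLicenseIDs[raw] {
		return raw
	}
	if id, ok := rpmNameToSPDX[raw]; ok {
		return id
	}
	// Unknown vocabulary: keep the declared text, but as a LicenseRef so the
	// document stays valid SPDX rather than inventing an identifier.
	return "LicenseRef-" + licenseRefChars.ReplaceAllString(raw, "-")
}

// ConcludedLicense is what a cataloger that only reads package metadata can
// honestly say about the concluded license: nothing, since it has not
// analysed the package contents.
func ConcludedLicense(raw string) string {
	return "NOASSERTION"
}

// TagValue renders the package as an SPDX tag-value block in the shape shown
// in the issue.
func TagValue(p Package) string {
	var b strings.Builder
	fmt.Fprintf(&b, "PackageName: %s\n", p.Name)
	fmt.Fprintf(&b, "SPDXID: SPDXRef-Package-rpm-%s\n", p.Name)
	fmt.Fprintf(&b, "PackageVersion: %s-%s\n", p.Version, p.Release)
	b.WriteString("PackageDownloadLocation: NOASSERTION\n")
	b.WriteString("FilesAnalyzed: false\n")
	fmt.Fprintf(&b, "PackageLicenseConcluded: %s\n", ConcludedLicense(p.License))
	fmt.Fprintf(&b, "PackageLicenseDeclared: %s\n", DeclaredLicense(p.License))
	b.WriteString("PackageCopyrightText: NOASSERTION\n")
	return b.String()
}

func main() {
	// Constructed sample mirroring the bash package from the issue.
	bash := Package{Name: "bash", Version: "4.4.18", Release: "2.ph3", License: "GPLv3"}
	fmt.Print(TagValue(bash))
	// Constructed sample whose rpmdb License tag is missing entirely.
	fmt.Print(TagValue(Package{Name: "mystery", Version: "1.0", Release: "1", License: ""}))
}
```

Running it prints `PackageLicenseDeclared: GPL-3.0-only` for bash and `PackageLicenseDeclared: NOASSERTION` for the package with no license tag; in neither case is NONE emitted, because nothing the cataloger saw establishes that a package carries no license information at all.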


spiffcs commented Dec 9, 2021

Thanks @rnjudge for the find here!

We've got some work in-flight regarding identifying and propagating license information into the SPDX format/base syft data shape.

I think we can do a quick patch that gets NOASSERTION into place as the default rather than using NONE in the meantime.

I can get this in when I have some bandwidth this week. Also, if it seems small enough and you're interested in becoming a contributor, feel free to throw a PR up. I'd be happy to review it and help merge it in for our next release.


rnjudge commented Dec 9, 2021

@spiffcs sounds good! I can do that before vacation next week :)
