Missing license information for Conan 2 dependencies #166

@rettichschnidi

Description

Problem

When building a CycloneDX SBOM for a repo that pulls in dependencies via Conan 2, the licensing information of the Conan 2 dependencies is missing from the resulting SBOM.

Reproducing

  1. mkdir missing-conan-2-dependency-licenses && cd missing-conan-2-dependency-licenses
  2. Create a simple dependency file:
    cat << EOF > conanfile.py
    from conan import ConanFile
    
    
    class Test(ConanFile):
        requires = "zlib/1.3"
    EOF
  3. scanoss-py scan --dependencies . --format cyclonedx --output sbom.cdx
  4. The resulting sbom.cdx does not contain any license:
    $ cat sbom.cdx
    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "serialNumber": "urn:uuid:6c81cb51-0e38-4f34-81ce-c79b841acc93",
      "version": 1,
      "metadata": {
        "timestamp": "2025-11-14T16:37:18Z",
        "tools": [
          {
            "vendor": "SCANOSS",
            "name": "scanoss-py",
            "version": "1.40.1"
          }
        ],
        "component": {
          "type": "application",
          "name": "NOASSERTION",
          "version": "NOASSERTION"
        }
      },
      "components": [
        {
          "type": "library",
          "name": "",
          "publisher": "",
          "version": "1.3",
          "purl": "pkg:conan/zlib",
          "bom-ref": "pkg:conan/zlib",
          "licenses": []
        }
      ],
      "vulnerabilities": []
    }

Hints

  • OS: Debian 13 x64
  • scanoss-py version: 1.40.1
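A small audit script that flags the kind of gap this report describes (empty license list, empty name, purl without a version) in a CycloneDX JSON SBOM. This is an added example, not part of scanoss-py or of the issue; the embedded SBOM is constructed to mirror the shape of the output shown above.

```python
import json

# Constructed sample modelled on the sbom.cdx in the report (not the original file):
# the zlib entry reproduces the gaps, the fmt entry shows a complete component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "", "publisher": "", "version": "1.3",
         "purl": "pkg:conan/zlib", "bom-ref": "pkg:conan/zlib", "licenses": []},
        {"type": "library", "name": "fmt", "version": "10.2.1",
         "purl": "pkg:conan/fmt@10.2.1", "bom-ref": "pkg:conan/fmt@10.2.1",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})


def audit_components(sbom_text):
    """Return (bom-ref, problem) tuples for components missing what a license
    review needs: a name, a versioned purl, and at least one license entry.
    CycloneDX allows either a 'license' object (id/name) or an 'expression'."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl") or "<no ref>"
        if not comp.get("name"):
            findings.append((ref, "empty name"))
        purl = comp.get("purl", "")
        if purl and "@" not in purl:
            findings.append((ref, "purl has no version"))
        has_license = any(
            entry.get("expression")
            or (entry.get("license") or {}).get("id")
            or (entry.get("license") or {}).get("name")
            for entry in comp.get("licenses") or []
        )
        if not has_license:
            findings.append((ref, "no license"))
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; pass a real sbom.cdx's text instead.
    for ref, problem in audit_components(SAMPLE_SBOM):
        print(f"{ref}: {problem}")
```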
