Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alpine: license expression should be complete and not parsed out #1817

Closed
spiffcs opened this issue May 16, 2023 · 0 comments · Fixed by #1819
Closed

Alpine: license expression should be complete and not parsed out #1817

spiffcs opened this issue May 16, 2023 · 0 comments · Fixed by #1819
Assignees
@spiffcs
Labels
bug Something isn't working

Comments

@spiffcs
Copy link
Contributor

spiffcs commented May 16, 2023

What happened:
When inspecting the SBOM for syft -o json alpine:latest I noticed that ca-certificates-bundle had the following licenses

   "licenses": [
    {
     "value": "AND",
     "spdxExpression": "",
     "type": "declared",
     "url": [],
     "locations": [
      {
       "path": "/lib/apk/db/installed",
       "layerID": "sha256:bb01bd7e32b58b6694c8c3622c230171f1cec24001a82068a8d30d338f420d6c",
       "annotations": {
        "evidence": "primary"
       }
      }
     ]
    },
    {
     "value": "MIT",
     "spdxExpression": "MIT",
     "type": "declared",
     "url": [],
     "locations": [
      {
       "path": "/lib/apk/db/installed",
       "layerID": "sha256:bb01bd7e32b58b6694c8c3622c230171f1cec24001a82068a8d30d338f420d6c",
       "annotations": {
        "evidence": "primary"
       }
      }
     ]
    },
    {
     "value": "MPL-2.0",
     "spdxExpression": "MPL-2.0",
     "type": "declared",
     "url": [],
     "locations": [
      {
       "path": "/lib/apk/db/installed",
       "layerID": "sha256:bb01bd7e32b58b6694c8c3622c230171f1cec24001a82068a8d30d338f420d6c",
       "annotations": {
        "evidence": "primary"
       }
      }
     ]
    }
   ],

What you expected to happen:
WIth the new changes to licenses I expected a single license:

   "licenses": [
    {
     "value": "MIT AND MPL-2.0",
     "spdxExpression": "MIT AND MPL-2.0",
     "type": "declared",
     "url": [],
     "locations": [
      {
       "path": "/lib/apk/db/installed",
       "layerID": "sha256:bb01bd7e32b58b6694c8c3622c230171f1cec24001a82068a8d30d338f420d6c",
       "annotations": {
        "evidence": "primary"
       }
      }
     ]
    }
   ],

Steps to reproduce the issue:
Command included above with package name.

Environment:

  • Output of syft version: main
  • OS (e.g: cat /etc/os-release or similar): macOS Ventura 13.3.1
@spiffcs spiffcs added the bug Something isn't working label May 16, 2023
@spiffcs spiffcs added this to OSS May 16, 2023
@spiffcs spiffcs moved this to In Progress in OSS May 16, 2023
@spiffcs spiffcs self-assigned this May 16, 2023
@spiffcs spiffcs mentioned this issue May 16, 2023
Merged
@github-project-automation github-project-automation bot moved this from In Progress to Done in OSS May 16, 2023
This was referenced May 22, 2023
Merged
Closed
Closed
Merged
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@spiffcs spiffcs

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: update cataloger to check for expressions before split anchore/syft
1 participant
@spiffcs