Multiple licenses as string instead of list #3430
Comments
|
I believe that multiple licenses are to be considered "AND" clauses, so we can't split out the "OR" licenses as you've described. Since we can't really describe a boolean tree without a more complex data structure, this is expected. If there are other options, we could always discuss those! |
|
@dariozachow I didn't have time to get back to this, but also have another comment. Here is how the license is stated in the project's (type-fest) package.json. When a license is stated like this in the SPDX expression it is NOT equivalent to [SPDX Expressions Explained]https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/
That choice is up to the consumer of the software. When generating an SBOM we make sure to carry through that indication of choice when describing the package. The way we do this is through the OR expression provided by the author. |
What happened:
When using syft to create a sbom containing the npm package https://www.npmjs.com/package/type-fest, the license entry contains one entry instead of two. Furthermore the value and spdxExpression for this licenseentry are both licenses concatenated with OR. This makes displaying the values and spdxExpression harder.
SBOM output:
"licenses": [ { "value": "(MIT OR CC0-1.0)", "spdxExpression": "(MIT OR CC0-1.0)", "type": "declared", "urls": [], "locations": [ { "path": "/package-lock.json", "accessPath": "/package-lock.json", "annotations": { "evidence": "primary" } } ] }What you expected to happen:
I would expect two license entries, each containing one license, in this cases MIT and CCO-1.0
Steps to reproduce the issue:
syft scan . -o json=syft.sbom.json --select-catalogers "+sbom-cataloger"Anything else we need to know?:
Environment:
syft version: syft 1.16.0cat /etc/os-releaseor similar): System Version: macOS 15.1 (24B83) Kernel Version: Darwin 24.1.0The text was updated successfully, but these errors were encountered: