scylla-apiclient is missing license

[mykaul]

From https://s3.amazonaws.com/downloads.scylladb.com/downloads/scylla-enterprise/relocatable/scylladb-branch-2024.1/scylladb_sbom_report_2024.1.3.txt :

Package Name: scylla-api-client
Version: 1.0
Type: python
License: UNKNOWN

[mykaul]

2024.1.4 CSV, still not OK:

type	name	version	licenses
library	scylla-api-client	1	[{'license': {'name': 'UNKNOWN'}}]
library	scylla-apiclient	1	

[Annamikhlin]

@benipeled - could you please take a look? seems it is related to - https://pypi.org/project/scylla-api-client/ or https://github.com/scylladb/scylla-api-client
The license info is not recognized by syft. Maybe something is missing in the license definition?

[benipeled]

• scylla-apiclient is a typo I'm not sure where it comes from
• scylla-api-client the repo has license, we need to figure out how syft is looking for licensees and check what is missing in this check

[mykaul]

scylla-apiclient

https://github.com/scylladb/scylla-jmx/tree/master/scylla-apiclient

[benipeled]

scylla-apiclient

https://github.com/scylladb/scylla-jmx/tree/master/scylla-apiclient

What's this product? Is the old api used by nodetool?
The pom.xml under this folder has no license attribute, we can try adding it but again - we need to figure out based on what syft recognizes/looking for a license

[mykaul]

scylla-apiclient

https://github.com/scylladb/scylla-jmx/tree/master/scylla-apiclient

What's this product? Is the old api used by nodetool? The pom.xml under this folder has no license attribute, we can try adding it but again - we need to figure out based on what syft recognizes/looking for a license

Before my time. If I had to guess - just a library. We can run syft just on that JAR, I reckon.

[Annamikhlin]

accoding to syft tool the metadata cataloger will look for licenses by searching for declarations within packaging manifests locally in the following files in License field:
https://github.com/anchore/syft/blob/fe0b78b7fe73b92ad76deed288d3b9b091a14d27/syft/pkg/cataloger/python/cataloger.go#L39-L42 (thanks to syft support for helping to find it)

in our case the files are:

find . | grep dist-info | grep scylla
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/RECORD
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/WHEEL
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/entry_points.txt
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/LICENSE.AGPL
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/top_level.txt
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/REQUESTED
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/INSTALLER
./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/METADATA

and the License field is shown as UNKNOWN

❯ cat ./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/METADATA | grep License
License: UNKNOWN
License-File: LICENSE.AGPL

Now we need somehow to update this field in ...dist-info/METADATA file :)

[mykaul]

@Annamikhlin - compare it to cqlsh which is also Python based.

[Annamikhlin]

@Annamikhlin - compare it to cqlsh which is also Python based.

By comparing scylla-cqlsh - https://github.com/scylladb/scylla-cqlsh/blob/master/pylib/setup.py
and scylla-api-client - https://github.com/scylladb/scylla-api-client/blob/master/setup.py

https://github.com/scylladb/scylla-cqlsh/blob/55aff236a924c65b64cab8a11da4b0b1d2356ae3/pylib/setup.py#L45
seem that the license=".." field is missing in scylla-api-client

[Annamikhlin]

Verification passed on master for scylla-api-client (python package):
library,scylla-api-client,1.1,[{'license': {'name': 'GNU AGPL 3.0'}}],pkg:pypi/[email protected]

for scylla-apiclient (java package) waiting for merge to 2024.1 for final verification