Parlay doesn't seem to respect version number when determining license #87
Comments
Hey @stevensdavid
Hey @mcombuechen! I set up a simple POC for this with package.json

```json
{
  "name": "parlay_test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "author": "",
  "license": "ISC",
  "dependencies": {
    "ua-parser-js": "^0.7.1"
  }
}
```

Running (relevant section):

```json
{
  "bom-ref": "pkg:npm/ua-parser-js@0.7.1?package-id=2b8805c8e3dad6be",
  "type": "library",
  "name": "ua-parser-js",
  "version": "0.7.1",
  "licenses": [
    {
      "license": {
        "id": "MIT"
      }
    },
    {
      "license": {
        "name": "GPLv2"
      }
    }
  ],
  "cpe": "cpe:2.3:a:ua-parser-js_project:ua-parser-js:0.7.1:*:*:*:*:node.js:*:*",
  "purl": "pkg:npm/ua-parser-js@0.7.1",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "javascript-lock-cataloger"
    },
    {
      "name": "syft:package:language",
      "value": "javascript"
    },
    {
      "name": "syft:package:type",
      "value": "npm"
    },
    {
      "name": "syft:package:metadataType",
      "value": "javascript-npm-package-lock-entry"
    },
    {
      "name": "syft:location:0:path",
      "value": "/package-lock.json"
    }
  ]
}
```

and then running (relevant section):

```json
{
  "bom-ref": "pkg:npm/ua-parser-js@0.7.1?package-id=2b8805c8e3dad6be",
  "type": "library",
  "supplier": {
    "name": "Faisal Salman"
  },
  "author": "Faisal Salman",
  "name": "ua-parser-js",
  "version": "0.7.1",
  "description": "Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent & Client Hints data. Supports browser & node.js environment",
  "licenses": [
    {
      "expression": "AGPL-3.0-or-later"
    }
  ],
  "cpe": "cpe:2.3:a:ua-parser-js_project:ua-parser-js:0.7.1:*:*:*:*:node.js:*:*",
  "purl": "pkg:npm/ua-parser-js@0.7.1",
  "externalReferences": [
    {
      "url": "https://uaparser.dev",
      "type": "website"
    },
    {
      "url": "https://www.npmjs.com/package/ua-parser-js",
      "type": "distribution"
    },
    {
      "url": "https://github.com/faisalman/ua-parser-js",
      "type": "vcs"
    }
  ],
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "javascript-lock-cataloger"
    },
    {
      "name": "syft:package:language",
      "value": "javascript"
    },
    {
      "name": "syft:package:type",
      "value": "npm"
    },
    {
      "name": "syft:package:metadataType",
      "value": "javascript-npm-package-lock-entry"
    },
    {
      "name": "syft:location:0:path",
      "value": "/package-lock.json"
    },
    {
      "name": "ecosystems:first_release_published_at",
      "value": "2012-07-28T20:54:44Z"
    },
    {
      "name": "ecosystems:latest_release_published_at",
      "value": "2024-11-18T01:27:23Z"
    },
    {
      "name": "ecosystems:owner_location",
      "value": "Bandung, Indonesia"
    },
    {
      "name": "ecosystems:topic",
      "value": "analytics"
    },
    {
      "name": "ecosystems:topic",
      "value": "bot-detection"
    },
    {
      "name": "ecosystems:topic",
      "value": "browser-detection"
    },
    {
      "name": "ecosystems:topic",
      "value": "client-hints"
    },
    {
      "name": "ecosystems:topic",
      "value": "device-detection"
    },
    {
      "name": "ecosystems:topic",
      "value": "mobile-detection"
    },
    {
      "name": "ecosystems:topic",
      "value": "user-agent"
    },
    {
      "name": "ecosystems:topic",
      "value": "user-agent-parser"
    }
  ]
}
```

Hope that helps!
Thanks @stevensdavid for the additional context, this is very helpful. We took a look and were able to identify the issue (it's a bug!)

Update: we depend on ecosyste.ms to make slight adjustments to their API in order for us to enrich with more accurate data. Specifically, we rely on
Hello!

I've noticed an issue with NPM package `ua-parser-js@0.7.1`. This package changed from the MIT license to AGPL in its v2.0.0 release. I'm running `syft` to generate the SBOM for the project, and it concludes

When I then run `parlay e enrich` on the SBOM it overwrites the license to `"expression": "AGPL-3.0-or-later"`, which is correct for v2.0.0 but not for `"version": "0.7.1"`, which is the version referenced in the SBOM. Can this be fixed? I'm not sure if the issue is in parlay or in ecosyste.ms, and apologise if it's on their end.

Furthermore, is there some way to ensure that parlay doesn't overwrite the license field if it exists?

Thank you for the tool, it's been very helpful apart from this!
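The two excerpts in this thread show the practical risk: the scanner recorded the licenses that apply to the pinned 0.7.1 entry, and the enricher replaced them with the license of the package's current release. Until the upstream data is per-version, a consumer can guard against this by diffing the SBOM before and after enrichment and refusing to let an enricher replace license data the scanner already produced. The script below is an added example written for this issue; it is not part of parlay or syft, the function names are my own, and the two BOM objects are constructed from the syft and parlay snippets above (abridged, plus a second made-up component with no scanner license to show the other branch).

```python
"""Detect and undo an SBOM enricher overwriting per-version license data.

Constructed sample data: a CycloneDX fragment as syft emitted it, and the
same fragment after enrichment replaced the licenses. Abridged from the
excerpts in this issue; the "left-pad" component is invented to show a
component that had no scanner license to preserve.
"""
import copy
import json

# Constructed: components before enrichment (scanner output).
SYFT_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "bom-ref": "pkg:npm/ua-parser-js@0.7.1?package-id=2b8805c8e3dad6be",
            "type": "library",
            "name": "ua-parser-js",
            "version": "0.7.1",
            "purl": "pkg:npm/ua-parser-js@0.7.1",
            "licenses": [
                {"license": {"id": "MIT"}},
                {"license": {"name": "GPLv2"}},
            ],
        },
        {  # invented: scanner found no license for this one
            "bom-ref": "pkg:npm/left-pad@1.3.0?package-id=deadbeef",
            "type": "library",
            "name": "left-pad",
            "version": "1.3.0",
            "purl": "pkg:npm/left-pad@1.3.0",
        },
    ],
}

# Constructed: the same BOM after enrichment. The enricher added author
# data (wanted) and replaced the 0.7.1 licenses with the current release's
# license (unwanted); for left-pad it filled a gap, which is fine.
ENRICHED_BOM = copy.deepcopy(SYFT_BOM)
ENRICHED_BOM["components"][0]["author"] = "Faisal Salman"
ENRICHED_BOM["components"][0]["licenses"] = [{"expression": "AGPL-3.0-or-later"}]
ENRICHED_BOM["components"][1]["licenses"] = [{"license": {"id": "MIT"}}]


def license_strings(component):
    """Flatten a CycloneDX `licenses` array to a sorted list of strings.

    Entries are either {"license": {"id" | "name": ...}} or {"expression": ...}.
    """
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name") or "?")
    return sorted(out)


def _key(component):
    # bom-ref is unique within a BOM; fall back to purl if it is missing.
    return component.get("bom-ref") or component.get("purl")


def _index(bom):
    return {_key(c): c for c in bom.get("components", [])}


def license_changes(before, after):
    """Map key -> (licenses before, licenses after) for every component
    present in both BOMs whose license set differs."""
    a, b = _index(before), _index(after)
    changes = {}
    for key in a.keys() & b.keys():
        lb, la = license_strings(a[key]), license_strings(b[key])
        if lb != la:
            changes[key] = (lb, la)
    return changes


def keep_scanner_licenses(before, after):
    """Return a copy of `after` where any component that already carried
    license data in `before` gets that data back. Other enrichment fields
    are kept, and components the scanner left without a license keep
    whatever the enricher supplied."""
    merged = copy.deepcopy(after)
    original = _index(before)
    for comp in merged.get("components", []):
        src = original.get(_key(comp))
        if src and src.get("licenses"):
            comp["licenses"] = copy.deepcopy(src["licenses"])
    return merged


if __name__ == "__main__":
    for key, (old, new) in sorted(license_changes(SYFT_BOM, ENRICHED_BOM).items()):
        print(f"license changed for {key}: {old} -> {new}")
    fixed = keep_scanner_licenses(SYFT_BOM, ENRICHED_BOM)
    print(json.dumps(fixed["components"][0]["licenses"]))
```

Run it on the real files by loading both JSON documents with `json.load` in place of the constructed dictionaries; `license_changes` is the report worth failing a CI step on, and `keep_scanner_licenses` is the workaround for the "don't overwrite the license field if it exists" request until the enricher resolves the license for the exact version in the purl.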