What happened:
Try to generate an SBOM for a project that contains for example ch.qos.logback.logback-core
logback-core has its license defined in parent pom (ch.qos.logback.logback-parent) as well as inside the MANIFEST.MF. License data from parent pom is ignored at the moment.
See https://repo1.maven.org/maven2/ch/qos/logback/logback-core/1.5.18/logback-core-1.5.18.pom for example.
What you expected to happen:
License data from parent pom is taken, because it is often more precise. pom.xml has better ways of representing multi-license projects. See https://repo1.maven.org/maven2/ch/qos/logback/logback-parent/1.5.18/logback-parent-1.5.18.pom for example.
License data from MANIFEST.MF is not as good, because Syft just takes the value as-is and does not enrich it.
Best output would be a valid license EXPRESSION: For logback-core, it should be something like this:
```json
"licenses": [
  {
    "expression": "EPL-1.0 OR LGPL-2.1-only"
  }
]
```
MANIFEST.MF from logback-core:
This is the Syft output:
Syft thinks that there is only one license available.
```json
{
  "bom-ref": "pkg:maven/ch.qos.logback/logback-core@1.5.18?package-id=c389ecb99d8108eb",
  "type": "library",
  "group": "ch.qos.logback",
  "name": "logback-core",
  "version": "1.5.18",
  "licenses": [
    {
      "license": {
        "name": "http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html"
      }
    }
  ],
  "cpe": "cpe:2.3:a:logback-core:logback-core:1.5.18:*:*:*:*:*:*:*",
  "purl": "pkg:maven/ch.qos.logback/logback-core@1.5.18",
  "externalReferences": [
    {
      "url": "",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "6c0375624f6f36b4e089e2488ba21334a11ef13f"
        }
      ],
      "type": "build-meta"
    }
  ],
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "java-archive-cataloger"
    },
    {
      "name": "syft:package:language",
      "value": "java"
    },
    {
      "name": "syft:package:type",
      "value": "java-archive"
    },
    {
      "name": "syft:package:metadataType",
      "value": "java-archive"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:logback-core:logback_core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:logback_core:logback-core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:logback_core:logback_core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:logback:logback-core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:logback:logback_core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:qos-ch:logback-core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:qos-ch:logback_core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:qos_ch:logback-core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:qos_ch:logback_core:1.5.18:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:location:0:layerID",
      "value": "sha256:e9ef3023efd7d4b4dccc5964a23f5c674cb62bde4bbc7d0fae5c8a09fe6ead74"
    },
    {
      "name": "syft:location:0:path",
      "value": "/opt/app/detact-apps.jar"
    },
    {
      "name": "syft:metadata:-:artifactID",
      "value": "logback-core"
    },
    {
      "name": "syft:metadata:-:groupID",
      "value": "ch.qos.logback"
    },
    {
      "name": "syft:metadata:virtualPath",
      "value": "/opt/app/detact-apps.jar:BOOT-INF/lib/logback-core-1.5.18.jar"
    }
  ]
}
```
Steps to reproduce the issue:
Create project/image containing logback-core 1.5.18
Create Syft CycloneDX SBOM using the following syft config:
```yaml
# https://oss.anchore.com/docs/reference/syft/configuration/
log:
  level: trace
javascript:
  include-dev-dependencies: false
file:
  metadata:
    selection: none # we don't want any files in our SBOMs as of now
select-catalogers:
  - +javascript-lock-cataloger
java:
  resolve-transitive-dependencies: true
  max-parent-recursive-depth: -1 # no limit
  use-network: true
  maven-url: "https://repo1.maven.org/maven2,https://packages.confluent.io/maven"
enrich: "all"
```
Anything else we need to know?:
I found #4260 earlier and thought this bug was present again, but logback-core has a pom.properties. That's why I think the MANIFEST.MF file is the reason the parent pom is not being used.
Environment:
EDIT: another good example is the usage of the maven package antlr4-runtime
MANIFEST.MF contains an unusable URL, but the project's parent pom.xml actually contains a usable SPDX identifier.
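As an added illustration (not part of the report above and not Syft's own code), here is a small Go program showing the resolution the report asks for: walk the parent POM chain to the first `<licenses>` block, map each entry to an SPDX ID, and emit an OR expression, with a parent-depth limit like `max-parent-recursive-depth`. It also normalises an OSGi `Bundle-License` header of the kind Syft currently copies verbatim. The two POMs are constructed stand-ins for logback-core / logback-parent 1.5.18 embedded inline, the URL-to-SPDX table is a handful of assumed entries, and reading several `<license>` entries as OR is an assumption of the example, not something the POM format defines.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed stand-ins for a Maven repository, keyed group:artifact:version.
// Trimmed versions of what logback-core / logback-parent 1.5.18 declare, not
// copies of the real POMs.
var repo = map[string]string{
	"ch.qos.logback:logback-core:1.5.18": `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>ch.qos.logback</groupId><artifactId>logback-parent</artifactId><version>1.5.18</version></parent>
  <artifactId>logback-core</artifactId>
</project>`,
	"ch.qos.logback:logback-parent:1.5.18": `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>ch.qos.logback</groupId><artifactId>logback-parent</artifactId><version>1.5.18</version>
  <licenses>
    <license><name>Eclipse Public License - v 1.0</name><url>http://www.eclipse.org/legal/epl-v10.html</url></license>
    <license><name>GNU Lesser General Public License</name><url>http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html</url></license>
  </licenses>
</project>`,
}

type pomLicense struct {
	Name string `xml:"name"`
	URL  string `xml:"url"`
}

// Only the POM elements license resolution needs; the namespace is ignored.
type pom struct {
	Parent *struct {
		GroupID    string `xml:"groupId"`
		ArtifactID string `xml:"artifactId"`
		Version    string `xml:"version"`
	} `xml:"parent"`
	Licenses []pomLicense `xml:"licenses>license"`
}

// toSPDX maps a license URL or name to an SPDX ID. The table is an assumption
// for this example; a real cataloger would consult the full SPDX license list.
func toSPDX(name, url string) (string, bool) {
	u := strings.ToLower(url)
	for frag, id := range map[string]string{
		"epl-v10": "EPL-1.0", "lgpl-2.1": "LGPL-2.1-only", "licenses/license-2.0": "Apache-2.0",
	} {
		if strings.Contains(u, frag) {
			return id, true
		}
	}
	// Some parent POMs (antlr4's, per the report) already use an SPDX ID as the name.
	for _, id := range []string{"BSD-3-Clause", "MIT", "Apache-2.0"} {
		if strings.TrimSpace(name) == id {
			return id, true
		}
	}
	return "", false
}

// resolveLicenses walks the parent chain and returns the first <licenses> block
// it meets, which is how Maven inherits them. maxDepth < 0 means no limit.
func resolveLicenses(key string, maxDepth int) ([]pomLicense, error) {
	for depth := 0; maxDepth < 0 || depth <= maxDepth; depth++ {
		raw, ok := repo[key]
		if !ok {
			return nil, fmt.Errorf("pom not found: %s", key)
		}
		var p pom
		if err := xml.Unmarshal([]byte(raw), &p); err != nil {
			return nil, err
		}
		if len(p.Licenses) > 0 {
			return p.Licenses, nil
		}
		if p.Parent == nil {
			return nil, fmt.Errorf("no <licenses> anywhere in the parent chain of %s", key)
		}
		key = p.Parent.GroupID + ":" + p.Parent.ArtifactID + ":" + p.Parent.Version
	}
	return nil, fmt.Errorf("parent recursion limit reached before a <licenses> block")
}

// expression joins resolved licenses into an SPDX expression. Several <license>
// entries are read as alternatives (OR); that reading is an assumption here.
func expression(ls []pomLicense) (string, error) {
	var ids []string
	for _, l := range ls {
		id, ok := toSPDX(l.Name, l.URL)
		if !ok {
			return "", fmt.Errorf("no SPDX mapping for %q (%s)", l.Name, l.URL)
		}
		ids = append(ids, id)
	}
	return strings.Join(ids, " OR "), nil
}

// manifestExpression normalises an OSGi Bundle-License header (the value Syft
// copies verbatim today): clauses are comma-separated, parameters follow ';'.
func manifestExpression(bundleLicense string) (string, error) {
	var ls []pomLicense
	for _, clause := range strings.Split(bundleLicense, ",") {
		name := strings.TrimSpace(strings.SplitN(clause, ";", 2)[0])
		ls = append(ls, pomLicense{Name: name, URL: name})
	}
	return expression(ls)
}

func main() {
	ls, err := resolveLicenses("ch.qos.logback:logback-core:1.5.18", -1)
	if err != nil {
		panic(err)
	}
	expr, _ := expression(ls)
	fmt.Println(expr) // EPL-1.0 OR LGPL-2.1-only
}
```

With `maxDepth` set to 0 the walk stops at logback-core's own POM, which declares no licenses, and returns an error instead of silently falling back to the manifest; that is the failure mode worth surfacing rather than hiding.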