When generating spdx.json, the sbom-tool generate fails to parse the licenses from these packages:
jest-axe, @tweakpane/core
This is the command I ran:
sbom-tool generate \
  -b . \
  -bc . \
  -pn PT \
  -pv 1111 \
  -ps comp-name \
  -Li true \
  -m .
This is what is generated inside the manifest.spdx.json:
{
  "name": "@tweakpane/core",
  "SPDXID": "SPDXRef-Package-233BBB1E38AED862C42010D043346FBD57F2573A75F5DB51A4B734BCDA608FF6",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "NOASSERTION",
  "copyrightText": "NOASSERTION",
  "versionInfo": "2.0.5",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:npm/@tweakpane/core@2.0.5"
    }
  ],
  "supplier": "Organization: cocopon"
},
{
  "name": "jest-axe",
  "SPDXID": "SPDXRef-Package-8E1BEED975030F9EFED50A4E7A0C5E9AA9E33FECCDFAAFDEB19933A257E333C7",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "licenseConcluded": "LicenseRef-scancode-proprietary-license AND MIT",
  "licenseDeclared": "NOASSERTION",
  "copyrightText": "NOASSERTION",
  "versionInfo": "10.0.0",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:npm/jest-axe@10.0.0"
    }
  ],
  "supplier": "Organization: Nick Colley"
},
The licenses should be MIT (you can see them defined in the package.json of the libraries), but they are not in the file :(
Steps to reproduce:
package.json
{
  "name": "sbom-test",
  "version": "1.0.0",
  "author": "",
  "license": "ISC",
  "description": "",
  "dependencies": {
    "@tweakpane/core": "^2.0.5",
    "jest-axe": "^10.0.0"
  }
}
- run npm i
- run the sbom command
- inspect _manifest folder for the spdx.json
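A quick consistency check for the problem described in this report, written as an added example (not part of sbom-tool or the reporter's project): it walks the `packages` of an SPDX 2.x JSON document, resolves each npm purl to a package name, and flags entries whose license fields disagree with the `license` field of that package's own package.json. The SBOM fragment and the `NODE_MODULES_LICENSES` map below are constructed from the values quoted above; in real use the map would be filled by reading `node_modules/<name>/package.json`.

```python
"""Cross-check npm package licenses in an SPDX JSON SBOM against package.json.

Added example, not sbom-tool project code. Sample data is constructed from
the two packages quoted in the report.
"""
import json
from urllib.parse import unquote

# Constructed SBOM fragment: the two packages quoted in the report.
SPDX_DOC = json.dumps({"packages": [
    {"name": "@tweakpane/core", "versionInfo": "2.0.5",
     "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:npm/@tweakpane/core@2.0.5"}]},
    {"name": "jest-axe", "versionInfo": "10.0.0",
     "licenseConcluded": "LicenseRef-scancode-proprietary-license AND MIT",
     "licenseDeclared": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:npm/jest-axe@10.0.0"}]},
]})

# Constructed stand-in for reading node_modules/<name>/package.json:
# package name -> its "license" field (MIT for both, as the report states).
NODE_MODULES_LICENSES = {"@tweakpane/core": "MIT", "jest-axe": "MIT"}


def npm_name_from_purl(purl):
    """Return the npm package name from a purl, or None for non-npm purls.

    Handles scoped names whether the scope's '@' is literal or %40-encoded;
    the version is whatever follows the last '@' after the (optional) scope.
    """
    if not purl.startswith("pkg:npm/"):
        return None
    path = unquote(purl[len("pkg:npm/"):])
    name, _, _ = path.rpartition("@")
    return name or path  # no version: rpartition leaves name empty


def license_mismatches(spdx_json, declared_by_package):
    """List (name, version, sbom_license, package_json_license) disagreements.

    licenseDeclared is compared first; if it is NOASSERTION the tool's
    licenseConcluded is used instead, so both failure modes in the report show up.
    """
    findings = []
    for pkg in json.loads(spdx_json).get("packages", []):
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        name = next((n for n in map(npm_name_from_purl, purls) if n), None)
        expected = declared_by_package.get(name)
        if expected is None:
            continue  # not an npm package we have a package.json for
        sbom_license = pkg.get("licenseDeclared", "NOASSERTION")
        if sbom_license == "NOASSERTION":
            sbom_license = pkg.get("licenseConcluded", "NOASSERTION")
        if sbom_license != expected:
            findings.append((pkg["name"], pkg.get("versionInfo", ""),
                             sbom_license, expected))
    return findings


if __name__ == "__main__":
    for name, ver, got, want in license_mismatches(SPDX_DOC, NODE_MODULES_LICENSES):
        print(f"{name}@{ver}: SBOM says {got!r}, package.json says {want!r}")
```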