Replies: 1 comment
-
|
Hello @ssmirr Created #5835 for this task. Regards, Dmitriy |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Description
when generating SBOM (
trivy fs --format spdx-json --output sbom.spdx.json .) using the fs scanner, Trivy is not reporting license for NPM dependencies that has a scoped name (for example@sinonjs/commonswhich defines license in both package.json as well as a separate LICENSE file). In contrast, Trivy does report license for an NPM dependency if the name is not scoped (for exampleuuid).In the logs, Trivy also shows:
Here is a complete output for an example of scoped vs unscoped NPM dependency:
{ "name": "@sinonjs/commons", "SPDXID": "SPDXRef-Package-26728168fa41267f", "versionInfo": "3.0.0", "supplier": "NOASSERTION", "downloadLocation": "NONE", "filesAnalyzed": false, "licenseConcluded": "NONE", "licenseDeclared": "NONE", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/%40sinonjs/commons@3.0.0" } ], "attributionTexts": [ "PkgID: @sinonjs/commons@3.0.0" ], "primaryPackagePurpose": "LIBRARY" },{ "name": "uuid", "SPDXID": "SPDXRef-Package-9033ad1a4034696", "versionInfo": "9.0.0", "supplier": "NOASSERTION", "downloadLocation": "NONE", "filesAnalyzed": false, "licenseConcluded": "MIT", "licenseDeclared": "MIT", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/uuid@9.0.0" } ], "attributionTexts": [ "PkgID: uuid@9.0.0" ], "primaryPackagePurpose": "LIBRARY" },Please note that NPM dependencies are already downloaded locally (with
npm install, innode_modules/).Desired Behavior
Trivy should be able to detect license information for scoped NPM packages similar to how it detects it for unscoped ones.
Actual Behavior
Trivy is not able to detect license information for scoped NPM packages.
Reproduction Steps
git clone https://github.com/serverless/serverlesscd serverless && npm installtrivy fs --format spdx-json --output sbom.spdx.json .sbom.spdx.jsonfile, search for@serverless/dashboard-pluginand compare it to what you find when searching forajv-formats{ "name": "@serverless/dashboard-plugin", "SPDXID": "SPDXRef-Package-d92563869902266a", "versionInfo": "7.2.0", "supplier": "NOASSERTION", "downloadLocation": "NONE", "filesAnalyzed": false, "licenseConcluded": "NONE", "licenseDeclared": "NONE",{ "name": "ajv-formats", "SPDXID": "SPDXRef-Package-3c934e5916ce5d9f", "versionInfo": "2.1.1", "supplier": "NOASSERTION", "downloadLocation": "NONE", "filesAnalyzed": false, "licenseConcluded": "MIT", "licenseDeclared": "MIT",Target
SBOM
Scanner
None
Output Format
SPDX
Mode
Standalone
Debug Output
Operating System
macOS Sonoma
Version
Checklist
trivy image --resetBeta Was this translation helpful? Give feedback.
All reactions