Comments (4)
Dear team,
I understand that this ask/issue is tagged for enhancement. Until that change is delivered in the product, I still need the license names to be picked up by syft in my processes. Is there any change or manual workaround I can do at my end to overcome this? - such as in which folder should I keep the LICENSE file for these downloaded binaries to make syft pick it up. Will be much helpful!
from syft.
Hi @mithunms333, unfortunately we don't have a ready workaround for you in this case. We are discussing some improvements to the binary catalogers and how to handle some special cases like the JDK and JRE. We do have another issue discussing a possible framework for "hints" that would give you some tools to customize the output of the SBOM on a per cataloger basis: #31
I will go ahead and keep this issue open for you until we have a resolution, and if you need anything else please feel free to open another issue.
from syft.
Developer note: after a discussion about implementing this feature, we think the following approach may work reasonably well and help to scale the binary classifiers without the need to add individual catalogers for each case:
- Add a configuration to the binary classifiers which allows post-processing after a package has been identified
- Specifically for licenses, a function to locate and identify license may be added that allows a relative path (and/or possibly absolute path) to be specified to find license information present on the system.
An example of how this might look is (naming and exact details TBD, of course):

```go
{
	Class:           "java-binary-oracle",
	FileGlob:        "**/java",
	EvidenceMatcher: FileContentsVersionMatcher(
		`(?m)\x00(?P<version>[0-9]+[.0-9]+[+][-0-9]+)\x00`),
	Package:         "java/jre",
	PURL:            mustPURL("pkg:generic/java/jre@version"),
	CPEs:            singleCPE("cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*"),
	// proposed post-processing hook: license candidates are paths relative to the matched binary
	Append:          licenseFromFiles("../legal/java.base/LICENSE", "./LICENSE"),
},
```
So, in the event that a matching package is discovered by this cataloger, a secondary set of functions may run to append additional information to the package, in this example appending any license information found based on the paths relative to where the binary was located.
from syft.
Hi @kzantow
Sharing the path locations for openjdk:
In openjdk downloaded tar from github, the LICENSE file will present at:
.../openjdk/legal/java.base/LICENSE
java binary executable will be found at:
.../openjdk/bin/java
there would be few other supporting jars, probably applicable to same LICENSE at:
.../openjdk/lib/*.jar
from syft.
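The developer note above sketches an `Append` hook that reads license files at paths relative to the matched binary, and the comment just above gives the concrete openjdk layout (`bin/java` next to `legal/java.base/LICENSE`). The program below is an added, stand-alone illustration of how such a hook could behave; it is not syft's code, and the `License` type, `resolveLicenseCandidates`, `licenseFromFiles` and `sampleOpenJDK` names are assumptions for this example. It resolves each candidate against the directory holding the binary, reads whatever exists from an in-memory tree built to mirror the openjdk tarball, and, because candidates come from classifier configuration, refuses any path that would resolve above the scan root (an absolute candidate is taken relative to the scan root, never the host filesystem).

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// License is the minimal metadata the post-processing hook appends to a
// package after a binary classifier has matched it. This is an assumed shape
// for the example; it is not syft's own pkg.License type.
type License struct {
	Path     string // file the text came from, relative to the scan root
	Contents string // raw license text
}

// resolveLicenseCandidates turns classifier-supplied candidates such as
// "../legal/java.base/LICENSE" into paths relative to the scan root, anchored
// at the directory holding the matched binary. An absolute candidate is taken
// relative to the scan root, never the host filesystem, and any candidate that
// would still resolve above the root is dropped, so a classifier config can
// only ever read files that belong to the source being scanned.
func resolveLicenseCandidates(binaryPath string, candidates []string) []string {
	binDir := path.Dir(path.Clean(binaryPath))
	var out []string
	for _, c := range candidates {
		var resolved string
		if path.IsAbs(c) {
			resolved = strings.TrimPrefix(path.Clean(c), "/")
		} else {
			resolved = path.Join(binDir, c) // Join also cleans "." and ".." segments
		}
		if resolved == "" || resolved == ".." || strings.HasPrefix(resolved, "../") {
			continue // escapes (or is) the scan root; ignore it
		}
		out = append(out, resolved)
	}
	return out
}

// licenseFromFiles plays the role of the "Append" hook in the developer note:
// given the matched binary's path and candidate locations relative to it, read
// every candidate that exists in fsys and return the licenses found. A missing
// candidate is not an error; any other read failure is.
func licenseFromFiles(fsys fs.FS, binaryPath string, candidates ...string) ([]License, error) {
	var found []License
	for _, p := range resolveLicenseCandidates(binaryPath, candidates) {
		data, err := fs.ReadFile(fsys, p)
		if errors.Is(err, fs.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, fmt.Errorf("reading license candidate %q: %w", p, err)
		}
		found = append(found, License{Path: p, Contents: string(data)})
	}
	return found, nil
}

// sampleOpenJDK builds a constructed in-memory tree mirroring the openjdk
// tarball layout described in the thread. The file contents are placeholders.
func sampleOpenJDK() fstest.MapFS {
	return fstest.MapFS{
		"openjdk/bin/java":                {Data: []byte("\x7fELF placeholder")},
		"openjdk/legal/java.base/LICENSE": {Data: []byte("constructed sample license text")},
		"openjdk/lib/jrt-fs.jar":          {Data: []byte("PK placeholder")},
	}
}

func main() {
	// The two candidates from the developer note, plus one that points above
	// the scan root and is therefore ignored.
	lics, err := licenseFromFiles(sampleOpenJDK(), "openjdk/bin/java",
		"../legal/java.base/LICENSE", "./LICENSE", "../../../outside/LICENSE")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, l := range lics {
		fmt.Printf("appended license from %s (%d bytes)\n", l.Path, len(l.Contents))
	}
}
```

Running it appends exactly one license, the one at `openjdk/legal/java.base/LICENSE`; `./LICENSE` is silently skipped because no such file sits beside the binary, and the third candidate is dropped before any read because it would leave the scan root. The root check is the part worth keeping in any real implementation: the candidate list is configuration, and a cataloger that follows `..` without bounds would read arbitrary files from the host or image being scanned.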