Thanks to visit codestin.com
Credit goes to github.com

Skip to content

python cataloger: adding a support additionally to classify licenses by License-File field in metadata file #2923

New issue
New issue
Open
Open
python cataloger: adding a support additionally to classify licenses by License-File field in metadata file#2923
Labels
enhancementNew feature or requestlicenserelating to software licensing
@Annamikhlin

Description

@Annamikhlin
Annamikhlin
opened on Jun 3, 2024

What would you like to be added:
Today the metadata cataloger will look for licenses by searching for declarations within packaging manifests locally in the following files in License field only.:

syft/syft/pkg/cataloger/python/cataloger.go

Lines 39 to 42 in fe0b78b

"**/*dist-info/METADATA",
"**/*egg-info/PKG-INFO",
"**/*DIST-INFO/METADATA",
"**/*EGG-INFO/PKG-INFO",

The python cataloger does have the ability to look in additional sibling files that the metadata file might reference too.
Adding a support additionally to classify licenses by License-File field as well.

Why is this needed:
in our case, in the SBOM scan report (cyclonedx-json format) the license shown as "UNKNOWN"

{
      "bom-ref": "pkg:pypi/[email protected]?package-id=c14a69f4da463c44",
      "type": "library",
      "author": "ScyllaDB",
      "name": "scylla-api-client",
      "version": "1.0",
      "licenses": [
        {
          "license": {
            "name": "UNKNOWN"
          }
        }
      ],

according to cat ./venv/lib/python3.11/site-packages/scylla_api_client-1.0.dist-info/METADATA | grep License

The license declaration shown under License-File filed

License: UNKNOWN
License-File: LICENSE.AGPL

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestlicenserelating to software licensing

    Type

    No type

    Projects

    OSS

    Status

    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions