
SPDX license expressions incorrectly represented in CycloneDX SBOMs

Open kholmanskikh opened this issue 8 months ago • 0 comments

Hello.

Docker scout version is 1.16.1.

If a license of a component of the image is encoded as an SPDX license expression, in the generated CycloneDX SBOM for the image this expression is put into the licenses[0]["license"]["id"] tag (i.e. as an existing SPDX identifier) instead of putting it into the expression tag.

For example, consider this sbom:

docker scout sbom --format cyclonedx -o lrc_scout_cdx.json --platform linux/amd64 bellsoft/liberica-runtime-container:jdk-21-glibc

The image contains components licensed as GPL-2.0 WITH Classpath-Exception-2.0. In the generated json we will see:

      "licenses": [
        {
          "license": {
            "id": "GPL-2.0 WITH Classpath-Exception-2.0"
          }
        }
      ],

whereas in accordance with the CycloneDX doc (https://cyclonedx.org/use-cases/open-source-licensing/) it should be something like:

      "licenses": [
        {
          "license": {
            "expression": "GPL-2.0 WITH Classpath-Exception-2.0"
          }
        }
      ],

kholmanskikh avatar Mar 17 '25 13:03 kholmanskikh
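An added example (not part of the issue or of Docker Scout) showing how a consumer of such an SBOM can detect `license.id` values that are really SPDX expressions and normalize them before policy evaluation or schema validation. It assumes CycloneDX JSON, where each `licenses` item carries either a `license` object (`id` or `name`) or a top-level `expression` string; the document below is a constructed sample, not the SBOM from the issue.

```python
import json
import re

# Constructed sample: a minimal CycloneDX-style document with one component
# whose SPDX expression landed in license.id, one plain SPDX id, and one
# named (non-SPDX) license.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "openjdk", "version": "21", "licenses": [
      {"license": {"id": "GPL-2.0 WITH Classpath-Exception-2.0"}}]},
    {"name": "zlib", "version": "1.3", "licenses": [
      {"license": {"id": "Zlib"}}]},
    {"name": "vendor-lib", "version": "1.0", "licenses": [
      {"license": {"name": "Proprietary"}}]}
  ]
}
""")

# SPDX expression operators and grouping; a bare license id never contains
# these, so their presence means the value is an expression, not an id.
# Operators are matched case-insensitively to tolerate sloppy producers.
_EXPR_RE = re.compile(r"\s(?:AND|OR|WITH)\s|[()]", re.IGNORECASE)


def is_spdx_expression(value: str) -> bool:
    """True if the string uses SPDX expression syntax rather than a single id."""
    return bool(_EXPR_RE.search(value))


def find_misplaced_expressions(bom: dict) -> list[tuple[str, str]]:
    """Return (component name, value) pairs where license.id holds an expression."""
    found = []
    for comp in bom.get("components", []):
        for item in comp.get("licenses", []):
            lic_id = item.get("license", {}).get("id")
            if lic_id and is_spdx_expression(lic_id):
                found.append((comp.get("name", "?"), lic_id))
    return found


def normalize_licenses(bom: dict) -> dict:
    """Return a deep copy where misplaced expressions become {"expression": ...} items."""
    fixed = json.loads(json.dumps(bom))  # do not mutate the caller's document
    for comp in fixed.get("components", []):
        for i, item in enumerate(comp.get("licenses", [])):
            lic_id = item.get("license", {}).get("id")
            if lic_id and is_spdx_expression(lic_id):
                comp["licenses"][i] = {"expression": lic_id}
    return fixed
```

Run `find_misplaced_expressions` as a lint step on SBOMs you ingest; an `id` that fails this check will also fail validation against the CycloneDX schema's SPDX id enumeration.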