Multiple licenses are not shown
Current Behavior
With a license list in the input SBOM like this:
```json
"licenses": [
  { "license": { "id": "Apache-1.0" } },
  { "license": { "id": "BSD-2-Clause" } },
  { "license": { "id": "BSD-3-Clause" } },
  { "license": { "name": "Expat" } },
  { "license": { "id": "GPL-2.0-only" } },
  { "license": { "id": "GPL-2.0-or-later" } },
  { "license": { "id": "GPL-2.0-or-later" } },
  { "license": { "id": "ISC" } },
  { "license": { "id": "MIT" } },
  { "license": { "id": "OpenSSL" } },
  { "license": { "name": "RSA-MD5" } },
  { "license": { "name": "public-domain" } }
],
```
Dependency-track only shows the "openssl" license in the UI. When exporting, only the "openssl" license remains.
Steps to Reproduce
1. Full component:
```json
{
  "bom-ref": "pkg:deb/debian/kamailio@5.3.9+bpo10?arch=amd64&distro=debian-10&package-id=5f2965b05f718253",
  "type": "library",
  "publisher": "Debian VoIP Team <[email protected]>",
  "name": "kamailio",
  "version": "5.3.9+bpo10",
  "licenses": [
    { "license": { "id": "Apache-1.0" } },
    { "license": { "id": "BSD-2-Clause" } },
    { "license": { "id": "BSD-3-Clause" } },
    { "license": { "name": "Expat" } },
    { "license": { "id": "GPL-2.0-only" } },
    { "license": { "id": "GPL-2.0-or-later" } },
    { "license": { "id": "GPL-2.0-or-later" } },
    { "license": { "id": "ISC" } },
    { "license": { "id": "MIT" } },
    { "license": { "id": "OpenSSL" } },
    { "license": { "name": "RSA-MD5" } },
    { "license": { "name": "public-domain" } }
  ],
  "cpe": "cpe:2.3:a:kamailio:kamailio:5.3.9\\+bpo10:*:*:*:*:*:*:*",
  "purl": "pkg:deb/debian/kamailio@5.3.9+bpo10?arch=amd64&distro=debian-10",
  "properties": [
    { "name": "syft:package:foundBy", "value": "dpkgdb-cataloger" },
    { "name": "syft:package:metadataType", "value": "DpkgMetadata" },
    { "name": "syft:package:type", "value": "deb" },
    { "name": "syft:location:0:path", "value": "/usr/share/doc/kamailio/copyright" },
    { "name": "syft:location:1:path", "value": "/var/lib/dpkg/info/kamailio.conffiles" },
    { "name": "syft:location:2:path", "value": "/var/lib/dpkg/info/kamailio.md5sums" },
    { "name": "syft:location:3:path", "value": "/var/lib/dpkg/status" },
    { "name": "syft:metadata:installedSize", "value": "29095" }
  ]
},
```
Expected Behavior
List all licenses, keep all licenses in DB
Dependency-Track Version
4.8.x
Dependency-Track Distribution
Executable WAR
Database Server
PostgreSQL
Database Server Version
No response
Browser
Apple Safari
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
Additional request: When we support multi-licensed components, the Policy Violations should also be made to support it. E.g. if a component is dual-licensed and one of the licenses is on the whitelist, no policy violation should be triggered.
As a first step, it would help if DT at least avoided losing the additional licenses, i.e. so that an SBOM imported into DT preserves the license information when exported as an SBOM.
Ideally, license resolution should also work on the list, so that each license in the list is treated as one item to resolve, as is currently done for the single license that survives.
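The following is an added example, not code from Dependency-Track or from anyone in this thread. It shows how to check an SBOM round-trip for exactly the loss described above: it reads the `licenses` array of each CycloneDX component, treats every entry (SPDX `id`, free-text `name`, or `expression`) as one item to resolve, and reports which entries of the original SBOM are missing from the exported one. The two SBOM documents are constructed inline from the license list in the report; the exported document is constructed to contain only "OpenSSL", as the report describes. The key prefixes (`spdx:`, `name:`, `expr:`) are an assumption of this example, not a Dependency-Track convention.

```python
"""Detect component licenses dropped by an SBOM import/export round-trip.

Added example, not Dependency-Track code. Input documents are constructed
from the license list in the bug report above.
"""
from typing import Dict, Set

# Constructed: the component from the report, trimmed to the fields needed here.
INPUT_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "kamailio",
            "version": "5.3.9+bpo10",
            "licenses": [
                {"license": {"id": "Apache-1.0"}},
                {"license": {"id": "BSD-2-Clause"}},
                {"license": {"id": "BSD-3-Clause"}},
                {"license": {"name": "Expat"}},
                {"license": {"id": "GPL-2.0-only"}},
                {"license": {"id": "GPL-2.0-or-later"}},
                {"license": {"id": "GPL-2.0-or-later"}},  # duplicate, as in the report
                {"license": {"id": "ISC"}},
                {"license": {"id": "MIT"}},
                {"license": {"id": "OpenSSL"}},
                {"license": {"name": "RSA-MD5"}},
                {"license": {"name": "public-domain"}},
            ],
        }
    ],
}

# Constructed: what the report says comes back out, only "OpenSSL" survives.
EXPORTED_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "kamailio",
            "version": "5.3.9+bpo10",
            "licenses": [{"license": {"id": "OpenSSL"}}],
        }
    ],
}


def license_key(entry: dict) -> str:
    """Turn one entry of a CycloneDX 'licenses' array into a comparable key.

    An entry is either {"license": {"id": <SPDX id>}} or
    {"license": {"name": <free text>}} (exactly one of the two), or
    {"expression": <SPDX expression>}. Each entry is one item to resolve;
    the prefix (an assumption of this example) records which form it used.
    """
    if "expression" in entry:
        return "expr:" + entry["expression"]
    lic = entry["license"]
    if "id" in lic:
        return "spdx:" + lic["id"]
    return "name:" + lic["name"]


def component_licenses(sbom: dict) -> Dict[str, Set[str]]:
    """Map each component (name@version) to the set of its license keys."""
    result: Dict[str, Set[str]] = {}
    for comp in sbom.get("components", []):
        ref = f"{comp['name']}@{comp.get('version', '')}"
        result[ref] = {license_key(e) for e in comp.get("licenses", [])}
    return result


def dropped_licenses(original: dict, exported: dict) -> Dict[str, Set[str]]:
    """Per component, the license keys present in the original SBOM but
    absent from the exported one. An empty dict means nothing was lost."""
    before = component_licenses(original)
    after = component_licenses(exported)
    diff: Dict[str, Set[str]] = {}
    for ref, keys in before.items():
        lost = keys - after.get(ref, set())
        if lost:
            diff[ref] = lost
    return diff


if __name__ == "__main__":
    for ref, lost in sorted(dropped_licenses(INPUT_SBOM, EXPORTED_SBOM).items()):
        print(f"{ref}: dropped {len(lost)} license(s): {', '.join(sorted(lost))}")
```

Running it against the constructed documents reports 10 dropped entries for `kamailio@5.3.9+bpo10` (the duplicate `GPL-2.0-or-later` collapses to one key, and `OpenSSL` is the one that survived). To check a real deployment, load the SBOM you uploaded and the one you exported with `json.load` and pass them to `dropped_licenses`; a non-empty result is the defect from this issue.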