syft
Include package licenses
What would you like to be added:
Output to include license for each package.
Why is this needed:
Anchore inline scan includes the license for each package. Having this would allow for replacing all package info from the inline scan. Once in the output it can be used to determine if the license is allowed or not.
Additional context:
@jeff-cook today if you use the json output format (-o option) there are some catalogers that support populating the licenses field or a similar metadata.licenses field. We are continuing to enhance support for each cataloger, adding more fields as we go (including licenses), but depending on the ecosystem and the existence of the data in the image you should see at least some license fields be populated.
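The comment above says license data may sit in either a top-level `licenses` field or in `metadata.licenses`, and the issue's motivation is to decide whether each package's license is allowed. The script below is an added example (not syft's own code and not from anyone in this thread) that reads a syft JSON document, looks in both places, and sorts packages into allowed, disallowed, and unknown (no license data found). The `artifacts` wrapper key, the package field names, and the sample document itself are assumptions constructed for the example; the package types come from the list jeff-cook posted.

```python
from __future__ import annotations
import json

# Constructed sample in the layout this example assumes: a list of packages under
# "artifacts", some with a top-level "licenses" list, some with "metadata.licenses",
# and one with no license data at all. Names and versions are made up.
SAMPLE_SYFT_JSON = """
{
  "artifacts": [
    {"name": "libfoo", "version": "2.31", "type": "deb", "licenses": ["LGPL-2.1"]},
    {"name": "httpclient", "version": "2.25.1", "type": "wheel",
     "metadata": {"licenses": ["Apache-2.0"]}},
    {"name": "example-lib", "version": "1.0.4", "type": "java-archive"},
    {"name": "copyleft-tool", "version": "1.0", "type": "egg", "licenses": ["GPL-3.0"]}
  ]
}
"""

# Example allow list; a real policy would be maintained outside the script.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "LGPL-2.1"}


def _as_text(entry) -> str:
    """Accept either a bare license string or an object with a 'value' key (assumed shape)."""
    if isinstance(entry, dict):
        return str(entry.get("value", ""))
    return str(entry)


def package_licenses(pkg: dict) -> list[str]:
    """Collect license strings from both locations the comment mentions."""
    found = [_as_text(e) for e in (pkg.get("licenses") or [])]
    metadata = pkg.get("metadata") or {}
    found += [_as_text(e) for e in (metadata.get("licenses") or [])]
    return [f for f in found if f]


def classify(doc: dict, allowed: set[str]) -> dict[str, list[str]]:
    """Group packages as 'allowed', 'disallowed', or 'unknown' (no license data)."""
    result: dict[str, list[str]] = {"allowed": [], "disallowed": [], "unknown": []}
    for pkg in doc.get("artifacts", []):
        label = f"{pkg['name']}@{pkg['version']} ({pkg['type']})"
        lic = package_licenses(pkg)
        if not lic:
            # Missing data is reported separately so it is not mistaken for "allowed".
            result["unknown"].append(label)
        elif all(l in allowed for l in lic):
            result["allowed"].append(label)
        else:
            result["disallowed"].append(label)
    return result


def check_sbom(text: str, allowed: set[str] = ALLOWED_LICENSES) -> dict[str, list[str]]:
    """Parse a syft JSON document (as text) and classify its packages."""
    return classify(json.loads(text), allowed)


if __name__ == "__main__":
    # Usage with a real file: python check_licenses.py < sbom.json
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYFT_JSON
    for bucket, pkgs in check_sbom(source).items():
        print(f"{bucket}: {len(pkgs)}")
        for p in pkgs:
            print(f"  {p}")
```

Packages with no license data land in the "unknown" bucket rather than passing silently, which matches the gap jeff-cook reports below for java-archive entries: an allow-list check is only as good as the coverage of the cataloger that fed it.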
The project I'm working with right now has the following types as found by syft.
"deb"
"egg"
"java-archive"
"python-requirements"
"wheel"
There are no licenses keys in the json output file.
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
anchore/syft info checking GitHub for latest tag
anchore/syft info found version: 0.3.0 for v0.3.0/linux/amd64
anchore/syft info installed /usr/local/bin/syft
When a scan is run by anchore in-line scanner it finds the license for all packages except for java-archives.
@wagoodman First of all, thanks for providing this awesome tool! Any chance the Java library license information will be added in the near future?
Which catalogers now collect licenses? Just JavaScript or Java too?