
Allow correction / overwrite of license information

Open markussiebert opened this issue 1 year ago • 3 comments

What would you like to be added:

It would be beneficial to have a feature in Syft that allows users to override and correct license information for packages. Looking at the configuration options, I couldn't find any option related to correcting license information.

Why is this needed:

In cases where no license, or incorrect license information, is found. I have observed this issue particularly with npm packages. Generally, this is due to package publishers not maintaining correct license information in their package.json files. However, a glance at the repository or the node_modules folder often reveals the correct license under which the package is published.

Of course it would be good to solve this at the source - in the repositories of the package maintainers, but it would only affect future package versions and might be outside the sphere of influence.

I found other inconsistencies where license information was wrong or misleading. So I think a solution to overwrite might be a valid solution?

What do you think?

Additional context:

I could imagine something like:

licenseOverwrite:
- purl: pkg:npm/%40ogma/[email protected]     # Maybe allow things like 1.x >1.0.0<1.5.0
  data:
    value: "MIT"
    spdxExpression: "MIT"
    type: "declared"                                           # Maybe "concluded"
    urls:
      - https://www.npmjs.com/package/@ogma/common?activeTab=code

markussiebert avatar Jan 15 '25 12:01 markussiebert
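To make the proposed licenseOverwrite shape concrete, here is an added post-processing script that applies such an override list to a Syft JSON SBOM after the scan. It is not part of Syft and Syft has no such option; the SBOM and override entries are constructed samples in a simplified syft-json layout (artifacts with purl and licenses), the purls are placeholders, and the version-matching rule (a purl without a version matches every version of that package) is an assumption chosen for this example. Overrides are recorded as type "concluded" and the replaced values are kept in an audit list so the manual correction stays reviewable.

```python
"""Apply user-supplied license overrides to a Syft JSON SBOM.

Illustrative post-processing script, not a Syft feature. Input is a simplified
syft-json shape: {"artifacts": [{"purl": ..., "licenses": [...]}]}.
"""
import copy
import json

# Constructed sample SBOM (placeholder package names, not real data): one package
# with a wrong declared license, one with none, one that needs no change.
SAMPLE_SBOM = {
    "artifacts": [
        {"name": "example-a", "version": "1.2.3",
         "purl": "pkg:npm/example-a@1.2.3",
         "licenses": [{"value": "UNKNOWN", "spdxExpression": "",
                       "type": "declared", "urls": []}]},
        {"name": "example-b", "version": "0.4.0",
         "purl": "pkg:npm/%40scope/example-b@0.4.0",
         "licenses": []},
        {"name": "example-c", "version": "2.0.0",
         "purl": "pkg:npm/example-c@2.0.0",
         "licenses": [{"value": "Apache-2.0", "spdxExpression": "Apache-2.0",
                       "type": "declared", "urls": []}]},
    ]
}

# Constructed override list in the shape proposed in the issue (licenseOverwrite).
# Assumption: an override purl without a version matches every version.
OVERRIDES = [
    {"purl": "pkg:npm/example-a@1.2.3",
     "data": {"value": "MIT", "spdxExpression": "MIT", "type": "concluded",
              "urls": ["https://example.invalid/example-a/LICENSE"]}},
    {"purl": "pkg:npm/%40scope/example-b",
     "data": {"value": "BSD-3-Clause", "spdxExpression": "BSD-3-Clause",
              "type": "concluded", "urls": []}},
]


def _split_purl(purl):
    """Return (purl without version/qualifiers/subpath, version or None).

    Scoped npm names are percent-encoded (%40) in purls, so the only literal
    "@" is the version separator.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name_part, sep, version = base.rpartition("@")
    if not sep:
        return base, None
    return name_part, version


def _matches(override_purl, artifact_purl):
    o_name, o_ver = _split_purl(override_purl)
    a_name, a_ver = _split_purl(artifact_purl)
    if o_name != a_name:
        return False
    return o_ver is None or o_ver == a_ver


def apply_license_overrides(sbom, overrides):
    """Return (new_sbom, audit). The input SBOM is not mutated.

    The first matching override replaces the artifact's license list; what was
    replaced is recorded in the audit list for review.
    """
    result = copy.deepcopy(sbom)
    audit = []
    for artifact in result.get("artifacts", []):
        purl = artifact.get("purl", "")
        for ov in overrides:
            if _matches(ov["purl"], purl):
                before = artifact.get("licenses", [])
                artifact["licenses"] = [dict(ov["data"])]
                audit.append({
                    "purl": purl,
                    "before": [lic.get("spdxExpression") or lic.get("value")
                               for lic in before],
                    "after": ov["data"]["spdxExpression"],
                })
                break  # first matching override wins
    return result, audit


def license_expression(sbom, purl):
    """SPDX expression recorded for an exact purl, or None if absent."""
    for artifact in sbom.get("artifacts", []):
        if artifact.get("purl") == purl:
            lics = artifact.get("licenses", [])
            return lics[0]["spdxExpression"] if lics else None
    return None


if __name__ == "__main__":
    updated, log = apply_license_overrides(SAMPLE_SBOM, OVERRIDES)
    print(json.dumps(log, indent=2))
```

Running the script prints the audit entries (which purls were changed, from what, to what); in practice the audit list is what a reviewer would diff against the override file before the corrected SBOM is published.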

This doesn't help for this particular package, but syft will reach out to npm and populate license data with the following setting: SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSE=true

This issue asks for cases where even the npm data is incorrect and we want to override. This would also be useful if someone wishes to record the license of some proprietary library that is not available online or whose license data is not available to syft by other means.

spiffcs avatar Jan 15 '25 15:01 spiffcs

Yes, I was aware of the flag SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSE, but there is still information missing and I need to overwrite licenses.

markussiebert avatar Jan 15 '25 15:01 markussiebert

This feature is much needed, if only to correct information that syft is not providing, e.g. #4099 #4100 #4101

jakub-bochenski avatar Jul 30 '25 16:07 jakub-bochenski