
False positive: Unexpected license detected in package(libzstd1)

Open JwishPark opened this issue 2 years ago • 1 comment

Checklist

  • [v] I've read the documentation regarding wrong detection.
  • [v] I've confirmed that a security advisory in data sources was correct.
    • Run Trivy with -f json that shows data sources and make sure that the security advisory is correct.

Description

Hello, I scanned the licenses in my image (ubuntu:22.04) with Trivy, and I found several licenses in the libzstd1 package, such as BSD-3-Clause, GPL-2.0, Zlib and Expat. However, the licenses posted on GitHub for the libzstd1 package are as follows (https://github.com/facebook/zstd/blob/dev/LICENSE). So I want to know why Trivy detected more licenses.

Output of run with -debug:

$ sudo trivy -d image --scanners license ubuntu:22.04

image

Output of trivy -v:

Version: 0.37.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-27 00:12:18.671601555 +0000 UTC
  NextUpdate: 2023-01-27 06:12:18.671601255 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Additional details (base image name, container registry info...):

image name: ubuntu:22.04

JwishPark avatar Feb 07 '23 10:02 JwishPark

Hello @JwishPark Thanks for your report!

Trivy gets licenses from dpkg copyright files. In your case:

➜  ~ docker run -it --rm ubuntu:22.04
root@9937f970e058:/# cat /usr/share/doc/libzstd1/copyright | grep License:
License: BSD-3-clause and GPL-2
License: zlib
License: zlib
License: zlib
License: Expat
License: BSD-3-clause and GPL-2
License: Expat
License: Expat
License: GPL-2
License: BSD-3-clause

Regards, Dmitriy

DmitriyLewen avatar Feb 10 '23 06:02 DmitriyLewen
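The dpkg copyright file grepped above is a DEP-5 machine-readable file: each Files stanza carries a License: expression for the files it covers, and separate License stanzas only hold license text, which is why a bare grep repeats names. As an added example (not Trivy's code), this Go snippet parses a constructed excerpt modelled on the libzstd1 file and returns the distinct licenses actually applied to files, showing how one package legitimately yields BSD-3-clause, GPL-2, zlib and Expat.

```go
package main

import (
	"sort"
	"strings"
)

// Constructed DEP-5 copyright excerpt modelled on the libzstd1 file quoted
// above; shortened, not the real file shipped in the package.
const sampleCopyright = `Files: *
License: BSD-3-clause and GPL-2

Files: zlibWrapper/*
License: zlib

Files: contrib/pzstd/*
License: Expat

License: BSD-3-clause
 Redistribution and use in source and binary forms ... (license text only)
`

// AppliedLicenses returns the sorted set of licenses that some Files stanza
// applies, splitting "X and Y" / "X or Y" expressions into short names and
// skipping standalone License stanzas (license text only), which grep also prints.
func AppliedLicenses(copyright string) []string {
	var out []string
	seen := map[string]bool{}
	for _, stanza := range strings.Split(copyright, "\n\n") {
		var files, license string
		for _, line := range strings.Split(stanza, "\n") {
			if strings.HasPrefix(line, "Files:") {
				files = strings.TrimSpace(line[len("Files:"):])
			} else if strings.HasPrefix(line, "License:") {
				license = strings.TrimSpace(line[len("License:"):])
			}
		}
		if files == "" || license == "" {
			continue // header paragraph or standalone license text
		}
		for _, name := range strings.Fields(license) {
			if name != "and" && name != "or" && !seen[name] {
				seen[name] = true
				out = append(out, name)
			}
		}
	}
	sort.Strings(out)
	return out
}
```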

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Apr 12 '23 00:04 github-actions[bot]