
SBOM - 2024.1.4: scylla-tools package is missing license

Open mykaul opened this issue 9 months ago • 2 comments

From https://downloads.scylladb.com/downloads/scylla-enterprise/sbom/scylladb-2024.1/scylladb_sbom_report_2024.1.4.csv :

type	name	version	licenses
library	scylla-tools	2024.1.4-0.20240428.67dd10537f78

mykaul avatar May 08 '24 07:05 mykaul

image

Is it OK that in scylla-enterprise we have scylla-tools and scylla-jmx, and they are not scylla-enterprise-tools/jmx for the Java pkg?

Annamikhlin avatar Jun 27 '24 09:06 Annamikhlin

It's a bit strange that we have them both - also notice the same build ID / pkg. Probably a duplicate.

mykaul avatar Jun 27 '24 14:06 mykaul

I think the real problem on this issue is not the missing license, but that scylla-enterprise-tools and scylla-enterprise-jmx are detected twice. And I guess the reason it is duplicated is that the syft tool detects software metadata both from the package manager (dpkg) and from the Java metadata stored in the .jar (under META-INF/MANIFEST.MF and META-INF/maven/). I checked the metadata in the .jar files of scylla-tools and scylla-jmx, and found that both are not using the "scylla-enterprise-" prefix, but the "scylla-" prefix. I guess this is why it is duplicated.

syuu1228 avatar Sep 24 '24 15:09 syuu1228

And the product name in the Java metadata is probably defined in build.xml (Apache Ant) or pom.xml (Maven). I guess the license is also specified in some way, but I do not know how.

syuu1228 avatar Sep 24 '24 15:09 syuu1228
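As an added illustration of the double detection syuu1228 describes (example code written for this thread, not syft's code and not part of scylla-tools-java): it builds small in-memory jars, reads META-INF/MANIFEST.MF and META-INF/maven/**/pom.properties, and merges the result with a constructed dpkg record. The dpkg record, the Maven coordinates, the name/version precedence and the merge rule are assumptions chosen to mirror the CSV rows above, not syft's real candidate lists.

```python
"""Added example, not code from the scylla-tools-java project or from syft.

Builds in-memory JARs, reads their metadata (MANIFEST.MF and pom.properties)
and merges each with a constructed dpkg record, to show why a jar named
"scylla-tools" lands beside the "scylla-enterprise-tools" package instead of
folding into it, and why Bundle-License is what gives the jar row a license.
"""
import io
import zipfile

VERSION = "2024.1.4-0.20240428.67dd10537f78"

# Constructed: what a dpkg cataloger would record for the Debian package (assumption).
DPKG = [{"name": "scylla-enterprise-tools", "version": VERSION,
         "source": "dpkg", "license": "Apache-2.0"}]


def build_jar(manifest_attrs, artifact_id=None):
    """Return bytes of a minimal JAR: a manifest and, optionally, a Maven pom.properties.
    (Real jar tools wrap manifest lines at 72 bytes; parse_manifest handles that too.)"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0"] + [f"{k}: {v}" for k, v in manifest_attrs.items()]
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        if artifact_id:  # hypothetical groupId, chosen for illustration
            props = f"groupId=com.scylladb\nartifactId={artifact_id}\nversion={VERSION}\n"
            zf.writestr(f"META-INF/maven/com.scylladb/{artifact_id}/pom.properties", props)
    return buf.getvalue()


def parse_manifest(text):
    """Parse a JAR manifest into a dict, joining continuation lines (leading space)."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last = key.strip()
        attrs[last] = value.strip()
    return attrs


def jar_component(jar_bytes):
    """Derive one SBOM component from a jar: pom.properties for name/version when
    present, else Bundle-*/Implementation-* manifest attributes; the license comes
    only from Bundle-License. The precedence order is an assumption of this example."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        pom = {}
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in zf.read(name).decode().splitlines():
                    if "=" in line and not line.startswith("#"):
                        k, v = line.split("=", 1)
                        pom[k.strip()] = v.strip()
    return {
        "name": pom.get("artifactId") or manifest.get("Bundle-Name")
                or manifest.get("Implementation-Title"),
        "version": pom.get("version") or manifest.get("Bundle-Version")
                   or manifest.get("Implementation-Version"),
        "source": "java-archive",
        "license": manifest.get("Bundle-License"),
    }


def merge(*groups):
    """Merge components on (name, version): a matching key folds into one row and
    keeps whichever license either side supplied. Simplified rule (assumption)."""
    rows = {}
    for group in groups:
        for comp in group:
            key = (comp["name"], comp["version"])
            if key in rows:
                rows[key]["source"] += "+" + comp["source"]
                rows[key]["license"] = rows[key]["license"] or comp["license"]
            else:
                rows[key] = dict(comp)
    return list(rows.values())


def sbom_rows(jar_bytes):
    """The dpkg record plus the jar's component, merged as an SBOM tool would list them."""
    return merge(DPKG, [jar_component(jar_bytes)])


# Jar as built before the fix: Implementation-* only, no license, artifactId "scylla-tools".
JAR_BEFORE = build_jar({"Implementation-Title": "Scylla-Tools",
                        "Implementation-Version": VERSION,
                        "Implementation-Vendor": "ScyllaDB"}, artifact_id="scylla-tools")

# Same jar with Bundle-* attributes: the jar row gains a license but stays a second row,
# because its name still does not match the dpkg package name.
JAR_LICENSED = build_jar({"Bundle-License": "Apache-2.0", "Bundle-Name": "Scylla-Tools",
                          "Bundle-Version": VERSION,
                          "Implementation-Title": "Scylla-Tools",
                          "Implementation-Version": VERSION}, artifact_id="scylla-tools")

# Jar whose Maven artifactId matches the dpkg package: one row, one license.
JAR_ALIGNED = build_jar({"Bundle-License": "Apache-2.0"}, artifact_id="scylla-enterprise-tools")

if __name__ == "__main__":
    for label, jar in [("before", JAR_BEFORE), ("licensed", JAR_LICENSED), ("aligned", JAR_ALIGNED)]:
        print(label)
        for row in sbom_rows(jar):
            print("  ", row)
```

Running it prints two rows for the first two jars (the jar row has no license until Bundle-License is present) and a single merged row for the third; checking that the jar's own name and version agree with the distro package is the quick way to tell whether an SBOM entry is a duplicate or a genuinely separate component.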

@syuu1228 Thanks for the information.

scylla-tools and jmx are already removed in the latest versions, but we still have them in 2024.1 and 2023.1. @tchaikov, maybe you can help. Do you know where and how we can update the missing license in scylla-tools?

Annamikhlin avatar Sep 30 '24 08:09 Annamikhlin

@Annamikhlin, perhaps you could give the following patch a try?

diff --git a/build.xml b/build.xml
index fd5c5cb885..e448afa649 100644
--- a/build.xml
+++ b/build.xml
@@ -924,6 +924,12 @@
           <exclude name="org/apache/**"/>
         </fileset>
         <manifest>
+          <attribute name="Bundle-DocURL" value="http://www.scylladb.com"/>
+          <attribute name="Bundle-License" value="Apache-2.0"/>
+          <attribute name="Bundle-ManifestVersion" value="2"/>
+          <attribute name="Bundle-Name" value="Scylla-Tools"/>
+          <attribute name="Bundle-Vendor" value="ScyllaDB"/>
+          <attribute name="Bundle-Version" value="${version}"/>
           <attribute name="Implementation-Title" value="Scylla-Tools"/>
           <attribute name="Implementation-Version" value="${version}"/>
           <attribute name="Implementation-Vendor" value="ScyllaDB"/>
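Review bot: the new Bundle-* attributes give the scanner a license to read, but the naming mismatch syuu1228 traced the duplicate entry to is left as is: Bundle-Name and Implementation-Title both remain "Scylla-Tools" while the dpkg package is scylla-enterprise-tools, so the jar will still surface as a separate scylla-tools component next to the package. Two smaller points on the same hunk: Bundle-DocURL points at http://www.scylladb.com rather than https, and Bundle-ManifestVersion "2" declares an OSGi bundle manifest, which by the OSGi spec also requires a Bundle-SymbolicName and a Bundle-Version of the form major.minor.micro.qualifier; a ${version} like 2024.1.7-0.20240930.ef2ea9879a60 does not fit that pattern. Harmless for a plain jar that is never loaded by an OSGi container, but if the goal is only SBOM metadata, Bundle-License alone (plus a Bundle-Name that matches the package) is enough.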

tchaikov avatar Sep 30 '24 13:09 tchaikov

Thank you @tchaikov - it worked! :+1:

type     name           version                                 license                                 purl
library	scylla-tools	2024.1.7-0.20240930.ef2ea9879a60	[{'license': {'id': 'Apache-2.0'}}]	pkg:maven/scylla-tools/[email protected]

Annamikhlin avatar Sep 30 '24 21:09 Annamikhlin