Christopher Angelo Phillips
Similar issue linked here! Thanks for filing the bug. We'll take a look and see what needs to be done to get licenses populated for dir scans. https://github.com/anchore/syft/issues/845
Thanks for the clarification! It's an interesting case because it poses the question "Given some manifest file, should syft traverse extra noninput paths to find additional metadata information?" `package-lock.json` does...
I just went back to validate this and it looks like after running the reproduce steps above we do not get the license from just `package-lock.json`: The license IS picked...
If we do want this to work where node_modules is accounted for as a post catalog task I think we would need to rebuild the tree for this post process...
@tafli thank you for the issue! I added a label so we can take time to validate that this is still working as you described in the reproduction steps. Once...
@tofay I think that's correct - Integration tests that prove no collision and assert on packages being resolved as `imported` or detected as part of an SBOM and not asserted...
@wagoodman @tofay @patrikbeno @kzantow @tgerla I'd like to add this PR as the first topic for the next community meeting: https://calendar.google.com/calendar/u/0/r?cid=Y182OTM4dGt0MjRtajI0NnNzOThiaGtnM29qNEBncm91cC5jYWxlbmRhci5nb29nbGUuY29t @patrikbeno has been extremely diligent in keeping it in line...
@seabass-labrax are you on the community slack? If you pm me I can message you the zoom link directly
Thanks for filing the issue @arthur-hav! Just coming back to this issue and seeing it's been 3 months. Has dependency track updated their software to consume the valid PURLs produced...
Just ran this locally and confirmed we need to add support to the `cyclonedxhelpers` folder for the `goBuildSettings`. This could be a good first issue for anyone who is curious...