Detect when full license text has been provided and preserve as separate field #3450
Merged
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
b51f450 to bbca5e5
wagoodman reviewed Nov 18, 2024
I just hit this case and maybe this could get picked up again as the new field would help me a lot :)

Yep! This is in the queue of a few other PRs I have to clean up and get merged for the next upcoming release. Apologies for the delay on this one.
* main: (117 commits)
  chore(deps): update CPE dictionary index (#3620)
  chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.8.0 to 4.8.1 (#3621)
  chore(deps): bump github/codeql-action from 3.28.4 to 3.28.5 (#3622)
  chore(deps): bump github/codeql-action from 3.28.3 to 3.28.4 (#3618)
  chore(deps): bump anchore/sbom-action from 0.17.9 to 0.18.0 (#3619)
  chore(deps): update tools to latest versions (#3607)
  chore(deps): bump github/codeql-action from 3.28.2 to 3.28.3 (#3608)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.13.1 to 5.13.2 (#3609)
  chore(deps): bump github.com/docker/docker (#3610)
  chore(deps): bump actions/setup-go in /.github/actions/bootstrap (#3612)
  chore(deps): bump actions/cache in /.github/actions/bootstrap (#3613)
  chore(ci): fix composite GitHub action path in dependabot config (#3611)
  chore(deps): update tools to latest versions (#3602)
  chore(deps): bump github/codeql-action from 3.28.1 to 3.28.2 (#3604)
  chore(deps): bump github.com/hashicorp/hcl/v2 from 2.22.0 to 2.23.0 (#3605)
  chore(deps): bump github.com/aquasecurity/go-pep440-version (#3606)
  chore: bump stereoscope to v0.0.13 (#3601)
  feat(cataloger): add a terraform provider cataloger (#3378)
  chore(deps): update tools to latest versions (#3597)
  chore(deps): update CPE dictionary index (#3599)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Updating this in relation to #3366
* main: (150 commits)
  fix the fluent-bit regex detection pattern (#3817)
  chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832)
  chore(deps): update tools to latest versions (#3830)
  Resolve owned file paths when searching for overlaps (#3828)
  chore(deps): update anchore dependencies (#3827)
  fix: Make the fileresolver Support Prefix Match of Files (#3820)
  Add support for detecting javascript assets in .NET projects using libman (#3825)
  chore(deps): update tools to latest versions (#3823)
  (feat): support skipping archive extraction with file source (#3795)
  Consider DLL claims for dependencies of .NET packages from deps.json (#3822)
  PE cataloger should consider compile target paths from deps.json (#3821)
  Perf: skip license scanner injection (#3796)
  chore(deps): bump sigstore/cosign-installer from 3.8.1 to 3.8.2 (#3818)
  chore(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#3819)
  chore(deps): update tools to latest versions (#3815)
  docs: document test commands (#3816)
  Support detection of Chrome binaries (#3136)
  fix:allow golang tip image detection regex pattern (#3757)
  fix:Make the parse of the replace part in ```go.mod``` more compliant and traceable (#3812)
  (fix): delete collection name/type key entries when empty (#3797)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
wagoodman reviewed May 1, 2025
wagoodman reviewed May 1, 2025
wagoodman reviewed May 1, 2025
wagoodman approved these changes May 1, 2025
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
spiffcs added a commit that referenced this pull request May 1, 2025
* main: (142 commits)
  feat: detect when full license text has been provided and preserve as separate field (#3450)
  chore(deps): bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1 (#3843)
  chore(deps): update tools to latest versions (#3841)
  Update github.com/Masterminds/semver to v3 (#3836)
  Add support for PHP Pear (#2775)
  fix: Improve detection of erlang binary in alpine Linux (#3839)
  fix:Resolve ancestral symlinks correctly (#3783)
  chore(deps): update CPE dictionary index (#3834)
  chore(deps): update tools to latest versions (#3835)
  chore(deps): bump github.com/charmbracelet/bubbletea from 1.3.4 to 1.3.5 (#3838)
  fix the fluent-bit regex detection pattern (#3817)
  chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832)
  chore(deps): update tools to latest versions (#3830)
  Resolve owned file paths when searching for overlaps (#3828)
  chore(deps): update anchore dependencies (#3827)
  fix: Make the fileresolver Support Prefix Match of Files (#3820)
  Add support for detecting javascript assets in .NET projects using libman (#3825)
  chore(deps): update tools to latest versions (#3823)
  (feat): support skipping archive extraction with file source (#3795)
  Consider DLL claims for dependencies of .NET packages from deps.json (#3822)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
This PR updates the syft `License` model to include a new `FullText` field without any breaking changes to the current license behavior. We select candidates for this new field based on if the metadata being analyzed contains any new line characters. Because we still want `Value` to be populated as it is a required field I've included a default string that will be added here when `FullText` is the selected outcome for a newly constructed license.

Verification

Use the following `Dockerfile` and build a test image

```
docker build -t syft-3088:latest .
```

Run the latest syft against this image using this branch:

```
go run cmd/syft/main.go -o json syft-3088 | jq '.artifacts[] | select(.name=="numpy") | { name: .name, licenses: .licenses }'
```

The large license value extracted from the package should now be listed under the field `fullText` with `value` being set to `FullText` to keep the field required and not incur any breaking changes.

Type of change

Checklist:
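The newline heuristic from the PR description, sketched as an added Go example that is not syft's code and not part of the original page. The `License` struct, `NewLicense`, `LicenseField`, the placeholder string and the sample metadata are all hypothetical or constructed; trimming surrounding whitespace before the check is this example's own assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// License is a hypothetical stand-in for the model the PR describes, not syft's type.
type License struct {
	Value    string // required field; short identifier or placeholder
	FullText string // populated only when the metadata carried multi-line text
}

// placeholderValue is constructed; it is not the default string syft uses.
const placeholderValue = "PLACEHOLDER-DEFAULT"

// NewLicense applies the heuristic: metadata containing a newline is full text.
func NewLicense(raw string) License {
	raw = strings.TrimSpace(raw) // assumption: a lone trailing newline is not full text
	if strings.ContainsAny(raw, "\r\n") {
		return License{Value: placeholderValue, FullText: raw}
	}
	return License{Value: raw}
}

// LicenseField pulls the "License:" header out of RFC 822 style package
// metadata, joining indented continuation lines with newlines.
func LicenseField(metadata string) string {
	var parts []string
	inField := false
	sc := bufio.NewScanner(strings.NewReader(metadata))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "License:"):
			inField = true
			parts = append(parts, strings.TrimSpace(strings.TrimPrefix(line, "License:")))
		case inField && (strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t")):
			parts = append(parts, strings.TrimSpace(line))
		default:
			inField = false
		}
	}
	return strings.Join(parts, "\n")
}

// sampleMetadata is constructed input with a multi-line License header.
const sampleMetadata = "Name: examplepkg\nLicense: Copyright (c) 2024 Example Authors\n        Redistribution and use in source and binary forms...\nRequires-Python: >=3.9\n"

func main() {
	for _, md := range []string{sampleMetadata, "Name: other\nLicense: MIT\n"} {
		l := NewLicense(LicenseField(md))
		fmt.Printf("value=%q fullText=%d bytes\n", l.Value, len(l.FullText))
	}
}
```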