Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get licenses for NuGet packages #1227

Open
fg-j opened this issue Sep 23, 2022 · 4 comments · May be fixed by #3329
Open

Get licenses for NuGet packages #1227

fg-j opened this issue Sep 23, 2022 · 4 comments · May be fixed by #3329
Labels
enhancement New feature or request good-first-issue Good for newcomers

Comments

@fg-j
Copy link
Contributor

fg-j commented Sep 23, 2022

What would you like to be added:
#726 brought initial support for generating SBOMs for NuGet packages 🎉 . One significant gap in the metadata in those SBOMs is license information. It'd be awesome if licenses for NuGet packages were included.

Why is this needed:
License information is a key value proposition for compliance-minded users who are building .NET apps with NuGet dependencies.

Additional context:

The file that project.assets.json that Syft scans for SBOM info doesn't include license information, but I wonder if it's possible to get it from somewhere else.

Here's a snippet of a SPDX SBOM generated with syft for a NuGet package:

...
  {
   "SPDXID": "SPDXRef-99c6488b6206ecc1",
   "downloadLocation": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceLocator": "cpe:2.3:a:Humanizer:Humanizer:2.14.1:*:*:*:*:*:*:*",
     "referenceType": "cpe23Type"
    },
    {
     "referenceCategory": "PACKAGE_MANAGER",
     "referenceLocator": "pkg:dotnet/[email protected]",
     "referenceType": "purl"
    }
   ],
   "filesAnalyzed": false,
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "name": "Humanizer",
   "sourceInfo": "acquired package info from dotnet project assets file: NugetBenchmarking.deps.json",
   "versionInfo": "2.14.1"
  },
...

the corresponding NuGet package, Humanizer.Core uses the MIT license.
@fg-j fg-j added the enhancement New feature or request label Sep 23, 2022
@spiffcs spiffcs added the good-first-issue Good for newcomers label Sep 30, 2022
@spiffcs spiffcs added this to OSS Sep 30, 2022
@spiffcs
Copy link
Contributor

spiffcs commented Sep 30, 2022

Thanks so much for the issue @fg-j!

I also added the good first issue label since the write-up you did was so good.

If we have the bandwidth in the coming week/s we'll try and get this in, but also anyone who comes across this issue consider this fair game to attempt as a contribution.

Feel free to tag me in a draft PR if you do and I can always help with testing or cleanup!

@kzantow kzantow moved this to Parking Lot (Comments or Progress) in OSS Oct 6, 2022
@vanthome
Copy link

vanthome commented Jan 6, 2023

I have the exact same issue but with Rust Crates. Here is an example output of the Toml files:

[package]
edition = "2018"
name = "actix-server"
version = "2.1.1"
authors = ["Nikolay Kim <[email protected]>", "fakeshadow <[email protected]>", "Rob Ede <[email protected]>", "Ali MJ Al-Nasrawy <[email protected]>"]
description = "General purpose TCP server built for the Actix ecosystem"
homepage = "https://actix.rs"
keywords = ["network", "tcp", "server", "framework", "async"]
categories = ["network-programming", "asynchronous"]
license = "MIT OR Apache-2.0"

They do include the license. Is it planned to also output them for Rust packages?

@tgerla tgerla removed the status in OSS Aug 31, 2023
@tgerla tgerla moved this to Backlog in OSS Aug 31, 2023
@jeremytbrun
Copy link

Really interested in seeing license info added for NuGet packages as well. Our organization is evaluating syft to integrate into our CI/CD processes to generate SBOM's that can be imported into Dependency-Track for analysis. Having this license data for NuGet packages would be 😎👌

@kzantow kzantow mentioned this issue May 9, 2024
Open
44 tasks
@HeyeOpenSource
Copy link

HeyeOpenSource commented Oct 1, 2024
edited
Loading

I'll give it a shot, if I may...
https://github.com/HeyeOpenSource/syft

This was referenced Oct 14, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good-first-issue Good for newcomers
Projects
OSS
Status: Backlog
Milestone
No milestone
5 participants
@vanthome @fg-j @jeremytbrun @spiffcs @HeyeOpenSource