
SPDX PackageLicenseDeclared should be NOASSERTION

Open rnjudge opened this issue 4 years ago • 2 comments

What happened: When running syft photon:3.0 -o spdx, the PackageLicenseDeclared for all packages is listed as NONE. According to the SPDX spec, however, NONE should only be used if "the package contains no license information whatsoever". The photon packages do contain license information, so NOASSERTION should be the value of PackageLicenseDeclared since a license is available but not provided.

PackageName: bash
SPDXID: SPDXRef-Package-rpm-bash
PackageVersion: 4.4.18-2.ph3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NONE
PackageLicenseDeclared: NONE
PackageCopyrightText: NOASSERTION

What you expected to happen: At a minimum, NOASSERTION should be the value of PackageLicenseDeclared (and probably PackageLicenseConcluded). Ideally, the License or LicenseRef for the package would be listed since the license is provided in the json format:

    "purl": "pkg:rpm/photon/bash@4.4.18-2.ph3?arch=x86_64",
    "metadataType": "RpmdbMetadata",
    "metadata": {
      "name": "bash",
      "version": "4.4.18",
      "epoch": null,
      "architecture": "x86_64",
      "release": "2.ph3",
      "sourceRpm": "bash-4.4.18-2.ph3.src.rpm",
      "size": 3315720,
      "license": "GPLv3",
      "vendor": "VMware, Inc.",

How to reproduce it (as minimally and precisely as possible): syft photon:3.0 -o spdx

Anything else we need to know?: https://spdx.github.io/spdx-spec/package-information/

Version: 0.32.0

rnjudge avatar Dec 09 '21 17:12 rnjudge
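To illustrate the NONE versus NOASSERTION distinction raised in the issue, here is an added example (not syft's own code) that derives PackageLicenseDeclared from RPM metadata and flags tag-value SPDX output that emits NONE for a package whose metadata does carry a license. The SPDX identifier set and the RPM-string mapping are constructed subsets, and the sample SPDX text is the fragment from the report above.

```python
"""Derive SPDX PackageLicenseDeclared from RPM metadata and audit tag-value output."""
import re

# Constructed subset of SPDX license identifiers (the real list is spdx.org/licenses).
KNOWN_SPDX_IDS = {"GPL-3.0-only", "GPL-3.0-or-later", "MIT", "Apache-2.0"}
# Assumed mapping of common RPM License: strings to SPDX ids (constructed, not syft's).
RPM_TO_SPDX = {"GPLv3": "GPL-3.0-only", "GPLv3+": "GPL-3.0-or-later",
               "MIT": "MIT", "ASL 2.0": "Apache-2.0"}


def declared_license(metadata: dict) -> str:
    """Return the PackageLicenseDeclared value for one package's metadata.

    NOASSERTION means the generator makes no claim (no usable license field).
    NONE is reserved for packages known to contain no license information at
    all, so a generator that has not checked must never emit it by default.
    """
    raw = (metadata.get("license") or "").strip()
    if not raw:
        return "NOASSERTION"
    if raw in KNOWN_SPDX_IDS:
        return raw
    if raw in RPM_TO_SPDX:
        return RPM_TO_SPDX[raw]
    # Unknown vendor string: keep it as a LicenseRef-<idstring> so the
    # information is preserved (an ExtractedLicensingInfo block would define it).
    return "LicenseRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", raw)


def find_suspect_none(spdx_tag_value: str, licenses_by_name: dict) -> list:
    """List packages whose SPDX text says NONE although metadata has a license."""
    suspects, current = [], None
    for line in spdx_tag_value.splitlines():
        key, _, value = line.partition(":")
        if key == "PackageName":
            current = value.strip()
        elif key == "PackageLicenseDeclared" and current:
            if value.strip() == "NONE" and licenses_by_name.get(current):
                suspects.append(current)
    return suspects


# Constructed sample: the tag-value fragment from the report plus its metadata.
SAMPLE_SPDX = """PackageName: bash
SPDXID: SPDXRef-Package-rpm-bash
PackageLicenseConcluded: NONE
PackageLicenseDeclared: NONE
"""
SAMPLE_LICENSES = {"bash": "GPLv3"}
```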

Thanks @rnjudge for the find here!

We've got some work in-flight regarding identifying and propagating license information into the SPDX format/base syft data shape.

I think we can do a quick patch that gets NOASSERTION into place as the default rather than using NONE in the meantime.

I can get this in when I have some bandwidth this week. Also, if it seems small enough and you're interested in becoming a contributor, feel free to throw a PR up. I'd be happy to review it and help merge it in for our next release.

spiffcs avatar Dec 09 '21 18:12 spiffcs

@spiffcs sounds good! I can do that before vacation next week :)

rnjudge avatar Dec 09 '21 22:12 rnjudge