Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecated license: GFDL-1.2+ #1899

Closed
vargenau opened this issue Jun 27, 2023 · 3 comments · Fixed by #1907
Closed

Deprecated license: GFDL-1.2+ #1899

vargenau opened this issue Jun 27, 2023 · 3 comments · Fixed by #1907
Assignees
@spiffcs
Labels
bug Something isn't working

Comments

@vargenau
Copy link
Contributor

What happened:

Output contains deprecated license GFDL-1.2+

What you expected to happen:

It should be: GFDL-1.2-or-later

Steps to reproduce the issue:

syft docker:bitnami/mongodb-sharded:6.0-debian-11 --scope all-layers -o spdx-tag-value > bitnami-mongodb-sharded-6.0-debian-11.spdx

bitnami-mongodb-sharded-6.0-debian-11.spdx.txt

Anything else we need to know?:

Environment:

  • Output of syft version: 0.84.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 23.04
@vargenau vargenau added the bug Something isn't working label Jun 27, 2023
@spiffcs
Copy link
Contributor

spiffcs commented Jun 28, 2023

Thanks @vargenau - I'll add this to the license and format specific chores I have today and try and get an updated license list PR added

@spiffcs
Copy link
Contributor

spiffcs commented Jun 29, 2023
edited
Loading

Following up on this - we are using the latest license list - however when processing spdx license expressions syft does not do any kind of upgrade path for expressions lifted from source files

##### Package: libunistring2

PackageName: libunistring2
SPDXID: SPDXRef-Package-deb-libunistring2-69fdd66f467e3a25
PackageVersion: 0.9.10-4
PackageOriginator: Person: Jörg Frings-Fürst <[email protected]>
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libunistring2/copyright, /var/lib/dpkg/info/libunistring2:amd64.md5sums, /var/lib/dpkg/status
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: LicenseRef-FreeSoftware AND GFDL-1.2-only AND GFDL-1.2+ AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MIT
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libunistring2:libunistring2:0.9.10-4:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/[email protected]?arch=amd64&upstream=libunistring&distro=debian-11

I think the correct course of action here is to have the maintainer of libunitstring2 upgrade their license expression to use a non deprecated license. I'm also looking at our deprecated license logic and noted that gfdl is not being captured so that might be an edge case worth adding to our generation logic.

Let me know if you have other thoughts @vargenau and I can take a look at what kind of edits we would need to modify package license expressions.

Here is the license file where the offending depreciated license is being picked up:
https://metadata.ftp-master.debian.org/changelogs//main/libu/libunistring/libunistring_1.0-2_copyright

@spiffcs spiffcs self-assigned this Jun 29, 2023
@spiffcs spiffcs mentioned this issue Jun 29, 2023
Merged
This was referenced Jul 12, 2023
Open
Closed
Merged
Closed
Open
Closed
Open
Closed
@vargenau
Copy link
Contributor Author

@spiffcs
Thank you very much for the fix.
I confirm it works as expected in syft 0.85.0

This was referenced Jul 28, 2023
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@spiffcs spiffcs

Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: "or-later" suffix updated to consider deprecated "+" operator anchore/syft
2 participants
@vargenau @spiffcs