
Deprecated license: GFDL-1.2+ #1899

Closed
vargenau opened this issue Jun 27, 2023 · 3 comments · Fixed by #1907
Label: bug (Something isn't working)

Comments

@vargenau (Contributor) opened this issue Jun 27, 2023

What happened:

Output contains deprecated license GFDL-1.2+

What you expected to happen:

It should be: GFDL-1.2-or-later

Steps to reproduce the issue:

syft docker:bitnami/mongodb-sharded:6.0-debian-11 --scope all-layers -o spdx-tag-value > bitnami-mongodb-sharded-6.0-debian-11.spdx

bitnami-mongodb-sharded-6.0-debian-11.spdx.txt

Anything else we need to know?:

Environment:

  • Output of syft version: 0.84.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 23.04
@vargenau vargenau added the bug Something isn't working label Jun 27, 2023
@spiffcs (Contributor) commented Jun 28, 2023

Thanks @vargenau - I'll add this to the license and format specific chores I have today and try and get an updated license list PR added

@spiffcs spiffcs added this to OSS Jun 28, 2023
@spiffcs spiffcs moved this to In Progress in OSS Jun 28, 2023
@spiffcs (Contributor) commented Jun 29, 2023

Following up on this - we are using the latest license list - however when processing spdx license expressions syft does not do any kind of upgrade path for expressions lifted from source files

##### Package: libunistring2

PackageName: libunistring2
SPDXID: SPDXRef-Package-deb-libunistring2-69fdd66f467e3a25
PackageVersion: 0.9.10-4
PackageOriginator: Person: Jörg Frings-Fürst <[email protected]>
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libunistring2/copyright, /var/lib/dpkg/info/libunistring2:amd64.md5sums, /var/lib/dpkg/status
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: LicenseRef-FreeSoftware AND GFDL-1.2-only AND GFDL-1.2+ AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MIT
PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libunistring2:libunistring2:0.9.10-4:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/[email protected]?arch=amd64&upstream=libunistring&distro=debian-11

I think the correct course of action here is to have the maintainer of libunistring2 upgrade their license expression to use a non deprecated license. I'm also looking at our deprecated license logic and noted that gfdl is not being captured so that might be an edge case worth adding to our generation logic.

Let me know if you have other thoughts @vargenau and I can take a look at what kind of edits we would need to modify package license expressions.

Here is the license file where the offending deprecated license is being picked up:
https://metadata.ftp-master.debian.org/changelogs//main/libu/libunistring/libunistring_1.0-2_copyright
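The "upgrade path" the comment above says syft lacks, as an added example in Go (not syft's own code): a deprecated `X+` identifier in an SPDX expression is rewritten to `X-or-later` only when that `-or-later` form is in a known table, so `LicenseRef-*` tokens and other `+` usages are left untouched. The table is a constructed subset of the SPDX license list, and the sample input is the `PackageLicenseDeclared` value from the libunistring2 entry above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// knownOrLater is a constructed subset of SPDX identifiers that carry an
// explicit "-or-later" form; a deprecated "X+" token is upgraded only when
// "X-or-later" is present here, so unrelated "+" usages are left alone.
var knownOrLater = map[string]bool{
	"GFDL-1.1-or-later": true, "GFDL-1.2-or-later": true, "GFDL-1.3-or-later": true,
	"GPL-1.0-or-later": true, "GPL-2.0-or-later": true, "GPL-3.0-or-later": true,
	"LGPL-2.0-or-later": true, "LGPL-2.1-or-later": true, "LGPL-3.0-or-later": true,
}

// plusID matches a license identifier written with the legacy "+" suffix.
var plusID = regexp.MustCompile(`[A-Za-z0-9.\-]+\+`)

// UpgradeOrLater rewrites deprecated "X+" identifiers in an SPDX license
// expression to "X-or-later" and reports which ones were replaced.
// Operators, parentheses and LicenseRef-* tokens are preserved unchanged.
func UpgradeOrLater(expr string) (string, []string) {
	var replaced []string
	out := plusID.ReplaceAllStringFunc(expr, func(tok string) string {
		candidate := strings.TrimSuffix(tok, "+") + "-or-later"
		if !knownOrLater[candidate] {
			return tok // no listed -or-later form: leave as written
		}
		replaced = append(replaced, tok)
		return candidate
	})
	return out, replaced
}

func main() {
	// The PackageLicenseDeclared value from the libunistring2 entry in this issue.
	declared := "LicenseRef-FreeSoftware AND GFDL-1.2-only AND GFDL-1.2+ AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-3.0-only AND LGPL-3.0-or-later AND MIT"
	fixed, replaced := UpgradeOrLater(declared)
	fmt.Println("deprecated ids replaced:", replaced)
	fmt.Println("PackageLicenseDeclared:", fixed)
}
```

The `replaced` list is the useful detection output: an SBOM pipeline can flag packages whose declared expression still carries deprecated identifiers before emitting the document.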

@vargenau (Contributor, Author) commented

@spiffcs
Thank you very much for the fix.
I confirm it works as expected in syft 0.85.0
