feat: add option for including full license content in the SBOM#3856
Closed
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* main: annotate hidden paths in all-layers scope (#3855)
…uction Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* main: chore: update license sort to be stable with contents field (#3860)
Superseded by #3876
Description
This PR adds the option for users to configure syft to return the full text of licenses it comes across during scanning.

Currently, syft can be configured to return the `contents` for licenses that do not return a valid SPDX ID. This PR adds an additional config option called `include-full-text`. By default syft does not return any contents of any license in any SBOM.

If a user sets `include-unknown-license-content` then syft will ONLY include content when an SPDX license ID cannot be determined.

If a user sets `include-full-text` then syft will try to include available content for all license objects it returns.

NOTE: this config option can lead to a very large SBOM.
Reviewer Notes
This new option gives more nuance to the license scanner, which could result in different numbers of licenses being returned for a package. Consider the new test case where multiple versions of `MIT` are being returned from scanning a single file, where different content offsets denote the different instances of the license being discovered.

In a previous scan users would just see a single `MIT` instance in the licenses. With this new option the license IDs are no longer deduplicated because of differences in their `content` fields. This part of the design should be considered before merge.

Imagine a license file where multiple IDs are extracted from the same text. Each ID would lead to a separate license being created. To make sure we're not creating multiple licenses with identical content fields we use the returned `Offset` to read the file at the points of discovery for the given ID. This allows us to be more discerning in our license objects at the cost of increased SBOM size.

Depends on #3857

Fixes #3088
Checklist:
Todo
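The behaviour described above (content only for unknown IDs vs. full text for every license, and offset-based dedup by ID plus content) as an added, self-contained Go sketch; it is not syft's code, and the `Match`, `Config`, `License` types and `Extract` function are hypothetical names chosen for this illustration.

```go
package main

import "fmt"

// Match is one license detection: the SPDX ID inferred for it ("" when none) and
// the byte offsets of the matched text. All types here are hypothetical, not syft's.
type Match struct{ SPDXID string; Start, End int }

// Config carries the two option names from the PR description.
type Config struct{ IncludeUnknownLicenseContent, IncludeFullText bool }

// License is the emitted object; two hits are duplicates only if ID and content agree.
type License struct{ SPDXID, Content string }

// Extract returns the license objects for one file. Content is read back from the
// file at each match's offsets only when the config asks for it, so two MIT hits with
// different copyright lines stay distinct under IncludeFullText but collapse by default.
func Extract(cfg Config, file []byte, matches []Match) []License {
	seen := map[License]bool{}
	var out []License
	for _, m := range matches {
		lic := License{SPDXID: m.SPDXID}
		want := cfg.IncludeFullText || (cfg.IncludeUnknownLicenseContent && m.SPDXID == "")
		if want && m.Start >= 0 && m.Start < m.End && m.End <= len(file) {
			lic.Content = string(file[m.Start:m.End])
		}
		if !seen[lic] {
			seen[lic] = true
			out = append(out, lic)
		}
	}
	return out
}

// Constructed sample: one file holding two MIT notices and one unrecognised notice.
var (
	mitA          = "MIT License\nCopyright (c) 2020 A\n"
	mitB          = "MIT License\nCopyright (c) 2021 B\n"
	custom        = "Custom terms: do not redistribute.\n"
	sampleFile    = []byte(mitA + mitB + custom)
	sampleMatches = []Match{
		{"MIT", 0, len(mitA)},
		{"MIT", len(mitA), len(mitA) + len(mitB)},
		{"", len(mitA) + len(mitB), len(sampleFile)},
	}
)

func main() {
	fmt.Printf("%d license object(s)\n", len(Extract(Config{IncludeFullText: true}, sampleFile, sampleMatches)))
}
```

With the defaults the two MIT hits collapse to one entry; with `include-full-text` both survive because their content differs, which is exactly the SBOM-size trade-off the notes above call out.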