dependency-graph/sbom shows wrong license information

[Loki-Afro]

Select Topic Area

Question

Body

hi,

I'm using the dependency-review-action and got an issue where during a dependency update the license of a dependency may have changed

so digged into the code and found out how the action is doing its magic:

it is using the github apis dependency-graph, like so:

gh api repos/hpi-schul-cloud/schulcloud-client/dependency-graph/compare/a5e6c977a0b1408a37c89fd72529fae1501aade4...87c371d6b59380bd4be83cd59451696e4514291b

resulting in

[
  {
    "change_type": "removed",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "elliptic",
    "version": "6.5.4",
    "package_url": "pkg:npm/[email protected]",
    "license": "MIT",
    "source_repository_url": "https://github.com/indutny/elliptic",
    "scope": "runtime",
    "vulnerabilities": [
      {
        "severity": "low",
        "advisory_ghsa_id": "GHSA-f7q4-pwc6-w24p",
        "advisory_summary": "Elliptic's EDDSA missing signature length check",
        "advisory_url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p"
      },
      {
        "severity": "low",
        "advisory_ghsa_id": "GHSA-977x-g7h5-7qgw",
        "advisory_summary": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero",
        "advisory_url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw"
      },
      {
        "severity": "low",
        "advisory_ghsa_id": "GHSA-49q7-c7j4-3p7m",
        "advisory_summary": "Elliptic allows BER-encoded signatures",
        "advisory_url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m"
      },
      {
        "severity": "low",
        "advisory_ghsa_id": "GHSA-434g-2637-qmqr",
        "advisory_summary": "Elliptic's verify function omits uniqueness validation",
        "advisory_url": "https://github.com/advisories/GHSA-434g-2637-qmqr"
      },
      {
        "severity": "low",
        "advisory_ghsa_id": "GHSA-fc9h-whq2-v747",
        "advisory_summary": "Valid ECDSA signatures erroneously rejected in Elliptic",
        "advisory_url": "https://github.com/advisories/GHSA-fc9h-whq2-v747"
      }
    ]
  },
  {
    "change_type": "added",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "elliptic",
    "version": "6.6.1",
    "package_url": "pkg:npm/[email protected]",
    "license": "MIT AND OFL-1.1",
    "source_repository_url": "https://github.com/indutny/elliptic",
    "scope": "runtime",
    "vulnerabilities": []
  }
]

the logic if that should fail at all if MIT and/or OFL-1.1 is already allowed is out of question here

but it got me wondering, where does OFL-1.1 come from? looking at the repository, it doesn't have a license file but shows it in the readme: MIT

that is why returns 404, as far as i understand

 gh api repos/indutny/elliptic/license
{
gh: Not Found (HTTP 404)
  "message": "Not Found",
  "documentation_url": "https://docs.github.com/rest/licenses/licenses#get-the-license-for-a-repository",
  "status": "404"
}

the string OFL-1.1 doesn't exist in the repo either, so it must be a dependency right?
so i used

gh api repos/indutny/elliptic/dependency-graph/sbom

elliptic.dependencygraph.txt
which does not contain any OFL-1.1 either

so finally my question is: where does the OFL-1.1 license come from? :)