diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go index 109ea5bbcd7d..7d18f5abb90f 100644 --- a/syft/pkg/cataloger/java/archive_parser.go +++ b/syft/pkg/cataloger/java/archive_parser.go @@ -250,6 +250,24 @@ func (j *archiveParser) parseLicenses(manifest *pkg.JavaManifest) ([]pkg.License } } + // If we didn't find any liceneses in the archive so far, we'll try again in Maven Central using groupIDFromJavaMetadata + if len(licenses) == 0 && j.cfg.UseNetwork { + var groupID = name + if gID := groupIDFromJavaMetadata(name, pkg.JavaArchive{Manifest: manifest}); gID != "" { + groupID = gID + } + pomLicenses, err := recursivelyFindLicensesFromParentPom(groupID, name, version, j.cfg) + if err != nil { + log.Tracef("unable to get parent pom from Maven central: %v", err) + } + if len(pomLicenses) > 0 { + pkgLicenses := pkg.NewLicensesFromLocation(j.location, pomLicenses...) + if pkgLicenses != nil { + licenses = append(licenses, pkgLicenses...) + } + } + } + return licenses, name, version, nil }