feat(java): add license support for jar files #4734
Comments
Hi @DmitriyLewen, for the first point, some jars have the LICENSE file in the root of the jar, and sometimes in the META-INF directory, so it would be good to check for both. OSGi jars also contain a manifest META-INF/MANIFEST.MF with license information which could be checked, e.g.:
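The two in-jar sources named in the comment above (a LICENSE file at the jar root or under META-INF/, and the OSGi Bundle-License header in META-INF/MANIFEST.MF) can be read straight out of the zip structure. The Go program below is an added example written for this page, not code from Trivy or from the commenter. The jar it scans is constructed in memory for the demo, and the names LicenseFinding, ScanJar and BuildSampleJar as well as the 1 MiB per-entry read cap are the example's own choices. It also covers two details the comment does not spell out: manifest header values longer than 72 bytes are wrapped onto continuation lines that start with a single space, and a LICENSE buried deeper in the tree (typically a vendored dependency) is deliberately not attributed to the jar itself.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// LicenseFinding is one piece of license evidence found inside a jar.
type LicenseFinding struct {
	Source  string // "LICENSE file" or "MANIFEST.MF"
	Path    string // zip entry it came from
	License string // Bundle-License value, or the first line of the LICENSE text
}

// isLicenseFile accepts LICENSE, LICENSE.txt, LICENSE-MIT, ... only at the jar root or
// directly under META-INF/; a LICENSE deeper in the tree belongs to a vendored dependency.
func isLicenseFile(name string) bool {
	dir, base := path.Split(name)
	u := strings.ToUpper(base)
	return (dir == "" || dir == "META-INF/") &&
		(u == "LICENSE" || strings.HasPrefix(u, "LICENSE.") || strings.HasPrefix(u, "LICENSE-"))
}

// firstLine returns the first non-blank line of a LICENSE text as a cheap label.
func firstLine(r io.Reader) string {
	b, _ := io.ReadAll(r)
	for _, l := range strings.Split(string(b), "\n") {
		if l = strings.TrimSpace(l); l != "" {
			return l
		}
	}
	return ""
}

// manifestLicense returns the OSGi Bundle-License header of a MANIFEST.MF. Manifest lines
// are capped at 72 bytes; a line beginning with one space continues the previous header.
func manifestLicense(r io.Reader) string {
	b, _ := io.ReadAll(r)
	text := strings.NewReplacer("\r\n ", "", "\n ", "").Replace(string(b)) // join continuations
	for _, l := range strings.Split(text, "\n") {
		if k, v, ok := strings.Cut(l, ":"); ok && strings.EqualFold(k, "Bundle-License") {
			return strings.TrimSpace(v)
		}
	}
	return ""
}

// ScanJar reads a jar (a zip) from memory and collects license evidence from LICENSE
// files and the OSGi Bundle-License manifest header.
func ScanJar(data []byte) ([]LicenseFinding, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var out []LicenseFinding
	for _, f := range zr.File {
		isManifest := f.Name == "META-INF/MANIFEST.MF"
		if !isManifest && !isLicenseFile(f.Name) {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// Cap each read at 1 MiB so an entry with a huge declared uncompressed size cannot exhaust memory.
		r := io.LimitReader(rc, 1<<20)
		if isManifest {
			if s := manifestLicense(r); s != "" {
				out = append(out, LicenseFinding{"MANIFEST.MF", f.Name, s})
			}
		} else if s := firstLine(r); s != "" {
			out = append(out, LicenseFinding{"LICENSE file", f.Name, s})
		}
		rc.Close()
	}
	return out, nil
}

// BuildSampleJar assembles a constructed in-memory jar (demo input, not a real artifact)
// with a Bundle-License header split over a continuation line and a META-INF/LICENSE.txt.
func BuildSampleJar() []byte {
	entries := [][2]string{
		{"META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nBundle-SymbolicName: com.example.demo\r\n" +
			"Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt;descr\r\n" +
			" iption=\"Apache License, Version 2.0\"\r\n"},
		{"META-INF/LICENSE.txt", "\n      Apache License\n   Version 2.0, January 2004\n"},
		{"com/example/vendor/LICENSE", "MIT License\n"}, // nested: must be ignored
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e[0])
		io.WriteString(w, e[1])
	}
	zw.Close()
	return buf.Bytes()
}

func main() { // prints the findings from the constructed jar
	fmt.Println(ScanJar(BuildSampleJar()))
}
```

Run with `go run` to see the two findings. The first line of a LICENSE text is only a crude label; a real scanner would still need to classify the full text into an SPDX identifier, whereas the Bundle-License header and a POM's license name are already structured and are the cheaper signal to prefer when present.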
Any update on this - do you want any help with it?
Thanks @DmitriyLewen - am I correct in thinking that the PR attempts to match the jar with a pom in Maven Central, and extracts the license from the pom if it's specified? It seems like a good approach, I'm happy to test it out once released.
You are right.
It will be great!
We have been using trivy for generating the SBOM (and CVE) information for all the (several hundred) containers that we build and publish for the Linux on Power (ppc64le) platform, and missing license information for JAR files is one of the common issues that we have run into several times and have had to make manual updates to address. So, I am very interested in this as well and happy to test / help in any other way. @DmitriyLewen just checking, is there a plan to get the changes in any time soon or is there a lot of work still remaining? Thanks in advance!
Hello @seth-priya |
Hey @DmitriyLewen is there any update on this one? We run trivy pretty much daily and use the SBOM capabilities; having licenses for Jar files would be a huge win for us as well.
Adding licenses to trivy-java-db is a big and time-consuming job. Unfortunately, we don't have time to finish it at the moment. 😞 |
Description
We can try to add licenses for jar files. I have 2 ideas:
1. jar files contain a LICENSE file inside. We can try to parse these files.
2. *.pom files and add it to trivy-java-db to use when parsing jars in Trivy.
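The second idea (taking licenses from *.pom files, which a comment above describes as matching a jar to its POM in Maven Central and reading the license from it) needs a POM parser plus one caveat a practitioner will hit immediately: Maven inherits the licenses section from the parent POM, so a child POM that declares no licenses is not license-free and the parent has to be looked up next. The Go code below is an added example for this page, not the implementation in Trivy or trivy-java-db. The two POMs are constructed for the demo, the names Coordinates, PomLicenses, ResolveLicenses and CentralPomPath are the example's own, and the lookup is an in-memory map standing in for a repository fetch or a database query so that it runs offline.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Coordinates identify a Maven artifact (groupId, artifactId, version).
type Coordinates struct{ GroupID, ArtifactID, Version string }

// pom is the subset of a Maven POM needed to read licenses and follow the parent chain.
// The tags carry no namespace, so both xmlns="http://maven.apache.org/POM/4.0.0" and bare
// <project> roots are accepted.
type pom struct {
	XMLName xml.Name `xml:"project"`
	Parent  *struct {
		GroupID    string `xml:"groupId"`
		ArtifactID string `xml:"artifactId"`
		Version    string `xml:"version"`
	} `xml:"parent"`
	Licenses []struct {
		Name string `xml:"name"`
		URL  string `xml:"url"`
	} `xml:"licenses>license"`
}

// PomLicenses parses one POM and returns its declared license names. When it declares none,
// the parent coordinates are returned so the caller can continue up the inheritance chain
// instead of reporting "no license" for an artifact whose license lives in its parent POM.
func PomLicenses(src string) ([]string, *Coordinates, error) {
	var p pom
	if err := xml.NewDecoder(strings.NewReader(src)).Decode(&p); err != nil {
		return nil, nil, err
	}
	var licenses []string
	for _, l := range p.Licenses {
		if n := strings.TrimSpace(l.Name); n != "" {
			licenses = append(licenses, n)
		}
	}
	var parent *Coordinates
	if len(licenses) == 0 && p.Parent != nil {
		parent = &Coordinates{p.Parent.GroupID, p.Parent.ArtifactID, p.Parent.Version}
	}
	return licenses, parent, nil
}

// CentralPomPath is the repository-layout path of an artifact's POM below a Maven
// repository root such as https://repo1.maven.org/maven2/ (dots in the groupId become
// directories). The fetch itself is left to the caller so the example stays offline.
func CentralPomPath(c Coordinates) string {
	return fmt.Sprintf("%s/%s/%s/%s-%s.pom",
		strings.ReplaceAll(c.GroupID, ".", "/"), c.ArtifactID, c.Version, c.ArtifactID, c.Version)
}

// ResolveLicenses follows the parent chain through lookup until a POM declares licenses.
// The chain is bounded so a cyclic or hostile parent reference cannot loop forever.
func ResolveLicenses(src string, lookup func(Coordinates) (string, bool)) ([]string, error) {
	for depth := 0; depth < 10; depth++ {
		licenses, parent, err := PomLicenses(src)
		if err != nil || len(licenses) > 0 || parent == nil {
			return licenses, err
		}
		next, ok := lookup(*parent)
		if !ok {
			return nil, fmt.Errorf("parent POM %s not available", CentralPomPath(*parent))
		}
		src = next
	}
	return nil, fmt.Errorf("parent chain deeper than 10 levels")
}

// Constructed sample POMs (not real artifacts): a child with no <licenses> that points at a
// parent, and the parent that carries the license.
const childPom = `<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.example</groupId><artifactId>example-parent</artifactId><version>7</version>
  </parent>
  <artifactId>example-lib</artifactId>
</project>`

const parentPom = `<project>
  <groupId>com.example</groupId><artifactId>example-parent</artifactId><version>7</version>
  <packaging>pom</packaging>
  <licenses><license>
    <name>Apache License, Version 2.0</name>
    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
  </license></licenses>
</project>`

func main() {
	repo := map[Coordinates]string{{"com.example", "example-parent", "7"}: parentPom}
	lookup := func(c Coordinates) (string, bool) { s, ok := repo[c]; return s, ok }
	fmt.Println(ResolveLicenses(childPom, lookup)) // [Apache License, Version 2.0] <nil>
}
```

For a database such as trivy-java-db, this means the license should be resolved at build time, when the parent POM is reachable, and stored alongside the artifact; a scanner that only sees the jar cannot follow the chain offline.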