Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(java): add license support for jar files #4734

Open
DmitriyLewen opened this issue Jun 29, 2023 · 9 comments
Open

feat(java): add license support for jar files #4734

DmitriyLewen opened this issue Jun 29, 2023 · 9 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/license Issues relating to license scanning

Comments

@DmitriyLewen
Copy link
Contributor

Description

We can try to add licenses for jar files.

I have 2 ideas:

  1. Some jar files contains LICENSE file inside. We can try to parse these files.
  2. Also we can find license information from *.pom files and add it to trivy-java-db to use when parsing jars in Trivy.
@DmitriyLewen DmitriyLewen added kind/feature Categorizes issue or PR as related to a new feature. scan/license Issues relating to license scanning labels Jun 29, 2023
@coheigea
Copy link
Contributor

Hi @DmitriyLewen ,

For the first point, some jars have the LICENSE file in the root of the jar, and sometimes in the META-INF directory, so it would be good to check for both.

OSGi jars also contain a manifest META-INF/MANIFEST.MF with license information which could be checked, e.g:

Manifest-Version: 1.0
Automatic-Module-Name: org.apache.cxf.binding.xml
Bnd-LastModified: 1686069936379
Build-Jdk-Spec: 17
Bundle-ActivationPolicy: lazy
Bundle-Description: Apache CXF Runtime XML Binding
Bundle-DocURL: http://cxf.apache.org
Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt

@coheigea
Copy link
Contributor

Any update on this - do you want any help with it?

@DmitriyLewen
Copy link
Contributor Author

Hello @coheigea
We created #21 with changes for trivy-java-db.
If you want - you can take a look, perhaps you well see any problems/ideas.

@coheigea
Copy link
Contributor

Thanks @DmitriyLewen - I am correct in thinking that the PR attempts to match the jar with a pom in Maven Central, and extracts the license from the pom if it's specified? It seems like a good approach, I'm happy to test it out once released.

@DmitriyLewen
Copy link
Contributor Author

pom in Maven Central, and extracts the license from the pom if it's specified

You are right.

I'm happy to test it out once released.

it will be great!

@seth-priya
Copy link

We have been using trivy for generating the SBOM (and CVE) information for all the (several hundred) containers that we build and publish for the Linux on Power (ppc64le) platform and missing license information for JAR files is one of the common issues that we have run into several times and have had to make manual updates to address it. So, I am very interested in this as well and happy to test /help in any other way. @DmitriyLewen just checking, is there a plan to get the changes in any time soon or is there a lot of work still remaining? Thanks in advance!

@DmitriyLewen
Copy link
Contributor Author

Hello @seth-priya
We have aquasecurity/trivy-java-db#21 to update trivy-java-db.
But we have other tasks and i can't tell you when we will be able to add these changes.

@gerrith3
Copy link

Hey @DmitriyLewen is there any update on this one? We run trivy pretty much daily and use the SBOM capabilities; having licenses for Jar files would be a huge win for us as well.

@DmitriyLewen
Copy link
Contributor Author

Adding licenses to trivy-java-db is a big and time-consuming job. Unfortunately, we don't have time to finish it at the moment. 😞
You can check out the planned new functionality here - https://github.com/aquasecurity/trivy/milestones

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/license Issues relating to license scanning
Projects
None yet
Development

No branches or pull requests

4 participants