
Syft cannot get license from package.json in nested node_modules dir #2330

Open
sasakiyuta84 opened this issue Nov 16, 2023 · 1 comment
Labels
bug Something isn't working

@sasakiyuta84

What happened:
Syft cannot get a license from a package.json file in a nested node_modules dir.
If library A is in a nested node_modules dir, like the following, then Syft cannot output its license.

| --- yarn.lock <--- including library A as a dependency
| --- node_modules
       | --- library B
              | --- node_modules
                    | --- library A
                          | --- package.json <--- including a license field

What you expected to happen:
The license of library A is also included in the output.

Steps to reproduce the issue:
I ran into this issue when I used @storybook/addon-docs@6.5.16.
The following steps can reproduce this issue.

$ pwd
/path/to/YOUR_TEST_DIR
$ yarn init -y
$ yarn add @storybook/addon-docs@6.5.16
$ syft . -o spdx-json | jq '.packages[] | select(.licenseDeclared == "NOASSERTION") | {name, sourceInfo, licenseDeclared, licenseConclude} '
{
  "name": "babel-plugin-apply-mdx-type-prop",
  "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
  "licenseDeclared": "NOASSERTION",
  "licenseConclude": null
}
{
  "name": "trim",
  "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
  "licenseDeclared": "NOASSERTION",
  "licenseConclude": null
}
$ cat node_modules/@mdx-js/mdx/node_modules/babel-plugin-apply-mdx-type-prop/package.json | jq .license
"MIT"

Anything else we need to know?:
This issue does not occur when I use npm i @storybook/addon-docs@6.5.16 instead of yarn add.

The yarn version is:

$ yarn -v
1.22.19

Environment:

  • Output of syft version:
$ syft version
Application: syft
Version:    0.96.0
BuildDate:  2023-11-09T14:04:09Z
GitCommit:  0891d35e0774f175e3a3f170edcce9ad2f4f015b
GitDescription: v0.96.0
Platform:   darwin/arm64
GoVersion:  go1.21.3
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
$ sw_vers
ProductName:		macOS
ProductVersion:		13.4.1
BuildVersion:		22F82
@sasakiyuta84 sasakiyuta84 added the bug Something isn't working label Nov 16, 2023
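The gap described in the report can be checked independently of the SBOM tool: walk node_modules without pruning nested node_modules directories, collect every declared license, and list the packages the SBOM marks NOASSERTION although an installed manifest does declare one. This is an added example, not Syft's code; the fixture tree mirrors the reported layout, and "legacy-pkg" (with the older object-form license field) is a hypothetical package.

```python
import json
import os
import tempfile


def read_license(manifest):
    """license field as SPDX string, or legacy {"type": ...} object; None if absent."""
    lic = manifest.get("license")
    return lic.get("type") if isinstance(lic, dict) else lic


def collect_licenses(node_modules):
    """Map package name -> set of declared licenses, descending into nested node_modules."""
    found = {}
    for dirpath, _dirs, files in os.walk(node_modules):
        parent = os.path.basename(os.path.dirname(dirpath))
        # keep only manifests sitting directly in a (plain or @scoped) package dir,
        # not e.g. a dist/package.json ESM marker inside a package
        if "package.json" not in files or not (parent == "node_modules" or parent.startswith("@")):
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
        lic = read_license(manifest)
        if manifest.get("name") and lic:
            found.setdefault(manifest["name"], set()).add(lic)
    return found


def licenses_missed(sbom_packages, local):
    """NOASSERTION entries whose installed manifest declares a license (the reported gap)."""
    return {p["name"]: sorted(local[p["name"]]) for p in sbom_packages
            if p.get("licenseDeclared") == "NOASSERTION" and p["name"] in local}


def demo():
    """Constructed fixture mirroring the reported tree; 'legacy-pkg' is hypothetical."""
    tree = {
        "@mdx-js/mdx": {"name": "@mdx-js/mdx", "license": "MIT"},
        "@mdx-js/mdx/node_modules/babel-plugin-apply-mdx-type-prop":
            {"name": "babel-plugin-apply-mdx-type-prop", "license": "MIT"},
        "trim": {"name": "trim"},  # no license field: NOASSERTION is correct here
        "legacy-pkg": {"name": "legacy-pkg", "license": {"type": "ISC"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        nm = os.path.join(tmp, "node_modules")
        for rel, manifest in tree.items():
            os.makedirs(os.path.join(nm, rel))
            with open(os.path.join(nm, rel, "package.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        sbom = [{"name": n, "licenseDeclared": "NOASSERTION"}
                for n in ("babel-plugin-apply-mdx-type-prop", "trim", "legacy-pkg")]
        return licenses_missed(sbom, collect_licenses(nm))
```

Against a real project, feed `collect_licenses("node_modules")` and the `packages` array of the SPDX JSON into `licenses_missed`; "trim" stays out because its manifest declares nothing, so NOASSERTION is the right answer there.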
@tgerla
Contributor

tgerla commented Jan 11, 2024

Hi @sasakiyuta84, thanks for the report and great reproduction steps and sorry it took a while to reply. We will take a closer look and see if we can tell what's going on here.

@tgerla tgerla moved this to Backlog in OSS Jan 11, 2024