Licenses not visible after SBOM upload #2226
Comments
Was able to reproduce it. It really is an issue with cyclonedx-core-java LicenceDeserializer (and maybe DT), which does not handle nodes like the following well:

{
  "licenses": [
    {
      "license": {
        "id": "GPL-2.0"
      }
    },
    {
      "expression": "GPL-2.0"
    }
  ]
}

The cyclonedx-core-java license deserializer should surely be fixed. I'm not sure about Dependency Track handling license expressions.
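The comment above points at a `licenses` array that mixes the two shapes CycloneDX allows: a `license` object carrying an SPDX `id` (or a free-text `name`) and a bare `expression` entry. The following is an added example, not code from cyclonedx-core-java or Dependency-Track: a small Python reader that walks a CycloneDX JSON BOM, normalizes every element of each component's `licenses` array into a `kind`/`value` pair, and reports unknown shapes instead of dropping the whole array, which is the failure mode the reporter saw (no licenses shown at all). It also flags components whose array mixes `license` and `expression` elements, the case that tripped the deserializer. The BOM embedded below is constructed for the example and is not the attached `bom.txt`; the function names are the example's own.

```python
import json

# Constructed sample BOM (not the issue's attachment). The first component
# mixes a `license` object with an `expression` entry exactly as in the
# comment above; the second uses a free-text `name`; the third has no licenses.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "example-lib",
            "version": "1.0.0",
            "licenses": [
                {"license": {"id": "GPL-2.0"}},
                {"expression": "GPL-2.0"},
            ],
        },
        {
            "type": "library",
            "name": "other-lib",
            "version": "2.3.1",
            "licenses": [
                {"license": {"name": "Custom Vendor License"}},
            ],
        },
        {"type": "library", "name": "no-license-lib", "version": "0.1.0"},
    ],
})


def license_choices(component):
    """Normalize one component's `licenses` array.

    Returns a list with one dict per array element: `kind` is "id", "name",
    "expression" or "unknown", and `value` is the corresponding string.
    Unknown shapes are kept as "unknown" rather than raised, so a single odd
    element cannot make every other license on the component disappear.
    """
    out = []
    for choice in component.get("licenses", []):
        if not isinstance(choice, dict):
            out.append({"kind": "unknown", "value": repr(choice)})
        elif "expression" in choice:
            out.append({"kind": "expression", "value": choice["expression"]})
        elif isinstance(choice.get("license"), dict):
            lic = choice["license"]
            if "id" in lic:
                out.append({"kind": "id", "value": lic["id"]})
            elif "name" in lic:
                out.append({"kind": "name", "value": lic["name"]})
            else:
                out.append({"kind": "unknown",
                            "value": json.dumps(lic, sort_keys=True)})
        else:
            out.append({"kind": "unknown",
                        "value": json.dumps(choice, sort_keys=True)})
    return out


def has_mixed_shapes(choices):
    """True when a normalized array contains both `expression` and
    `license`-object (id/name) entries, the shape the comment above describes."""
    kinds = {c["kind"] for c in choices}
    return "expression" in kinds and bool(kinds & {"id", "name"})


def licenses_by_component(bom_json):
    """Map "name@version" to the normalized license list for every component."""
    bom = json.loads(bom_json)
    result = {}
    for comp in bom.get("components", []):
        key = f'{comp.get("name")}@{comp.get("version")}'
        result[key] = license_choices(comp)
    return result


if __name__ == "__main__":
    for key, choices in licenses_by_component(SAMPLE_BOM).items():
        flag = " (mixed license/expression)" if has_mixed_shapes(choices) else ""
        print(f"{key}{flag}: {choices}")
```

Running the block prints each component with its normalized licenses and marks `example-lib@1.0.0` as mixed; the other two components still get their license (or an empty list) rather than being silently dropped.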
Yes, ideally it should. One of the early tickets that nobody has had a chance to work on yet. #170
OK, I'll try to work on it (deserializer part and DT handling of license expressions).
Hi! Great that you found this issue. I will try again when this is fixed. Thanks!
Encountered the same issue while uploading an SBOM generated by Aqua Trivy. The license info in the SBOM JSON is of the below format
Looking forward to a fix, would love to use trivy for the SBOM generation.
@syalioune Do you have any news about fixing this issue? I've tried a few tools for SBOM generation along with license info and have found trivy to be the best tool for my needs. Sadly, due to this bug I cannot use trivy-generated SBOM files in Dependency-Track for license management :(
I've verified things on the trivy side and have found issues there regarding invalidity of generated SBOM files according to the CycloneDX JSON schema. Here is the issue I've created for trivy: aquasecurity/trivy#4900
Current Behavior
If the attached SBOM is loaded into Dependency Track the licenses are not visible.
bom.txt
Steps to Reproduce
1. Load the file
2. Check the project and no licenses are shown
Expected Behavior
The licenses should be visible in the project for each component.
Dependency-Track Version
4.6.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Mozilla Firefox