feat(java): add license support for jar files

[DmitriyLewen]

Description

We can try to add licenses for jar files.

I have 2 ideas:

1. Some jar files contains LICENSE file inside. We can try to parse these files.
2. Also we can find license information from *.pom files and add it to trivy-java-db to use when parsing jars in Trivy.

[coheigea]

Hi @DmitriyLewen ,

For the first point, some jars have the LICENSE file in the root of the jar, and sometimes in the META-INF directory, so it would be good to check for both.

OSGi jars also contain a manifest META-INF/MANIFEST.MF with license information which could be checked, e.g:

Manifest-Version: 1.0
Automatic-Module-Name: org.apache.cxf.binding.xml
Bnd-LastModified: 1686069936379
Build-Jdk-Spec: 17
Bundle-ActivationPolicy: lazy
Bundle-Description: Apache CXF Runtime XML Binding
Bundle-DocURL: http://cxf.apache.org
Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt

[coheigea]

Any update on this - do you want any help with it?

[DmitriyLewen]

Hello @coheigea
We created #21 with changes for trivy-java-db.
If you want - you can take a look, perhaps you well see any problems/ideas.

[coheigea]

Thanks @DmitriyLewen - I am correct in thinking that the PR attempts to match the jar with a pom in Maven Central, and extracts the license from the pom if it's specified? It seems like a good approach, I'm happy to test it out once released.

[DmitriyLewen]

pom in Maven Central, and extracts the license from the pom if it's specified

You are right.

I'm happy to test it out once released.

it will be great!

[seth-priya]

We have been using trivy for generating the SBOM (and CVE) information for all the (several hundred) containers that we build and publish for the Linux on Power (ppc64le) platform and missing license information for JAR files is one of the common issues that we have run into several times and have had to make manual updates to address it. So, I am very interested in this as well and happy to test /help in any other way. @DmitriyLewen just checking, is there a plan to get the changes in any time soon or is there a lot of work still remaining? Thanks in advance!

[DmitriyLewen]

Hello @seth-priya
We have aquasecurity/trivy-java-db#21 to update trivy-java-db.
But we have other tasks and i can't tell you when we will be able to add these changes.

[gerrith3]

Hey @DmitriyLewen is there any update on this one? We run trivy pretty much daily and use the SBOM capabilities; having licenses for Jar files would be a huge win for us as well.

[DmitriyLewen]

Adding licenses to trivy-java-db is a big and time-consuming job. Unfortunately, we don't have time to finish it at the moment. 😞
You can check out the planned new functionality here - https://github.com/aquasecurity/trivy/milestones