Comments (4)
wagoodman
commented on June 14, 2024
2
There's also Classifier: License :: OSI Approved :: MIT License in the metadata.
I like that thought -- looks like there are two paths forward, where the canonical truth is the license file itself but we can also use the metadata as a shortcut (if it exists) when there is no license present.
from syft.
tgerla
commented on June 14, 2024
1
Hi @black-snow, thanks for your report. I've reproduced this issue and we'll do some more investigation and hopefully have an answer for you soon. Stay tuned!
from syft.
wagoodman
commented on June 14, 2024
This looks to be an enhancement request based off of what I'm seeing:
❯ docker run --rm -it python:3.10-slim-bookworm bash
root@bf7baffe51ed:/# find . | grep wheel | grep LICENSE
./usr/local/lib/python3.10/site-packages/wheel-0.42.0.dist-info/LICENSE.txt
root@bf7baffe51ed:/# cat ./usr/local/lib/python3.10/site-packages/wheel-0.42.0.dist-info/
INSTALLER LICENSE.txt METADATA RECORD REQUESTED WHEEL entry_points.txt
root@bf7baffe51ed:/# cat ./usr/local/lib/python3.10/site-packages/wheel-0.42.0.dist-info/METADATA
Metadata-Version: 2.1
Name: wheel
Version: 0.42.0
Summary: A built-package format for Python
Keywords: wheel,packaging
Author-email: Daniel Holth <[email protected]>
Maintainer-email: Alex Grönholm <[email protected]>
Requires-Python: >=3.7
Description-Content-Type: text/x-rst
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Topic :: System :: Archiving :: Packaging
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Requires-Dist: pytest >= 6.0.0 ; extra == "test"
Requires-Dist: setuptools >= 65 ; extra == "test"
Project-URL: Changelog, https://wheel.readthedocs.io/en/stable/news.html
Project-URL: Documentation, https://wheel.readthedocs.io/
Project-URL: Issue Tracker, https://github.com/pypa/wheel/issues
Project-URL: Source, https://github.com/pypa/wheel
Provides-Extra: test
wheel
=====
This library is the reference implementation of the Python wheel packaging
standard, as defined in `PEP 427`_.
It has two different roles:
#. A setuptools_ extension for building wheels that provides the
``bdist_wheel`` setuptools command
#. A command line tool for working with wheel files
It should be noted that wheel is **not** intended to be used as a library, and
as such there is no stable, public API.
.. _PEP 427: https://www.python.org/dev/peps/pep-0427/
.. _setuptools: https://pypi.org/project/setuptools/
Documentation
-------------
The documentation_ can be found on Read The Docs.
.. _documentation: https://wheel.readthedocs.io/
Code of Conduct
---------------
Everyone interacting in the wheel project's codebases, issue trackers, chat
rooms, and mailing lists is expected to follow the `PSF Code of Conduct`_.
.. _PSF Code of Conduct: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
root@bf7baffe51ed:/# cat ./usr/local/lib/python3.10/site-packages/wheel-0.42.0.dist-info/RECORD
../../../bin/wheel,sha256=hwKLi6v0PxFQWIn45e52s2IxgDsqNe19uE49Oi6uF-8,213
wheel-0.42.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
wheel-0.42.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107
wheel-0.42.0.dist-info/METADATA,sha256=QMZYvPF88F2lBnZ9cf7-ugqmkGDUN8j3FUvNHikLhck,2203
wheel-0.42.0.dist-info/RECORD,,
wheel-0.42.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
wheel-0.42.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81
wheel-0.42.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104
wheel/__init__.py,sha256=c5n4mea4NyUhMCk8GWbX4_O739E5ATPX23lTJRXf9ZI,59
wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455
wheel/_setuptools_logging.py,sha256=NoCnjJ4DFEZ45Eo-2BdXLsWJCwGkait1tp_17paleVw,746
wheel/bdist_wheel.py,sha256=Hrol9LUphvfapYo6Ro4RHhypq8iLew6jpp8NXd_CFw4,20943
wheel/cli/__init__.py,sha256=eBNhnPwWTtdKAJHy77lvz7gOQ5Eu3GavGugXxhSsn-U,4264
wheel/cli/convert.py,sha256=qJcpYGKqdfw1P6BelgN1Hn_suNgM6bvyEWFlZeuSWx0,9439
wheel/cli/pack.py,sha256=H6BZ8HyIYqP_2quRiczjHN08dykmdWTSLN0VMTYkzh8,3110
wheel/cli/tags.py,sha256=lHw-LaWrkS5Jy_qWcw-6pSjeNM6yAjDnqKI3E5JTTCU,4760
wheel/cli/unpack.py,sha256=Y_J7ynxPSoFFTT7H0fMgbBlVErwyDGcObgme5MBuz58,1021
wheel/macosx_libfile.py,sha256=mKH4GW3FILt0jLgm5LPgj7D5XyEvBU2Fgc-jCxMfSng,16143
wheel/metadata.py,sha256=jGDlp6IMblnujK4u1eni8VAdn2WYycSdQ-P6jaGBUMw,5882
wheel/util.py,sha256=e0jpnsbbM9QhaaMSyap-_ZgUxcxwpyLDk6RHcrduPLg,621
wheel/vendored/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
wheel/vendored/packaging/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
wheel/vendored/packaging/_elffile.py,sha256=hbmK8OD6Z7fY6hwinHEUcD1by7czkGiNYu7ShnFEk2k,3266
wheel/vendored/packaging/_manylinux.py,sha256=Rq6ppXAxH8XFtNf6tC-B-1SKuvCODPBvcCoSulMtbtk,9526
wheel/vendored/packaging/_musllinux.py,sha256=kgmBGLFybpy8609-KTvzmt2zChCPWYvhp5BWP4JX7dE,2676
wheel/vendored/packaging/_parser.py,sha256=5DhK_zYJE4U4yzSkgEBT4F7tT2xZ6Pkx4gSRKyvXneQ,10382
wheel/vendored/packaging/_structures.py,sha256=q3eVNmbWJGG_S0Dit_S3Ao8qQqz_5PYTXFAKBZe5yr4,1431
wheel/vendored/packaging/_tokenizer.py,sha256=alCtbwXhOFAmFGZ6BQ-wCTSFoRAJ2z-ysIf7__MTJ_k,5292
wheel/vendored/packaging/markers.py,sha256=eH-txS2zq1HdNpTd9LcZUcVIwewAiNU0grmq5wjKnOk,8208
wheel/vendored/packaging/requirements.py,sha256=wswG4mXHSgE9w4NjNnlSvgLGo6yYvfHVEFnWhuEmXxg,2952
wheel/vendored/packaging/specifiers.py,sha256=ZOpqL_w_Kj6ZF_OWdliQUzhEyHlDbi6989kr-sF5GHs,39206
wheel/vendored/packaging/tags.py,sha256=pkG6gQ28RlhS09VzymVhVpGrWF5doHXfK1VxG9cdhoY,18355
wheel/vendored/packaging/utils.py,sha256=XgdmP3yx9-wQEFjO7OvMj9RjEf5JlR5HFFR69v7SQ9E,5268
wheel/vendored/packaging/version.py,sha256=XjRBLNK17UMDgLeP8UHnqwiY3TdSi03xFQURtec211A,16236
wheel/vendored/vendor.txt,sha256=nMQ1MrIbjx7YcPQqZbwUPHLy08Q1lMPPL90HWSrazw0,16
wheel/wheelfile.py,sha256=A5QzHd3cpDBqDEr8O6R6jqwLKiqkLlde6VjfgdQXo5Q,7701
Note that though there is a record of LICENSE.txt, but there is not License field in the metadata.
The enhancement here is to be able to look at the owned files for this package (from RECORDS) and look for license like files and classify the contents.
from syft.
black-snow
commented on June 14, 2024
Might be - I have no idea what syft currently looks at. There's also Classifier: License :: OSI Approved :: MIT License in the metadata.
from syft.
Related Issues (20)
- Syft reports some fw* packages, which are nowhere to find HOT 4
- Add support for dnf packages HOT 1
- Support Swift Package Manager Package.resolved schema version 3 HOT 2
- Catalog TiDB binary
- Redis not listed in the artifact lists of the bitnami/redis image HOT 2
- License not pickedup for binaries like java (openjdk), node (nodejs) HOT 4
- Ignore Go compiler affecting CVE when Docker image only contains a binary compiled with Go HOT 2
- Pom parser not resolving all dependency versions
- SBOM is generated with empty name HOT 4
- components inside tar.gz / tgz not picked up HOT 2
- Golang: Search remote licenses not working in a CI pipeline when scanning Docker image HOT 5
- Clearly document the fact that CPE strings could be made up HOT 1
- Recognition of files in a folder works inconsistently between Linux distributions. HOT 1
- New version 1.3.0 leads to "too many open files" while scanning bigger images HOT 1
- Add `bun-lock-cataloger` & `bun-binary-cataloger` catalogers HOT 1
- Improve linting for `defer Close` type issues HOT 2
- Binary copied to image omitted from SBOM HOT 4
- Relationships / Dependencies are present in Syft json and SPDX json files but not in Cyclonedx json file format HOT 3
- Not all the packages are getting imported in Blackduck scanner HOT 5
- Scanning a git repository folder present in /tmp produce an empty sbom HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from syft.