Scanning a repository does not pick up any licenses

[danielpomfjuk]

Description

When trying to scan a public repository https://github.com/prometheus/node_exporter, trivy does not include any licenses in the resulting SBOM file

# trivy version
builduser@LAPTOP-1SGEE6KN:~$ trivy -v
Version: 0.59.1

# generating the sbom
builduser@LAPTOP-1SGEE6KN:~$ trivy repository https://github.com/prometheus/node_exporter --format spdx-json --license-full --scanners license -o /sboms-2/test.spdx.json
2025-02-07T16:56:09Z    INFO    [license] Full license scanning is enabled
Enumerating objects: 7581, done.
Counting objects: 100% (7581/7581), done.
Compressing objects: 100% (3924/3924), done.
Total 7581 (delta 4145), reused 6333 (delta 3149), pack-reused 0 (from 0)
2025-02-07T16:56:11Z    INFO    Number of language-specific files       num=1

# checking for licenses
builduser@LAPTOP-1SGEE6KN:~$ cat /sboms-2/test.spdx.json | grep license -i
  "dataLicense": "CC0-1.0",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
....

The repo contains LICENSE in its root and that file contains Apache-2 License , which isn't mentioned anywhere in the output file

Desired Behavior

Running trivy against a repository with LICENSE file includes the license from that file in the resulting SBOM

Actual Behavior

Running trivy against a repository with LICENSE file ignores the license of the repository

Reproduction Steps

1.trivy repository https://github.com/prometheus/node_exporter --format spdx-json --license-full --scanners license -o /sboms-2/test.spdx.json
2.cat /sboms-2/test.spdx.json | grep license -i

Target

Git Repository

Scanner

License

Output Format

SPDX

Mode

None

Debug Output

builduser@LAPTOP-1SGEE6KN:~$ trivy repository https://github.com/prometheus/node_exporter --format spdx-json --license-full --scanners license -o /sboms-2/test.spdx.json --debug
2025-02-07T16:56:09Z    DEBUG   No plugins loaded
2025-02-07T16:56:09Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-07T16:56:09Z    DEBUG   Cache dir       dir="/home/builduser/.cache/trivy"
2025-02-07T16:56:09Z    DEBUG   Cache dir       dir="/home/builduser/.cache/trivy"
2025-02-07T16:56:09Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-07T16:56:09Z    DEBUG   Ignore statuses statuses=[]
2025-02-07T16:56:09Z    DEBUG   [pkg] Package types     types=[library]
2025-02-07T16:56:09Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-02-07T16:56:09Z    INFO    [license] Full license scanning is enabled
2025-02-07T16:56:09Z    DEBUG   Initializing scan cache...      type="fs"
Enumerating objects: 7581, done.
Counting objects: 100% (7581/7581), done.
Compressing objects: 100% (3924/3924), done.
Total 7581 (delta 4145), reused 6333 (delta 3149), pack-reused 0 (from 0)
2025-02-07T16:56:11Z    DEBUG   [repo] Analyzing...     root="/tmp/trivy-remote-repo30190174" original="https://github.com/prometheus/node_exporter"
2025-02-07T16:56:11Z    DEBUG   [repo] Using the latest commit hash for calculating cache key   commit_hash="5340ad60c08b6d42e8231b7e140bbd04f4e0eea4"
2025-02-07T16:56:11Z    DEBUG   [repo] Cache hit        key="sha256:3763eb6fcbbb68a1da593ca258ce64de4f8c703daf4f64a3e077a80f6d028c97"
2025-02-07T16:56:11Z    DEBUG   OS is not detected.
2025-02-07T16:56:11Z    INFO    Number of language-specific files       num=1
2025-02-07T16:56:11Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-02-07T16:56:11Z    DEBUG   [vex] VEX filtering is disabled

Operating System

Linux, Ubuntu 20.04

Version

0.59.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[danielpomfjuk]

seems like this might be related #7993
Just ran without format flag and it seems to have picked up the license

builduser@LAPTOP-1SGEE6KN:~$ trivy repository https://github.com/prometheus/node_exporter  --license-full --scanners license
2025-02-07T17:14:04Z    INFO    [license] Full license scanning is enabled
Enumerating objects: 7581, done.
Counting objects: 100% (7581/7581), done.
Compressing objects: 100% (3924/3924), done.
Total 7581 (delta 4145), reused 6333 (delta 3149), pack-reused 0 (from 0)

Loose File License(s) (license)

Total: 5 (UNKNOWN: 0, LOW: 5, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌────────────────┬──────────┬────────────┬─────────────────────────────┐
│ Classification │ Severity │  License   │        File Location        │
├────────────────┼──────────┼────────────┼─────────────────────────────┤
│ Notice         │ LOW      │ Apache-2.0 │ LICENSE                     │
│                │          │            ├─────────────────────────────┤
│                │          │            │ collector/devstat_freebsd.c │
│                │          │            ├─────────────────────────────┤
│                │          │            │ collector/devstat_freebsd.h │
│                │          │            ├─────────────────────────────┤
│                │          │            │ collector/kvm_bsd.c         │
│                │          │            ├─────────────────────────────┤
│                │          │            │ collector/kvm_bsd.h         │
└────────────────┴──────────┴────────────┴─────────────────────────────┘

[DmitriyLewen]

Hello @danielpomfjuk
To see licenses for go.mod file - you need to run go mod tidy - https://trivy.dev/latest/docs/coverage/language/golang/#license
After that Trivy will able to find license without --license-full flag:

FROM golang:1.22-alpine

RUN apk add git curl

RUN git clone https://github.com/prometheus/node_exporter && cd ./node_exporter && go mod tidy

RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.59.1 

ENTRYPOINT ["trivy"]

➜  8375 docker run -it --rm 8375 -d fs --scanners license -f spdx-json . | grep licenseConcluded | sort | uniq
      "licenseConcluded": "Apache-2.0 AND BSD-3-Clause AND MIT",
      "licenseConcluded": "Apache-2.0 AND MIT",
      "licenseConcluded": "Apache-2.0",
      "licenseConcluded": "BSD-2-Clause AND BSD-3-Clause",
      "licenseConcluded": "BSD-2-Clause",
      "licenseConcluded": "BSD-3-Clause",
      "licenseConcluded": "ISC",
      "licenseConcluded": "MIT",
      "licenseConcluded": "MPL-2.0",
      "licenseConcluded": "NOASSERTION",

Regards, Dmitriy