SPDX: Invalid license identifiers

[klasvo]

Description

Hi, I noticed that the SPDX output of Trivy does not adhere to the specification. It includes license identifiers that are not on the SPDX license list.
For example, I scanned the image registry.access.redhat.com/ubi9/ubi-minimal:9.4 and for package audit-libs the license is listed as LGPLv2 which is not a valid license for SPDX. It should be LGPL-2.0-or-later, I guess.

I found issue #3267 that was closed/resolved in Mar 2023 that should have fixed it. But maybe there was a regression.

The complete list of invalid licenses in the SBOM of the scan is as follows:

ASL-2.0
Boost
GFDL
Inner-Net
LGPLv2
LGPLv3
pubkey

Cheers
Volker

Desired Behavior

The SBOM contains valid license references:

      "sourceInfo": "built package from: audit 3.1.2-2.el9",
      "licenseConcluded": "LGPL-2.0-or-later",
      "licenseDeclared": "LGPL-2.0-or-later",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/redhat/[email protected]?arch=x86_64\u0026distro=redhat-9.4"
        }
      ],

Actual Behavior

The SBOM contains invalid license references:

      "sourceInfo": "built package from: audit 3.1.2-2.el9",
      "licenseConcluded": "LGPLv2+",
      "licenseDeclared": "LGPLv2+",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:rpm/redhat/[email protected]?arch=x86_64\u0026distro=redhat-9.4"
        }
      ],

Reproduction Steps

1. Scan image `registry.access.redhat.com/ubi9/ubi-minimal:9.4` with `--format spdx-json`
2. Look a the result and check for licenses not listed in the specs

Target

Container Image

Scanner

License

Output Format

SPDX

Mode

Standalone

Debug Output

+ trivy image --db-repository aquasecurity/trivy-db --checks-bundle-repository aquasecurity/trivy-checks:0 --java-db-repository aquasecurity/trivy-java-db:1 --scanners vuln,secret,license --image-config-scanners misconfig,secret ubi9/ubi-minimal:9.4 --debug --format spdx-json -o trivy-release-image.spdx.json
2024-08-21T10:50:01Z	DEBUG	Cache dir	dir="/usr/local/workdir/.cache/trivy"
2024-08-21T10:50:01Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="aquasecurity/trivy-db:2"
2024-08-21T10:50:01Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-21T10:50:01Z	DEBUG	Ignore statuses	statuses=[]
2024-08-21T10:50:01Z	DEBUG	There is no valid metadata file	err="unable to open a file: open /usr/local/workdir/.cache/trivy/db/metadata.json: no such file or directory"
2024-08-21T10:50:01Z	INFO	[db] Need to update DB
2024-08-21T10:50:01Z	INFO	[db] Downloading DB...	repository="aquasecurity/trivy-db:2"
2024-08-21T10:50:01Z	DEBUG	No metadata file
37.59 MiB / 51.71 MiB [-------------------------------------------->________________] 72.70% ? p/s ?51.71 MiB / 51.71 MiB [----------------------------------------------------------->] 100.00% ? p/s ?51.71 MiB / 51.71 MiB [----------------------------------------------------------->] 100.00% ? p/s ?51.71 MiB / 51.71 MiB [---------------------------------------------->] 100.00% 23.50 MiB p/s ETA 0s51.71 MiB / 51.71 MiB [---------------------------------------------->] 100.00% 23.50 MiB p/s ETA 0s51.71 MiB / 51.71 MiB [---------------------------------------------->] 100.00% 23.50 MiB p/s ETA 0s51.71 MiB / 51.71 MiB [---------------------------------------------->] 100.00% 21.98 MiB p/s ETA 0s51.71 MiB / 51.71 MiB [---------------------------------------------->] 100.00% 21.98 MiB p/s ETA 0s51.71 MiB / 51.71 MiB [-------------------------------------------------] 100.00% 36.02 MiB p/s 1.6s2024-08-21T10:50:10Z	DEBUG	Updating database metadata...
2024-08-21T10:50:10Z	DEBUG	DB info	schema=2 updated_at=2024-08-21T00:22:42.519232484Z next_update=2024-08-21T06:22:42.519231913Z downloaded_at=2024-08-21T10:50:10.460871845Z
2024-08-21T10:50:10Z	INFO	[image] Container image config scanners	scanners=[misconfig secret]
2024-08-21T10:50:10Z	DEBUG	[pkg] Package types	types=[os library]
2024-08-21T10:50:10Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-08-21T10:50:10Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-21T10:50:10Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-21T10:50:10Z	DEBUG	Failed to open the check metadata	err="open /usr/local/workdir/.cache/trivy/policy/metadata.json: no such file or directory"
2024-08-21T10:50:10Z	INFO	Need to update the built-in policies
2024-08-21T10:50:10Z	INFO	Downloading the built-in policies...
2024-08-21T10:50:10Z	DEBUG	Loading check bundle	repository="aquasecurity/trivy-checks:0"
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-21T10:50:17Z	DEBUG	Digest of the built-in policies	digest="sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3"
2024-08-21T10:50:17Z	DEBUG	[misconfig] Policies successfully loaded from disk
2024-08-21T10:50:17Z	INFO	[secret] Secret scanning is enabled
2024-08-21T10:50:17Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-21T10:50:17Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-21T10:50:17Z	INFO	[license] License scanning is enabled
2024-08-21T10:50:17Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-21T10:50:17Z	DEBUG	Initializing scan cache...	type="fs"
2024-08-21T10:50:23Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-08-21T10:50:23Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-08-21T10:50:25Z	DEBUG	[image] Detected image ID	image_id="sha256:9e74a726167b225b2c3d295684801426149133510ce1a75cee354b408f8f4973"
2024-08-21T10:50:25Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:6aa7c734bdf18d74c9aacd71a0fca1c93346879de7b5f743bbb7e4979777b401]
2024-08-21T10:50:25Z	DEBUG	[image] Detected base layers	diff_ids=[]
2024-08-21T10:50:25Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:9e74a726167b225b2c3d295684801426149133510ce1a75cee354b408f8f4973"
2024-08-21T10:50:25Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:6aa7c734bdf18d74c9aacd71a0fca1c93346879de7b5f743bbb7e4979777b401"
2024-08-21T10:50:28Z	DEBUG	Scanning files for misconfigurations...	scanner="Dockerfile"
2024-08-21T10:50:28Z	DEBUG	[misconf] 50:28.758055526 dockerfile.scanner.rego          Overriding filesystem for checks!
2024-08-21T10:50:28Z	DEBUG	[misconf] 50:28.759222016 dockerfile.scanner.rego          Loaded 3 embedded libraries.
2024-08-21T10:50:28Z	DEBUG	[misconf] 50:28.821699279 dockerfile.scanner.rego          Loaded 192 embedded policies.
2024-08-21T10:50:28Z	DEBUG	[misconf] 50:28.891301238 dockerfile.scanner.rego          Loaded 195 checks from disk.
2024-08-21T10:50:28Z	DEBUG	[misconf] 50:28.891841337 dockerfile.scanner.rego          Overriding filesystem for data!
2024-08-21T10:50:29Z	DEBUG	[misconf] 50:29.280809884 dockerfile.scanner.rego          Scanning 1 inputs...
2024-08-21T10:50:29Z	DEBUG	No secrets found in container image config
2024-08-21T10:50:29Z	INFO	Detected OS	family="redhat" version="9.4"
2024-08-21T10:50:29Z	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="9" pkg_num=104
2024-08-21T10:50:29Z	INFO	Number of language-specific files	num=0
2024-08-21T10:50:29Z	INFO	Detected config files	num=1
2024-08-21T10:50:29Z	DEBUG	Scanned config file	file_path="ubi9/ubi-minimal:9.4"
2024-08-21T10:50:29Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.54/docs/scanner/vulnerability#severity-selection for details.
2024-08-21T10:50:29Z	DEBUG	[vex] VEX filtering is disabled

Operating System

Kubernetes

Version

Version: 0.54.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @klasvo
Thanks for your report!

Unfortunately, rpm packages don't always use the SPDX format for licenses.
There is #7131 which should solve your problem.

Regards, Dmitriy

[DmitriyLewen]

Close this as duplicate of #7189

[klasvo]

Hello @DmitriyLewen,

I tested the changes in #7131, however, there are still invalid licenses in the SPDX json:

Public-Domain
Inner-Net
pubkey

According to the SPDX specification, unknown licenses have to be defined:
https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/#101-license-identifier-field
I found an example of how it looks like (key hasExtractedLicensingInfos).

Cheers
Volker

[DmitriyLewen]

hm... You are right.
Thanks for information!
Created #7423