Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get licenses for NuGet packages #1227

Open
fg-j opened this issue Sep 23, 2022 · 7 comments · May be fixed by #3329
Open

Get licenses for NuGet packages #1227

fg-j opened this issue Sep 23, 2022 · 7 comments · May be fixed by #3329
Labels
enhancement New feature or request good-first-issue Good for newcomers

Comments

@fg-j
Copy link
Contributor

fg-j commented Sep 23, 2022

What would you like to be added:
#726 brought initial support for generating SBOMs for NuGet packages 🎉 . One significant gap in the metadata in those SBOMs is license information. It'd be awesome if licenses for NuGet packages were included.

Why is this needed:
License information is a key value proposition for compliance-minded users who are building .NET apps with NuGet dependencies.

Additional context:

The file that project.assets.json that Syft scans for SBOM info doesn't include license information, but I wonder if it's possible to get it from somewhere else.

Here's a snippet of a SPDX SBOM generated with syft for a NuGet package:

...
  {
   "SPDXID": "SPDXRef-99c6488b6206ecc1",
   "downloadLocation": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceLocator": "cpe:2.3:a:Humanizer:Humanizer:2.14.1:*:*:*:*:*:*:*",
     "referenceType": "cpe23Type"
    },
    {
     "referenceCategory": "PACKAGE_MANAGER",
     "referenceLocator": "pkg:dotnet/[email protected]",
     "referenceType": "purl"
    }
   ],
   "filesAnalyzed": false,
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "name": "Humanizer",
   "sourceInfo": "acquired package info from dotnet project assets file: NugetBenchmarking.deps.json",
   "versionInfo": "2.14.1"
  },
...

the corresponding NuGet package, Humanizer.Core uses the MIT license.
@fg-j fg-j added the enhancement New feature or request label Sep 23, 2022
@spiffcs spiffcs added the good-first-issue Good for newcomers label Sep 30, 2022
@spiffcs spiffcs added this to OSS Sep 30, 2022
@spiffcs
Copy link
Contributor

spiffcs commented Sep 30, 2022

Thanks so much for the issue @fg-j!

I also added the good first issue label since the write-up you did was so good.

If we have the bandwidth in the coming week/s we'll try and get this in, but also anyone who comes across this issue consider this fair game to attempt as a contribution.

Feel free to tag me in a draft PR if you do and I can always help with testing or cleanup!

@kzantow kzantow moved this to Parking Lot (Comments or Progress) in OSS Oct 6, 2022
@vanthome
Copy link

vanthome commented Jan 6, 2023

I have the exact same issue but with Rust Crates. Here is an example output of the Toml files:

[package]
edition = "2018"
name = "actix-server"
version = "2.1.1"
authors = ["Nikolay Kim <[email protected]>", "fakeshadow <[email protected]>", "Rob Ede <[email protected]>", "Ali MJ Al-Nasrawy <[email protected]>"]
description = "General purpose TCP server built for the Actix ecosystem"
homepage = "https://actix.rs"
keywords = ["network", "tcp", "server", "framework", "async"]
categories = ["network-programming", "asynchronous"]
license = "MIT OR Apache-2.0"

They do include the license. Is it planned to also output them for Rust packages?

@tgerla tgerla removed the status in OSS Aug 31, 2023
@tgerla tgerla moved this to Backlog in OSS Aug 31, 2023
@jeremytbrun
Copy link

Really interested in seeing license info added for NuGet packages as well. Our organization is evaluating syft to integrate into our CI/CD processes to generate SBOM's that can be imported into Dependency-Track for analysis. Having this license data for NuGet packages would be 😎👌

@kzantow kzantow mentioned this issue May 9, 2024
Open
44 tasks
@HeyeOpenSource
Copy link
Contributor

HeyeOpenSource commented Oct 1, 2024
edited
Loading

I'll give it a shot, if I may...
https://github.com/HeyeOpenSource/syft

This was referenced Oct 14, 2024
Closed
Open
@timg83
Copy link

timg83 commented Jan 2, 2025

I'd like to know when @HeyeOpenSource's PR will be merged. It seems latest comment was 2nd of november. We are eagerly awaiting this in Syft. For now we'll fallback on dotnet cyclonedx. But I'd rather like Syft. Thanks!

@kzantow
Copy link
Contributor

kzantow commented Jan 2, 2025

The only thing holding up getting the PR merged is that it requires shelling out to the dotnet CLI. If there was a way to implement this without requiring shelling out here, it would probably be much closer to getting merged, but it sounds like it's difficult to get the same information by just reading files on the filesystem.

Before we can merge this, we need to agree as a team how to identify and enable/disable enrichment that requires certain binaries to be available, we have avoided shelling out to tools intentionally to this point (with one notable exception of cosign that has a lot of history I won't get into).

@timg83
Copy link

timg83 commented Jan 3, 2025
edited
Loading

Thank you for the explanation @kzantow.

NuGet config can be available on 3 locations:

Project-specific nuget.config: A nuget.config file located in the current directory or any parent directory of the project.
User-specific configuration: This is typically located in the user's profile directory (e.g., ~/.nuget/NuGet/NuGet.Config on Linux/Mac or %AppData%\NuGet\NuGet.Config on Windows).
Global configuration: Located in the .nuget folder or as configured during the installation of NuGet tooling.

There you should be able to get the sources of the nuget packages in XML format without the use of the dotnet cli.

I'm no go developer so for me it would be difficult to add this to Syft unfortunately, else I would be glad to do it! I hope someone else is more capable than me to do this.

Thanks for the work in Syft though!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good-first-issue Good for newcomers
Projects
OSS
Status: Backlog
Milestone
No milestone
7 participants
@timg83 @kzantow @vanthome @fg-j @jeremytbrun @spiffcs @HeyeOpenSource