No licenses extracted for node project (0.50.4)

[black-snow]

Description

I run

trivy fs --scanners license --license-full --format=cyclonedx . > sbom

on a node project but it fails to even extract a single license information. This used to work before. Trivy notifies me, that it requires a package-lock.json as well as the node_modules installed but both is the case. Tried it on several projects and with the project root (.) or pointing at the package-lock.json directly.

Skipping directory: node_modules

In the debug output seems a bit unexpected.

Desired Behavior

cyclonedx SBOM should contain extracted / detected license information

Actual Behavior

no license information

Reproduction Steps

1. pick a random node project
2. `trivy fs --scanners license --license-full --format=cyclonedx . > sbom`
3. `grep license sbom` with 0 hits

Target

Filesystem

Scanner

License

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-05-03T15:30:22.936+0200	INFO	Loaded trivy.yaml
2024-05-03T15:30:22.937+0200	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-05-03T15:30:22.937+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-05-03T15:30:22.937+0200	DEBUG	Ignore statuses	{"statuses": null}
2024-05-03T15:30:22.945+0200	DEBUG	cache dir:  /Users/xxx/Library/Caches/trivy
2024-05-03T15:30:22.945+0200	INFO	Full license scanning is enabled
2024-05-03T15:30:22.945+0200	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-03T15:30:22.945+0200	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-05-03T15:30:22.945+0200	DEBUG	Walk the file tree rooted at '.' in parallel
2024-05-03T15:30:22.945+0200	DEBUG	Skipping directory: node_modules
2024-05-03T15:30:22.946+0200	DEBUG	License scanning: README.md
2024-05-03T15:30:22.946+0200	DEBUG	Loading the default license classifier...
2024-05-03T15:30:22.946+0200	DEBUG	License scanning: ...files
...
024-05-03T15:30:25.008+0200	INFO	To collect the license information of packages in "package-lock.json", "npm install" needs to be performed beforehand
2024-05-03T15:30:25.049+0200	DEBUG	OS is not detected.
2024-05-03T15:30:25.049+0200	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-05-03T15:30:25.053+0200	DEBUG	Found an ignore file: .trivyignore

Operating System

macOS

Version

0.50.4

Checklist

• Run trivy image --reset
• Read the troubleshooting

[black-snow]

--license-confidence-level=0.1 didn't help either.

Here are some of the dependencies:

 "dependencies": {
    "@angular/animations": "~16.2.10",
    "@angular/cdk": "~16.2.9",
    "@angular/common": "~16.2.10",
    "@angular/compiler": "~16.2.10",
    "@angular/core": "~16.2.10",
    "@angular/forms": "~16.2.10",
    "@angular/localize": "~16.2.10",
    "@angular/platform-browser": "~16.2.10",
    "@angular/platform-browser-dynamic": "~16.2.10",
    "@angular/router": "~16.2.10",
    "@ngneat/transloco": "^4.2.6",
    "@ngneat/transloco-locale": "^4.0.0",
    "@ngneat/transloco-messageformat": "^4.1.0",
    "@ngneat/until-destroy": "^10.0.0",
    "@popperjs/core": "^2.11.6",
    "@sentry/angular-ivy": "^7.108.0",
    "bootstrap": "^5.3.2",
    "dayjs": "^1.11.8",
    "rxjs": "^7.8.1",
    "tslib": "^2.5.0",
    "zone.js": "~0.13.0"
}

And cat node_modules/dayjs/LICENSE :

MIT License

Copyright (c) 2018-present, iamkun

Permission is hereby granted...

[DmitriyLewen]

Hello @black-snow
Thanks for your report!

I can't reproduce your error:

➜ trivy -v
Version: 0.50.4
...

➜ npm -y init  
Wrote to /Users/work/work/temp/6623/package.json:

{
  "name": "6623",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


➜ npm add dayjs

added 1 package, and audited 2 packages in 704ms

found 0 vulnerabilities

➜ trivy fs --scanners license --license-full --format=cyclonedx . > sbom
2024-05-06T12:23:22.127+0600	INFO	Full license scanning is enabled

➜ grep '"license"' sbom -A 2
          "license": {
            "name": "MIT"
          }

Can you post more information or is it better to create a test image with a reproducible error?

Regards, Dmitriy

[DmitriyLewen]

By the way, you don't need use --license-full flag, because Trivy takes licenses from node_modules/*/package.json files.

[black-snow]

Well, seems to be fine with 0.51.1 again, so nvm.

Thanks for looking into this @DmitriyLewen!
So results won't improve by using --license-full? What about Python projects?

[DmitriyLewen]

We skip scanning the LICENSE files from node_modules because searching for licenses in package.json files is faster and less resource intensive than using a license Classifier.

Same for some other dirs.