No licenses extracted for node project (0.50.4) #6623
black-snow
started this conversation in
Bugs
Here are some of the dependencies:

```json
"dependencies": {
  "@angular/animations": "~16.2.10",
  "@angular/cdk": "~16.2.9",
  "@angular/common": "~16.2.10",
  "@angular/compiler": "~16.2.10",
  "@angular/core": "~16.2.10",
  "@angular/forms": "~16.2.10",
  "@angular/localize": "~16.2.10",
  "@angular/platform-browser": "~16.2.10",
  "@angular/platform-browser-dynamic": "~16.2.10",
  "@angular/router": "~16.2.10",
  "@ngneat/transloco": "^4.2.6",
  "@ngneat/transloco-locale": "^4.0.0",
  "@ngneat/transloco-messageformat": "^4.1.0",
  "@ngneat/until-destroy": "^10.0.0",
  "@popperjs/core": "^2.11.6",
  "@sentry/angular-ivy": "^7.108.0",
  "bootstrap": "^5.3.2",
  "dayjs": "^1.11.8",
  "rxjs": "^7.8.1",
  "tslib": "^2.5.0",
  "zone.js": "~0.13.0"
}
```

And
Hello @black-snow

I can't reproduce your error:

```
➜ trivy -v
Version: 0.50.4
...
➜ npm -y init
Wrote to /Users/work/work/temp/6623/package.json:
{
  "name": "6623",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}
➜ npm add dayjs
added 1 package, and audited 2 packages in 704ms
found 0 vulnerabilities
➜ trivy fs --scanners license --license-full --format=cyclonedx . > sbom
2024-05-06T12:23:22.127+0600 INFO Full license scanning is enabled
➜ grep '"license"' sbom -A 2
"license": {
  "name": "MIT"
}
```

Can you post more information or is it better to create a test image with a reproducible error?

Regards, Dmitriy
Description
I run
on a node project but it fails to even extract a single license information. This used to work before. Trivy notifies me, that it requires a `package-lock.json` as well as the `node_modules` installed but both is the case. Tried it on several projects and with the project root (`.`) or pointing at the `package-lock.json` directly.

In the debug output seems a bit unexpected.
Desired Behavior
cyclonedx SBOM should contain extracted / detected license information
Actual Behavior
no license information
Reproduction Steps
Target
Filesystem
Scanner
License
Output Format
CycloneDX
Mode
Standalone
Debug Output
Operating System
macOS
Version
Checklist
trivy image --reset
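Added example, not part of the original discussion or of Trivy's code: a stricter form of the `grep '"license"' sbom` check from the reply, listing which components in a CycloneDX JSON SBOM carry no license entry so a CI job can fail when license extraction silently returns nothing. The sample SBOM, the hypothetical `pkg-*` component names and the function names are constructed for illustration.

```python
import json

# Constructed sample CycloneDX document (not Trivy output from this thread).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "dayjs", "version": "1.11.8",
         "licenses": [{"license": {"name": "MIT"}}]},
        {"name": "pkg-expression", "version": "1.0.0",
         "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
        {"name": "pkg-without-licenses", "version": "1.0.0",
         "components": [{"name": "pkg-empty-licenses", "version": "1.0.0",
                         "licenses": []}]},
    ],
})

def iter_components(node):
    """Yield every component, descending into nested `components` arrays."""
    for comp in node.get("components") or []:
        yield comp
        yield from iter_components(comp)

def license_names(component):
    """Collect SPDX ids, free-text names and expressions of one component."""
    names = []
    for entry in component.get("licenses") or []:
        lic = entry.get("license") or {}
        value = lic.get("id") or lic.get("name") or entry.get("expression")
        if value:
            names.append(value)
    return names

def license_report(sbom_text):
    """Split components into those with and without license information."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    report = {"licensed": {}, "unlicensed": []}
    for comp in iter_components(bom):
        ref = f'{comp.get("name")}@{comp.get("version")}'
        names = license_names(comp)
        if names:
            report["licensed"][ref] = names
        else:
            report["unlicensed"].append(ref)
    return report

if __name__ == "__main__":
    result = license_report(SAMPLE_SBOM)
    print(json.dumps(result, indent=2))
    raise SystemExit(1 if result["unlicensed"] else 0)
```

To check a real scan, pass the contents of the generated `sbom` file to `license_report` instead of `SAMPLE_SBOM`.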