I noticed that Syft does not report a license for a Maven project if the license is contained in the parent pom instead. This is a pretty common thing in a lot of open-source projects, to have a single parent pom.xml which defines common things (including license information), and then each module in the project inherits this pom.
For example, here are two examples of projects for which Syft does not detect the license, even though it's defined in both cases in the parent pom:
Please consider this feature request, because as it stands Syft does not report any license for quite a few Maven projects due to this issue. Maybe it could be configurable via a feature flag (detect transitive licenses). To prevent infinite loops or denial of service type of attacks, it should only walk up to 2/3 parent poms.
Note that using mvn help:effective-pom -f httpclient-4.5.13.pom does show the correct license.
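A sketch of the bounded parent walk the request describes, written here in Go as an added example (it is not Syft's code). The in-memory repo map and the four sample poms are constructed for the example; a real resolver would look parents up in the local Maven repository or a remote one.

```go
package main
import (
	"encoding/xml"
	"fmt"
)
// pom: the subset of a pom.xml this needs, the <parent> reference and the <licenses> names.
type pom struct {
	Parent *struct {
		GroupID    string `xml:"groupId"`
		ArtifactID string `xml:"artifactId"`
		Version    string `xml:"version"`
	} `xml:"parent"`
	Licenses []string `xml:"licenses>license>name"`
}
// resolveLicenses walks up the <parent> chain from start and returns the first non-empty
// <licenses>. maxParents bounds the walk and seen rejects cycles, so a crafted chain ends.
func resolveLicenses(repo map[string][]byte, start string, maxParents int) ([]string, error) {
	seen := map[string]bool{}
	key := start
	for hops := 0; hops <= maxParents; hops++ {
		if seen[key] {
			return nil, fmt.Errorf("parent cycle at %s", key)
		}
		seen[key] = true
		raw, ok := repo[key]
		if !ok {
			return nil, fmt.Errorf("pom %s not available locally", key)
		}
		var p pom
		if err := xml.Unmarshal(raw, &p); err != nil {
			return nil, err
		}
		if len(p.Licenses) > 0 {
			return p.Licenses, nil
		}
		if p.Parent == nil {
			return nil, nil // top of the chain: nothing declared anywhere
		}
		key = p.Parent.GroupID + ":" + p.Parent.ArtifactID + ":" + p.Parent.Version
	}
	return nil, fmt.Errorf("no license within %d parents of %s", maxParents, start)
}

// sampleRepo is a constructed stand-in for a pom lookup: the license sits two parents up.
var sampleRepo = map[string][]byte{
	"org.example:module:1.0": []byte(`<project><parent><groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0</version></parent><artifactId>module</artifactId></project>`),
	"org.example:parent:1.0": []byte(`<project><parent><groupId>org.example</groupId><artifactId>root</artifactId><version>1.0</version></parent><artifactId>parent</artifactId><packaging>pom</packaging></project>`),
	"org.example:root:1.0":   []byte(`<project><artifactId>root</artifactId><licenses><license><name>Apache License, Version 2.0</name></license></licenses></project>`),
	"org.example:self:1.0":   []byte(`<project><parent><groupId>org.example</groupId><artifactId>self</artifactId><version>1.0</version></parent></project>`),
}
```

With maxParents set to 1 the module above is reported as unresolved rather than walked to the root, which is the trade-off the proposed 2/3 limit makes.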