Source license not found? Is it a bug? #1548

Closed
JUNGJUNCHUL opened this issue Feb 8, 2023 · 5 comments
Comments

@JUNGJUNCHUL

  1. git clone https://github.com/OWASP/NodeGoat
  2. cd NodeGoat
  3. syft ./ -o syft-json=sbom.syft.json -o cyclonedx-json=cyclone.json -o spdx-json=spdx.json

All formats show the dependencies correctly, but the license is empty.
Is it a bug?

[irteamsu@backscan002-dependabot-jp2v-dev NodeGoat]$ cat sbom.syft.json | grep -i -A 2 license | head
   "licenses": [],
   "language": "javascript",
   "cpes": [
--
   "licenses": [],
   "language": "javascript",
   "cpes": [
--
   "licenses": [],
   "language": "javascript",
[irteamsu@backscan002-dependabot-jp2v-dev NodeGoat]$ cat spdx.json | grep -i -A 2 license
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
 "name": "./",
--
  "licenseListVersion": "3.19",
  "creators": [
   "Organization: Anchore, Inc",
--
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
--
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
--
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
--
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
--
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
--
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
--
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
--
   "licenseConcluded": "NONE",
   "licenseDeclared": "NONE",
   "copyrightText": "NOASSERTION",
   "externalRefs": [

@JUNGJUNCHUL
Author

Or am I missing an ENV value?
How can I get the license?

@kzantow
Contributor

kzantow commented Feb 8, 2023

@JUNGJUNCHUL there are no licenses included in the package-lock.json. Syft only surfaces data available in what is scanned -- in other words, it does not look up licenses from external sources currently.

In this case, since you have an npm project, you can run npm install and Syft will attempt to look up licenses in the node_modules directory. For example:

$ npm install && syft ./ -o syft-json | grep -i -A 2 license | head 
 ✔ Indexed .               
 ✔ Cataloged packages      [1467 packages]

   "licenses": [
    "MIT"
   ],
--
   "licenses": [
    "MIT"
   ],
--
   "licenses": [
    "MIT"

@JUNGJUNCHUL
Author

JUNGJUNCHUL commented Feb 9, 2023

@kzantow
Thank you for your response!

Is there any way to retrieve the license in a normal source scan, not in a runtime environment? I have multiple projects.
If possible, I would like to scan multiple sources on a single host without additional commands like npm.

@kzantow
Contributor

kzantow commented Feb 9, 2023

@JUNGJUNCHUL if the package-lock.json includes license information, Syft would be able to pick it up but there's an open issue with npm where this is not being included. Again, Syft will currently only pick up license information if it's present on the filesystem either in the package-lock.json or in node_modules by running an npm install.

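Added example (not Syft's code and not from either participant): a small Python check that reads a Syft JSON or SPDX JSON SBOM like the ones quoted above and lists components carrying no license data, so an empty `licenses` array or an SPDX `NONE`/`NOASSERTION` pair is flagged in CI rather than silently accepted. The SBOM fragments are constructed to mirror the shapes shown in this issue.

```python
import json

# Constructed Syft JSON fragment, shaped like the sbom.syft.json output quoted
# in this issue ("licenses": [] when only package-lock.json is scanned).
SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "express", "version": "4.18.2", "type": "npm", "licenses": []},
        {"name": "lodash", "version": "4.17.21", "type": "npm", "licenses": ["MIT"]},
    ]
})

# Constructed SPDX JSON fragment, shaped like the spdx.json output quoted above.
SPDX_JSON = json.dumps({
    "packages": [
        {"name": "express", "versionInfo": "4.18.2",
         "licenseConcluded": "NONE", "licenseDeclared": "NONE"},
        {"name": "lodash", "versionInfo": "4.17.21",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
    ]
})

# SPDX placeholders meaning "no license data"; they must not count as a license.
SPDX_EMPTY = {"NONE", "NOASSERTION", ""}


def unlicensed_components(sbom_text: str) -> list[tuple[str, str]]:
    """Return (name, version) for every component the SBOM has no license for.

    The format is detected from the top-level key: Syft JSON uses "artifacts",
    SPDX JSON uses "packages". Any other document raises ValueError.
    """
    doc = json.loads(sbom_text)
    gaps: list[tuple[str, str]] = []
    if "artifacts" in doc:
        for art in doc["artifacts"]:
            if not art.get("licenses"):
                gaps.append((art["name"], art.get("version", "")))
    elif "packages" in doc:
        for pkg in doc["packages"]:
            declared = pkg.get("licenseDeclared", "NONE")
            concluded = pkg.get("licenseConcluded", "NONE")
            if declared in SPDX_EMPTY and concluded in SPDX_EMPTY:
                gaps.append((pkg["name"], pkg.get("versionInfo", "")))
    else:
        raise ValueError("unrecognised SBOM format: expected 'artifacts' or 'packages'")
    return gaps


if __name__ == "__main__":
    for label, text in (("syft-json", SYFT_JSON), ("spdx-json", SPDX_JSON)):
        for name, version in unlicensed_components(text):
            print(f"{label}: {name}@{version} has no license information")
```

Running it against a real `syft ./ -o syft-json=sbom.syft.json` output is the same call with the file contents passed in; a non-empty result is the signal that the scan saw only a lockfile and `npm install` (or another license source) is still needed.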
@kzantow kzantow added this to OSS Feb 9, 2023
@JUNGJUNCHUL
Author

@kzantow
If syft makes an external query, the scan will be slow, so it would be great if there was an option.

syft is very good at extracting dependency lists, but it has the disadvantage of having to link with other tools because it is difficult to get license information.

Among other tools, the SBOM formats (SPDX, CycloneDX) do not have the ability to add only the dependency list, so other tools are being considered rather than syft.

If that part is supplemented, it will be very useful and good to use.

Thank you for your answer.
