container scanning sbom-based license ingestion fails for container scanning v8.5.7

Why are we doing this work

Container scanning SBOM-based license ingestion has been broken since container scanning v8.5.7 due to a breaking change in Trivy's license data structure. TL;DR: the default value has moved from license.name to license.id.

Report version for trivy 0.65.0
$ jq '.metadata.tools' gl-sbom-report.cdx.json
{
  "components": [
    {
      "type": "application",
      "manufacturer": {
        "name": "Aqua Security Software Ltd."
      },
      "group": "aquasecurity",
      "name": "trivy",
      "version": "0.65.0"
    }
  ]
}
$ jq '.components[].licenses[]?' gl-sbom-report.cdx.json
{
  "license": {
    "id": "GPL-2.0-only"
  }
}
{
  "license": {
    "id": "MIT"
  }
}
{
  "license": {
    "id": "GPL-2.0-only"
  }
}
{
  "license": {
    "id": "GPL-2.0-only"
  }
}
{
  "license": {
    "id": "MPL-2.0"
  }
}
{
  "license": {
    "id": "MIT"
  }
}
{
  "license": {
    "id": "BSD-2-Clause"
  }
}
{
  "license": {
    "id": "BSD-3-Clause"
  }
}
{
  "license": {
    "id": "OpenSSL"
  }
}
{
  "license": {
    "id": "ISC"
  }
}
{
  "license": {
    "id": "BSD-3-Clause"
  }
}
{
  "license": {
    "id": "MIT"
  }
}
{
  "license": {
    "id": "OpenSSL"
  }
}
{
  "license": {
    "id": "MIT"
  }
}
{
  "license": {
    "id": "BSD-3-Clause"
  }
}
{
  "license": {
    "id": "GPL-2.0-or-later"
  }
}
{
  "license": {
    "id": "MIT"
  }
}
{
  "license": {
    "id": "GPL-2.0-only"
  }
}
{
  "license": {
    "id": "GPL-2.0-only"
  }
}
{
  "license": {
    "id": "Zlib"
  }
}
Report version for trivy 0.58.0
$ jq '.metadata.tools.components[]' result.cdx
{
  "type": "application",
  "group": "aquasecurity",
  "name": "trivy",
  "version": "0.58.0"
}
$ jq '.components[].licenses[]?.license' result.cdx
{
  "name": "GPL-2.0-only"
}
{
  "name": "MIT"
}
{
  "name": "GPL-2.0-only"
}
{
  "name": "GPL-2.0-only"
}
{
  "name": "MPL-2.0"
}
{
  "name": "MIT"
}
{
  "name": "BSD-2-Clause"
}
{
  "name": "BSD-3-Clause"
}
{
  "name": "OpenSSL"
}
{
  "name": "ISC"
}
{
  "name": "BSD-3-Clause"
}
{
  "name": "MIT"
}
{
  "name": "OpenSSL"
}
{
  "name": "MIT"
}
{
  "name": "BSD-3-Clause"
}
{
  "name": "GPL-2.0-or-later"
}
{
  "name": "MIT"
}
{
  "name": "GPL-2.0-only"
}
{
  "name": "GPL-2.0-only"
}
{
  "name": "Zlib"
}

Implementation plan

  • Update SBOM parser to handle both license.id and license.name fields
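
As an added example (not GitLab's own parser code), a small Ruby routine that accepts both shapes of the CycloneDX license entry, with constructed sample documents mirroring the two Trivy outputs above; it also tolerates the SPDX "expression" form and components without licenses, which the reports above do not show:

```ruby
require 'json'

# Return one license string for a CycloneDX "licenses" array entry.
# Trivy 0.58.0 wrote {"license": {"name": "MIT"}}; 0.65.0 writes
# {"license": {"id": "MIT"}}. The id (an SPDX identifier) is preferred
# when both are present. CycloneDX also allows {"expression": "..."}.
def license_from_choice(choice)
  return choice['expression'] if choice['expression']
  lic = choice['license']
  return nil unless lic.is_a?(Hash)
  lic['id'] || lic['name']
end

# Map "name@version" => [license strings] for every component in the SBOM.
# Array() makes missing "licenses" keys yield an empty list instead of raising.
def licenses_by_component(sbom)
  Array(sbom['components']).each_with_object({}) do |comp, acc|
    key = "#{comp['name']}@#{comp['version']}"
    acc[key] = Array(comp['licenses']).filter_map { |c| license_from_choice(c) }
  end
end

# Constructed sample (not a real report) in the trivy 0.65.0 shape: license.id
NEW_FORMAT = JSON.parse(<<~JSON)
  {"metadata": {"tools": {"components": [{"name": "trivy", "version": "0.65.0"}]}},
   "components": [
     {"name": "openssl", "version": "3.0.2", "licenses": [{"license": {"id": "OpenSSL"}}]},
     {"name": "zlib", "version": "1.2.13", "licenses": [{"license": {"id": "Zlib"}}]}
   ]}
JSON

# Constructed sample in the trivy 0.58.0 shape: license.name, plus edge cases
LEGACY_FORMAT = JSON.parse(<<~JSON)
  {"metadata": {"tools": {"components": [{"name": "trivy", "version": "0.58.0"}]}},
   "components": [
     {"name": "openssl", "version": "3.0.2", "licenses": [{"license": {"name": "OpenSSL"}}]},
     {"name": "busybox", "version": "1.36", "licenses": [{"expression": "GPL-2.0-only"}]},
     {"name": "unlicensed", "version": "0.1"}
   ]}
JSON

if $PROGRAM_NAME == __FILE__
  puts licenses_by_component(NEW_FORMAT).inspect
  puts licenses_by_component(LEGACY_FORMAT).inspect
end
```

Both documents yield "OpenSSL" for openssl@3.0.2, which is the behaviour the parser fix needs; a parser reading only license.name returns nothing for the 0.65.0 document.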

Verification steps

  1. Run container scan on image with mixed license types
  2. Verify licenses appear correctly in Dependency list page
  3. Test with both new (0.65.0+) and legacy Trivy formats
Edited by Oscar Tovar