Invalid licenses for components #9295

jeaboswell · 2025-07-31T20:20:57Z

jeaboswell
Jul 31, 2025

Description

The licenses section of a component is now including licenses and expressions in a single list on debian.

Here is the output SBOM: https://hoppr.gitlab.io/-/choppr/-/jobs/10878607830/artifacts/result.cdx.json

This is a new issue with 0.65.0.

Desired Behavior

Licenses should be either a list of SPDX licenses and/or named licenses or a tuple of one SPDX license expression.

https://cyclonedx.org/docs/1.6/json/#components_items_licenses

Actual Behavior

Licenses is a list of both licenses and expressions.

Reproduction Steps

1. docker run -v .:/workspace-output aquasec/trivy:0.65.0 image --format cyclonedx --output /workspace-output/result.cdx.json --debug registry.gitlab.com/hoppr/choppr/debian-test:bugfix-fix-mypy-dependencies
2. Check the output SBOM against the schema
3. See that licenses includes licenses and expressions

Target

Container Image

Scanner

None

Output Format

CycloneDX

Mode

Client/Server

Debug Output

2025-07-31T20:14:55Z    DEBUG   No plugins loaded
2025-07-31T20:14:55Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-31T20:14:55Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-07-31T20:14:55Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-07-31T20:14:55Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-31T20:14:55Z    DEBUG   Ignore statuses statuses=[]
2025-07-31T20:14:55Z    INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-07-31T20:14:55Z    DEBUG   [pkg] Package types     types=[os library]
2025-07-31T20:14:55Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-07-31T20:14:55Z    DEBUG   Initializing scan cache...      type="fs"
2025-07-31T20:14:55Z    DEBUG   [notification] Running version check
2025-07-31T20:14:55Z    DEBUG   [notification] Version check completed  latest_version="0.65.0"
2025-07-31T20:14:56Z    DEBUG   [image] Image found     image="registry.gitlab.com/hoppr/choppr/debian-test:bugfix-fix-mypy-dependencies" source="remote"
2025-07-31T20:14:56Z    DEBUG   Created process-specific temp directory path="/tmp/trivy-1"
2025-07-31T20:14:56Z    DEBUG   [image] Detected image ID       image_id="sha256:caf05980c32eb05d84ab28720320ac6e1fd3a7c766f1c1a2744f58759de51b0d"
2025-07-31T20:14:56Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:3cc982388b71ef357e0157e0b7d3059dcefa4dc9fd2e3815bde6c6ce040302f3 sha256:5553992aa1d6736a74afb6770c7a5d4de97f0ee33e138106a9649d5bc4643a2f sha256:bfe5499bbde645bd290dff00f10e79735ef5c57ec41210f5b68abe36864f3d93]
2025-07-31T20:14:56Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:3cc982388b71ef357e0157e0b7d3059dcefa4dc9fd2e3815bde6c6ce040302f3]
2025-07-31T20:14:56Z    DEBUG   [image] Missing image ID in cache       image_id="sha256:caf05980c32eb05d84ab28720320ac6e1fd3a7c766f1c1a2744f58759de51b0d"
2025-07-31T20:14:56Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:bfe5499bbde645bd290dff00f10e79735ef5c57ec41210f5b68abe36864f3d93"
2025-07-31T20:14:56Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:3cc982388b71ef357e0157e0b7d3059dcefa4dc9fd2e3815bde6c6ce040302f3"
2025-07-31T20:14:56Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:5553992aa1d6736a74afb6770c7a5d4de97f0ee33e138106a9649d5bc4643a2f"
2025-07-31T20:15:24Z    DEBUG   [dpkg] Unable to parse the available file       file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2025-07-31T20:15:24Z    INFO    [python] Licenses acquired from one or more METADATA files may be subject to additional terms. Use `--debug` flag to see all affected packages.
2025-07-31T20:15:24Z    DEBUG   [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="22.0.2"
2025-07-31T20:15:24Z    DEBUG   [python] License acquired from METADATA classifiers may be subject to additional terms name="setuptools" version="59.6.0"
2025-07-31T20:15:24Z    DEBUG   [python] License acquired from METADATA classifiers may be subject to additional terms name="wheel" version="0.37.1"
2025-07-31T20:15:57Z    DEBUG   No secrets found in container image config
2025-07-31T20:15:57Z    INFO    Detected OS     family="ubuntu" version="22.04"
2025-07-31T20:15:57Z    INFO    Number of language-specific files       num=1
2025-07-31T20:15:57Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-07-31T20:15:57Z    DEBUG   [vex] VEX filtering is disabled
2025-07-31T20:15:57Z    DEBUG   Cleaning up temp directory      path="/tmp/trivy-1"

Operating System

docker image

Version

Version: 0.65.0

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2025-08-01T09:40:09Z

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Invalid licenses for components #9295

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Invalid licenses for components #9295

Uh oh!

jeaboswell Jul 31, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment

Uh oh!

DmitriyLewen Aug 1, 2025 Maintainer

jeaboswell
Jul 31, 2025

DmitriyLewen
Aug 1, 2025
Maintainer