With this new version, I receive a SHA-256 hash for some libraries as a licence. In theory, version v1.24.0 should have added the following improvement: ‘Return the full licence string instead of the SHA-256 hash when the licence string exceeds 64 characters’. Why is this happening to me? Thank you very much!
Hey @Carlos_CM – I believe the current behavior, after the issue you mentioned, is: we attempt to validate that the license string is a valid SPDX license expression, and if it is valid, we directly include the expression; but if the license is not a valid SPDX expression, like other unknown licenses, the contents are hashed and included as an “other license”, assuming you are using SPDX. There is an option to include full contents, which is disabled by default, that also can affect this behavior. I’d need a little more detail to understand the specifics you’re seeing.
The good news here is that if you receive a SHA256 then you should be able to enable an option that will give you the full contents.
We wanted to be sensitive to not increase the SBOM size without the user opting in here.
The option should be SYFT_LICENSE_CONTENT=unknown. That should get you the license content here.
If you throw over some examples of commands you’re running we can help
Thank you very much for your answers. I have tried to enable the option to obtain the full contents rather than the SHA256 hash. I’m using Syft in a GitHub action to generate the SBOM of a repository. I added the following line to define the environment variable:
env:
  SYFT_LICENSE_CONTENT: unknown
Nevertheless, I am still experiencing the same problem:
Is this the correct way to do it? Perhaps I didn’t understand it properly.
Thank you very much!
Are you accessing the correct field? You’ll still see the sha256:xxxx in the ‘value’ field, but with that option enabled you should now see a ‘contents’ field that has the full contents. Something like this; see ‘contents’ at the end of the object:
{
  "value": "sha256:9e3a4384b6d8d2358d44103f62bcd948328b3f8a63a1a6baa66abeb43302d581",
  "spdxExpression": "",
  "type": "concluded",
  "urls": [],
  "locations": [
    {
      "path": "/usr/share/doc/libcom-err2/copyright",
      "layerID": "sha256:a8c68591d421fc2d4bdda704f67a796edf5ff880c59358d75107eb5261821650",
      "accessPath": "/usr/share/doc/libcom-err2/copyright",
      "annotations": {
        "evidence": "supporting"
      }
    }
  ],
  "contents": "This is the Debian GNU/Linux prepackaged version of the Common Error\nDescription library. It is currently distributed together with the EXT2 file\nsystem utilities, which are otherwise packaged as \"e2fsprogs\".\n\nThis package was put together by Yann Dirson <dirson@debian.org>,\nfrom sources obtained from a mirror of:\n tsx-11.mit.edu:/pub/linux/packages/ext2fs/\n\nFrom the original distribution:\n\nCopyright 1987, 1988 by the Student Information Processing Board\n\tof the Massachusetts Institute of Technology\n\nPermission to use, copy, modify, and distribute this software\nand its documentation for any purpose and without fee is\nhereby granted, provided that the above copyright notice\nappear in all copies and that both that copyright notice and\nthis permission notice appear in supporting documentation,\nand that the names of M.I.T. and the M.I.T. S.I.P.B. not be\nused in advertising or publicity pertaining to distribution\nof the software without specific, written prior permission.\nM.I.T. and the M.I.T. S.I.P.B. make no representations about\nthe suitability of this software for any purpose. It is\nprovided \"as is\" without express or implied warranty.\n"
}
I was accessing the ‘value’ field instead of the ‘contents’ field, but I still can’t retrieve the contents. Could you tell me how you got that JSON?
Thank you very much!
Here is an example of the command with the env variable set to unknown. The nvidia/cuda image should have some unknown licenses with contents generated. You can search for the field ‘contents’ in the document and should see some full text:
SYFT_LICENSE_CONTENT=unknown syft -o json nvidia/cuda:12.5.1-cudnn-runtime-ubuntu20.04 | jq . > unknown.json
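An added check (my own script, not Syft's code) to run over the unknown.json produced above: it walks the document and, for every license whose ‘value’ is a sha256: hash, reports whether a ‘contents’ field was emitted and whether the hash actually matches that text, so a reviewer can tell which packages still lack recoverable license text. The top-level "artifacts" / "licenses" layout and the assumption that the value is the hex SHA-256 of the contents bytes are mine, not stated in the thread; the sample document is constructed.

```python
import hashlib
import json

# Constructed sample in the shape of Syft's JSON output (assumed layout:
# top-level "artifacts", each with a "licenses" list of objects like the
# one quoted in the thread). Only the fields the check needs are present.
_GOOD_TEXT = "Permission to use, copy, modify, and distribute (constructed)\n"
_SAMPLE = {
    "artifacts": [
        {"name": "libcom-err2", "licenses": [{
            "value": "sha256:" + hashlib.sha256(_GOOD_TEXT.encode()).hexdigest(),
            "spdxExpression": "", "type": "concluded", "contents": _GOOD_TEXT}]},
        {"name": "pkg-b", "licenses": [{  # contents do not match the hash
            "value": "sha256:" + "0" * 64, "spdxExpression": "",
            "type": "declared", "contents": "not the text that was hashed\n"}]},
        {"name": "pkg-c", "licenses": [{  # hashed, but no contents emitted
            "value": "sha256:" + "1" * 64, "spdxExpression": "", "type": "declared"}]},
        {"name": "pkg-d", "licenses": [{  # valid SPDX expression, never hashed
            "value": "MIT", "spdxExpression": "MIT", "type": "declared"}]},
    ]
}


def audit_hashed_licenses(sbom: dict) -> dict:
    """Classify every hashed ("sha256:...") license in a Syft JSON document.

    Returns {"ok", "mismatch", "missing_contents"} lists of package names,
    so you can see which entries still need SYFT_LICENSE_CONTENT=unknown
    and whether the recovered text really is what Syft hashed.
    """
    report = {"ok": [], "mismatch": [], "missing_contents": []}
    for artifact in sbom.get("artifacts", []):
        for lic in artifact.get("licenses", []):
            value = lic.get("value", "")
            if not value.startswith("sha256:"):
                continue  # SPDX expression or short string: nothing was hashed
            contents = lic.get("contents")
            if contents is None:
                report["missing_contents"].append(artifact["name"])
                continue
            # Assumption: value is the hex SHA-256 of the raw contents bytes.
            digest = hashlib.sha256(contents.encode("utf-8")).hexdigest()
            bucket = "ok" if digest == value[len("sha256:"):] else "mismatch"
            report[bucket].append(artifact["name"])
    return report


def audit_file(path: str) -> dict:
    """Load a Syft JSON document (e.g. unknown.json) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_hashed_licenses(json.load(fh))


if __name__ == "__main__":
    import sys
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hashed_licenses(_SAMPLE)
    print(json.dumps(result, indent=2))
```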