Unable to identify from which transitive dependency license is been displaying

General
1

image
image1563×309 16.8 KB

in the screenshot attached, we see CC-BY-ND-3.0 license for the package gawk, i have tried to search license for which package it has mapped using rpm command and also tdnf info for all the transitive, no where it has CC-BY-ND-3.0 but syft is identifying. In our org we have made this license under RED category and we are unable to find for which package it has mapped, Please help us in identifying

└── [Transitive]: attr@2.5.1-6.ph5
└── [Transitive]: bash-bin@5.2-11.ph5
└── [Transitive]: coreutils-selinux-minimal@9.1-13.ph5
└── [Transitive]: coreutils-selinux@9.1-13.ph5
└── [Transitive]: filesystem@1.1-10.ph5
└── [Transitive]: glibc@2.43-1.ph5
└── [Transitive]: grep@3.7-6.ph5
└── [Transitive]: libselinux@3.10-1.ph5
└── [Transitive]: ncurses-libs@6.5-2.ph5
└── [Transitive]: openssl-libs@3.5.6-2.ph5
└── [Transitive]: pcre-libs@8.45-8.ph5
└── [Transitive]: pcre2-libs@10.40-10.ph5
└── [Transitive]: readline@8.2-8.ph5
└── [Transitive]: zlib@1.2.13-5.ph5

2

finally i found in the location which is displayed in sbom file, i tried to extract info from rpmdb.sqlite

strings /usr/lib/sysimage/rpm/rpmdb.sqlite | grep -A 5 “gawk” | grep “CC-BY”
BSD-3-Clause AND CC-BY-ND-3.0 AND FSFAP AND FSFAP-no-warranty-disclaimer AND FSFUL AND FSFULLR AND FSFULLRWD AND GFDL-1.1-or-later AND GFDL-1.3-only AND GFDL-1.3-or-later AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND Latex2e-translated-notice AND MIT AND X11
BSD-3-Clause AND CC-BY-ND-3.0 AND FSFAP AND FSFAP-no-warranty-disclaimer AND FSFUL AND FSFULLR AND FSFULLRWD AND GFDL-1.1-or-later AND GFDL-1.3-only AND GFDL-1.3-or-later AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND Latex2e-translated-notice AND MIT AND X11 - Please help me if my understanding is correct

3

Hi @anvitha_haviligi if you want to know where the licenses come from, the Syft SBOM should have this information. It looks like you already see the package(s) and licenses in another tool, but some of the information isn’t clear. I’m pretty sure this particular license string is what the package manager says for these packages, since you’re finding it verbatim in the RPMDB.

Maybe I’m not quite understanding the issue, what different information are you looking for?