anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

syft outputs incorrect license LicenseRef-AND

makotosato-at opened this issue · comments

What happened:
License BSD-2-Clause AND BSD-3-Clause AND Public-Domain becomes
LicenseRef-AND AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Public-Domain

What you expected to happen:
It should be: (BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Public-Domain)

Steps to reproduce the issue:
On alpine linux

# apk add libarchive
# export SYFT_FORMAT_SPDX_JSON_PRETTY=true
# syft -o spdx-json@2.2 / > spdx.json

spdx.json

{
   "name": "libarchive",
...
   "licenseDeclared": "LicenseRef-AND AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Public-Domain",

Anything else we need to know?:

Environment:

  • Output of syft version: 1.4.1
  • OS (e.g: cat /etc/os-release or similar): alpine linux 3.19.1

Hi @makotosato-at, thanks for the report. We will take a look!
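As an added illustration of the behaviour in this report (this is not syft's code, nor code posted by the reporter), the Go program below contrasts two ways of turning the raw APK license field `BSD-2-Clause AND BSD-3-Clause AND Public-Domain` into an SPDX `licenseDeclared` value. `NaiveDeclared` is a hypothetical model of how the reported string can arise: if the field is split on whitespace and every token is treated as a license identifier, the operator `AND` is not on the SPDX list and so is rendered as `LicenseRef-AND`. `NormalizeDeclared` tokenizes the expression, passes operators and parentheses through untouched, and only rewrites license operands that are absent from the SPDX list. The `spdxIDs` map is a constructed four-entry stand-in for the real SPDX license list, and case-insensitive operator matching is an assumption made for robustness.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed stand-in for the SPDX license list (the real list has hundreds
// of ids); anything absent is treated as non-SPDX and rendered as LicenseRef-*.
var spdxIDs = map[string]bool{"BSD-2-Clause": true, "BSD-3-Clause": true, "MIT": true, "Apache-2.0": true}

// SPDX expression operators; matched case-insensitively here as an assumption.
var operators = map[string]bool{"AND": true, "OR": true, "WITH": true}

// A LicenseRef idstring may only contain letters, digits, '.' and '-'.
var licenseRefUnsafe = regexp.MustCompile(`[^A-Za-z0-9.\-]`)

// toLicenseRef renders a non-SPDX id as LicenseRef-<sanitised id>.
func toLicenseRef(id string) string {
	if strings.HasPrefix(id, "LicenseRef-") {
		return id
	}
	return "LicenseRef-" + licenseRefUnsafe.ReplaceAllString(id, "-")
}

// NaiveDeclared is a hypothetical model, not syft's code, of how the reported
// string can arise: split on whitespace, treat every token as a license id,
// de-duplicate, sort, prefix unknowns, join with " AND ". The operator token
// "AND" is not a license id, so it surfaces as LicenseRef-AND.
func NaiveDeclared(raw string) string {
	seen := map[string]bool{}
	var ids []string
	for _, tok := range strings.Fields(raw) {
		if !seen[tok] {
			seen[tok] = true
			ids = append(ids, tok)
		}
	}
	sort.Strings(ids)
	for i, id := range ids {
		if !spdxIDs[id] {
			ids[i] = toLicenseRef(id)
		}
	}
	return strings.Join(ids, " AND ")
}

// tokenize splits on whitespace and peels parentheses off tokens, so
// "(MIT" becomes "(", "MIT" and "Apache-2.0)" becomes "Apache-2.0", ")".
func tokenize(raw string) []string {
	var toks []string
	for _, f := range strings.Fields(raw) {
		for strings.HasPrefix(f, "(") {
			toks, f = append(toks, "("), f[1:]
		}
		var closing []string
		for strings.HasSuffix(f, ")") {
			closing, f = append(closing, ")"), f[:len(f)-1]
		}
		if f != "" {
			toks = append(toks, f)
		}
		toks = append(toks, closing...)
	}
	return toks
}

// NormalizeDeclared keeps the expression's structure: operators and parentheses
// pass through, only license operands are checked against the SPDX list and
// prefixed with LicenseRef- when absent. A compound expression is wrapped in
// parentheses, the form the reporter expects (the unwrapped form is also valid).
func NormalizeDeclared(raw string) string {
	var out []string
	compound := false
	for _, t := range tokenize(raw) {
		switch up := strings.ToUpper(t); {
		case t == "(" || t == ")":
			out = append(out, t)
		case operators[up]:
			compound = true
			out = append(out, up)
		case spdxIDs[t]:
			out = append(out, t)
		default:
			out = append(out, toLicenseRef(t))
		}
	}
	expr := strings.Join(out, " ")
	expr = strings.ReplaceAll(strings.ReplaceAll(expr, "( ", "("), " )", ")")
	if compound {
		expr = "(" + expr + ")"
	}
	return expr
}

func main() {
	// libarchive's APK license field as quoted in the report.
	raw := "BSD-2-Clause AND BSD-3-Clause AND Public-Domain"
	fmt.Println("naive:     ", NaiveDeclared(raw))
	fmt.Println("normalized:", NormalizeDeclared(raw))
}
```

The practical check this suggests for any SBOM consumer: a `LicenseRef-` whose suffix is an SPDX operator (`AND`, `OR`, `WITH`) or a bare parenthesis is a tokenization error in the producer, not a real license, and should be flagged rather than treated as a license to review.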