Understanding why license metadata not available

[lucasgonze]

I have created an SBOM using this shell command:
git clone https://github.com/airbytehq/airbyte-platform scancode --license --unknown-licenses airbyte-platform --json-pp analysis-2 --max-depth 20

However, the generated SBOM is missing license information for many packages, such as this one:

I would be grateful for insights.

[pombredanne]

I have created an SBOM using this shell command: git clone https://github.com/airbytehq/airbyte-platform scancode --license --unknown-licenses airbyte-platform --json-pp analysis-2 --max-depth 20

However, the generated SBOM is missing license information for many packages, such as this one:

@lucasgonze can you post the full JSON?

Also to get a full correct picture for airbyte-platform I would likely first provision (aka. build) the project. ScanCode alone will not fetch the dependencies.

Here pyjwt is only referenced there

• https://github.com/airbytehq/airbyte-platform/blob/e3b18597716997cb10949fdff5080be3b4fa62ec/airbyte-connector-builder-server/requirements.txt#L115

To get a full scan, I would likely therefore:

• run the build in place OR run selectively deplock https://github.com/aboutcode-org/dependency-inspector to ensure all deps are fetched
• use scancode.io to run a quick package scan "inspect_packages", then force download, scan and indexing of all the deps found with the "populate_purldb" pipeline
• then eventually also run the pipeline to further enrich the scan with PurlDB results with "enrich_with_purldb"

FWIW, https://github.com/airbytehq/airbyte-platform/archive/e3b18597716997cb10949fdff5080be3b4fa62ec.zip has close to 3000 dependencies across golang, maven,npm and pypi, so this is a fairly large thing.