License information missing from BOM

[ketronkowski]

When generating an sBOM report using Syft for a container image built with the new-relic buildpack, the "New Relic Java Agent" element does not correctly set license information so the Syft tool can export it correctly in an sBOM file.

Expected Behavior

We expect the sBOM file generated by Syft on an image has the licenseConcluded and licenseDeclared elements of the "New Relic Java Agent" element in the "packages" array set correctly.

Current Behavior

Using Syft on an image generated with Paketo with new-relic buildpack included, the "New Relic Java Agent" has incorrect (LicenseRef-) value for the licenseConcluded and licenseDeclared elements.

  {
   "name": "New Relic Java Agent",
   "SPDXID": "SPDXRef-Package-UnknownPackage-New-Relic-Java-Agent-51f555dbd7cae650",
   "versionInfo": "8.2.0",
   "downloadLocation": "NOASSERTION",
   "sourceInfo": "acquired package info from SBOM: /layers/sbom/launch/paketo-buildpacks_new-relic/new-relic-java/sbom.syft.json",
   "licenseConcluded": "LicenseRef-",
   "licenseDeclared": "LicenseRef-",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:newrelic:java-agent:8.2.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:New_Relic_Java_Agent:New_Relic_Java_Agent:8.2.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:generic/newrelic-java-agent@8.2.0?arch=amd64"
    }
   ]
  }

Possible Solution

Steps to Reproduce

1. Generate a container image with Paketo Buildpacks following instruction in this repository.
2. Run syft on the generated image: syft <image>
3. Inspect sbom for the "New Relic Java Agent" element in the "packages" array

Motivations

[dmikusa]

Run syft on the generated image: syft

I believe that would be a problem with syft not the buildpacks.

Buildpacks generate their own SBOM information. You don't need to run syft against the image, you just fetch the SBOM information generated by buildpacks. That said, I can't guarantee that we're setting this field properly either, but if it's not correct in the SBOM generated by the buildpacks, we have the capacity to fix that.

Can you please try this?

1. Do your pack build.
2. Run pack sbom download against your image. See https://buildpacks.io/docs/tools/pack/cli/pack_sbom_download/

The resulting folder should contain the SBOM information generated by buildpacks for the contents of your application image.

We also generate a separate SBOM for the build image, because sometimes more stuff is installed into the build environment. If you want that, you can only fetch it when running pack build with the --sbom-output-dir. It's not possible to go back and fetch it after the fact.

Hope that helps!

[ketronkowski]

Thanks for the help. I ran the pack sbom download command on the image. Inside the layers/sbom/launch/paketo-buildpacks_new-relic/new-relic-java/sbom.syft.json file there appears to be an empty string ("") value within the .Artifacts[0].Licenses[] array.

{
    "Artifacts": [
        {
            "ID": "8fff9b556e965d19",
            "Name": "New Relic Java Agent",
            "Version": "8.4.0",
            "Type": "UnknownPackage",
            "FoundBy": "libpak",
            "Locations": [
                {
                    "Path": "buildpack.toml"
                }
            ],
            "Licenses": [
                ""
            ],
            "Language": "",
            "CPEs": [
                "cpe:2.3:a:newrelic:java-agent:8.4.0:*:*:*:*:*:*:*"
            ],
            "PURL": "pkg:generic/newrelic-java-agent@8.4.0?arch=amd64"
        }
    ],
    "Source": {
        "Type": "directory",
        "Target": "/layers/paketo-buildpacks_new-relic/new-relic-java"
    },
    "Descriptor": {
        "Name": "syft",
        "Version": "0.32.0"
    },
    "Schema": {
        "Version": "1.1.0",
        "URL": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-1.1.0.json"
    }
}

[dmikusa]

Oh, interesting. That is not expected. It should have added the license information from the dependency in buildpack.toml.

Switching this to a bug.

[dmikusa]

Notes:

• The Dependency should have license information, that gets pulled out of buildpack.toml.
• It should pass this license information through to the SBOM information, see here.
• It doesn't look like that's happening for some reason, unsure why at the moment.