Skip to content

bug(apk): Trivy incorrectly separates licenses that contain the WITH operator #9230

New issue
New issue
Closed
Bug
#9232
Closed
bug(apk): Trivy incorrectly separates licenses that contain the WITH operator#9230
Bug
#9232
Assignees
DmitriyLewen
Labels
kind/bugCategorizes issue or PR as related to a bug.scan/licenseIssues relating to license scanning
Milestone
v0.65.0
@DmitriyLewen

Description

@DmitriyLewen
DmitriyLewen
opened on Jul 22, 2025

Description

apk packages may use licenses that ccontain the WITH operator (e.g. GPL-2.0-only WITH Classpath-exception-2.0).
Instead of creating single license - Trivy creates 3 licenses:

          "Licenses": [
            "GPL-2.0-only",
            "WITH",
            "Classpath-exception-2.0"
          ],

Problem

LaxSplitLicenses function doesn't handle WITH operator:

trivy/pkg/licensing/normalize.go

Lines 751 to 769 in a692f29

func LaxSplitLicenses(str string) []string {
if str == "" {
return nil
}
var licenses []string
str = versionRegexp.ReplaceAllString(str, "$1-$4")
for s := range strings.FieldsSeq(str) {
s = strings.Trim(s, "()")
switch s {
case "":
continue
case "AND", "OR":
continue
default:
licenses = append(licenses, Normalize(s))
}
}
return licenses
}

Discussed in #9229

Metadata

Metadata

Assignees

Labels

kind/bugCategorizes issue or PR as related to a bug.scan/licenseIssues relating to license scanning

Type

Bug

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions