Description
What happened:
I came across a bug regarding the license format. While the format is human-readable, machines have issues with it.
The result from a Java project with syft is a license which is not machine-readable.
Current format: "LicenseRef-http---www.eclipse.org-legal-epl-v10.html--http---www.gnu.org-licenses-old-licenses-lgpl-2.1.html"
What you expected to happen:
It should look like this: "EPL-1.0 AND LGPL-2.1-only"
(according to https://spdx.org/licenses/)
Steps to reproduce the issue:
```sh
git clone https://github.com/spring-projects/spring-petclinic.git
```
once checked out --> `mvn install`
```sh
syft . -o spdx-json=syft-sbom-spdx.json
```
As a sample you can see the dependency logback-classic:
```json
{
  "name": "logback-classic",
  "SPDXID": "SPDXRef-Package-java-archive-logback-classic-20e8c9ef925bd6be",
  "versionInfo": "1.5.18",
  "supplier": "Organization: QOS.ch",
  "originator": "Organization: QOS.ch",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "checksums": [
    {
      "algorithm": "SHA1",
      "checksumValue": "fc371f3fc97a639de2d67947cffb7518ec5e3d40"
    }
  ],
  "sourceInfo": "acquired package info from installed java archive: /target/spring-petclinic-3.5.0-SNAPSHOT.jar",
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "LicenseRef-http---www.eclipse.org-legal-epl-v10.html--http---www.gnu.org-licenses-old-licenses-lgpl-2.1.html",
  "copyrightText": "NOASSERTION"
}
```
It shows the license as a reference rather than the actual 3 licenses.
The same issue also appears via
```sh
syft . -o cyclonedx-json=syft-sbom-cyclonedx.json
```
```json
{
  "bom-ref": "pkg:maven/ch.qos.logback/logback-classic@1.5.18?package-id=20e8c9ef925bd6be",
  "type": "library",
  "group": "ch.qos.logback",
  "name": "logback-classic",
  "version": "1.5.18",
  "licenses": [
    {
      "license": {
        "name": "http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html"
      }
    }
  ]
}
```
If I compare these results with e.g. trivy, the correct licenses are supplied.
```sh
trivy fs --format spdx-json --output trivy-sbom-spdx.json .
```
```json
{
  "name": "ch.qos.logback:logback-classic",
  "SPDXID": "SPDXRef-Package-45d18c372fde1eb1",
  "versionInfo": "1.5.18",
  "supplier": "NOASSERTION",
  "downloadLocation": "NONE",
  "filesAnalyzed": false,
  "sourceInfo": "package found in: pom.xml",
  "licenseConcluded": "EPL-1.0 AND LGPL-2.1-only",
  "licenseDeclared": "EPL-1.0 AND LGPL-2.1-only",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:maven/ch.qos.logback/logback-classic@1.5.18"
    }
  ]
}
```
Anything else we need to know?:
Environment:
- Output of `syft version`:
```
Application: syft
Version: 1.33.0
BuildDate: 2025-09-15T20:38:16Z
GitCommit: b87b919
GitDescription: v1.33.0
Platform: linux/amd64
GoVersion: go1.24.7
Compiler: gc
SchemaVersion: 16.0.39
```
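Until this is fixed upstream, a consumer of these SBOMs needs a check that flags license fields which are not SPDX expressions, and ideally recovers the intended expression from the URLs syft embedded. The script below is an added example written for this issue; it is not syft's or trivy's code. It assumes that syft built the `LicenseRef-...` string by replacing every character outside the SPDX idstring alphabet `[A-Za-z0-9.-]` with `-` (which reproduces the exact string in the report), that a comma-separated list of license URLs should be read as a conjunction (`AND`, as trivy reports it), and it uses a two-entry URL-to-SPDX table and sample SPDX/CycloneDX documents constructed from the values quoted above; a real deployment would load the full list from https://spdx.org/licenses/.

```python
"""Audit syft SBOM output for license fields that are not SPDX expressions and,
where the embedded license URLs are known, suggest the SPDX expression.
Added example for this issue; not part of syft. URL table and samples are constructed."""
import json
import sys
import re

# Constructed subset of the SPDX license list, keyed by the seeAlso URLs from the issue.
URL_TO_SPDX = {
    "http://www.eclipse.org/legal/epl-v10.html": "EPL-1.0",
    "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html": "LGPL-2.1-only",
}
KNOWN_IDS = set(URL_TO_SPDX.values()) | {"Apache-2.0", "MIT"}  # constructed subset
OPERATORS = {"AND", "OR", "WITH"}


def sanitize(text):
    """Assumed syft mangling: every char outside the SPDX idstring alphabet becomes '-'.
    'http://www.eclipse.org/legal/epl-v10.html' -> 'http---www.eclipse.org-legal-epl-v10.html'"""
    return re.sub(r"[^A-Za-z0-9.-]", "-", text)


def is_spdx_expression(expr):
    """True if every token is an operator or a known listed ID (optionally with '+').
    A 'LicenseRef-...' token is never a listed ID, so such strings are rejected."""
    tokens = expr.replace("(", " ").replace(")", " ").split()
    return bool(tokens) and all(t in OPERATORS or t.rstrip("+") in KNOWN_IDS for t in tokens)


def resolve_licenseref(ref):
    """Recover an SPDX expression from a 'LicenseRef-<mangled URLs>' string.
    Hyphens inside URLs make the mangling lossy, so instead of decoding we mangle each
    known URL the same way and look for it inside the reference. Returns None unless
    the whole reference is covered by known URLs plus separator dashes."""
    if not ref.startswith("LicenseRef-"):
        return None
    body = ref[len("LicenseRef-"):]
    hits = []
    for url, spdx_id in URL_TO_SPDX.items():
        needle = sanitize(url)
        pos = body.find(needle)
        if pos >= 0:
            hits.append((pos, spdx_id))
            body = body[:pos] + "-" * len(needle) + body[pos + len(needle):]
    if not hits or body.strip("-"):
        return None  # unknown URL(s) remain: report, do not guess
    # Comma-separated list read as a conjunction (assumption, matches trivy's output).
    return " AND ".join(spdx_id for _, spdx_id in sorted(hits))


def resolve_url_list(name):
    """CycloneDX variant: license 'name' is a ', '-separated list of plain URLs."""
    ids = [URL_TO_SPDX.get(u.strip()) for u in name.split(",")]
    return None if (not ids or None in ids) else " AND ".join(ids)


def audit_spdx(doc):
    """Return (package, field, value, suggestion) for every non-expression license field."""
    findings = []
    for pkg in doc.get("packages", []):
        for field in ("licenseDeclared", "licenseConcluded"):
            val = pkg.get(field, "NOASSERTION")
            if val in ("NOASSERTION", "NONE") or is_spdx_expression(val):
                continue
            findings.append((pkg["name"], field, val, resolve_licenseref(val)))
    return findings


def audit_cyclonedx(doc):
    """Same for CycloneDX: a license given by 'name' instead of 'id' is not machine-readable."""
    findings = []
    for comp in doc.get("components", []):
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            if "id" in lic:
                continue
            name = lic.get("name", "")
            findings.append((comp["name"], "license.name", name, resolve_url_list(name)))
    return findings


# Constructed samples reduced to the fields the issue quotes.
SPDX_SAMPLE = {"packages": [{"name": "logback-classic", "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "LicenseRef-http---www.eclipse.org-legal-epl-v10.html--"
                       "http---www.gnu.org-licenses-old-licenses-lgpl-2.1.html"}]}
CDX_SAMPLE = {"components": [{"name": "logback-classic", "licenses": [{"license": {"name":
    "http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html"}}]}]}

if __name__ == "__main__":
    # Usage: python audit_licenses.py syft-sbom-spdx.json  (falls back to the samples)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else None
    findings = (audit_spdx(doc) + audit_cyclonedx(doc)) if doc else audit_spdx(SPDX_SAMPLE) + audit_cyclonedx(CDX_SAMPLE)
    for name, field, value, suggestion in findings:
        print(f"{name}: {field} = {value!r} -> {suggestion or 'UNRESOLVED, review manually'}")
```

The deliberate choice is to refuse a suggestion whenever any part of the reference is not covered by a known URL: a partially decoded expression such as `EPL-1.0` alone would silently drop a license, which is worse for compliance than an explicit `UNRESOLVED`.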