Matching of Licenses During Analysis

Dependency-Track v3.3.1 is parsing License information from both CycloneDX BOM and from Dependency-Check XML and, when licensing info is present, it is mostly not then linking the license to a known License.

ie, instead of “Apache-2.0” (linking to ../license/?licenseId=Apache-2.0), there is simple text displayed:

• The Apache Software License, Version 2.0
• Apache License 2.0
• Apache Software Licenses

I am not sure if this would be an enhancement or a defect, but my expectation is that all 3 of the above examples would have been identified as “Apache-2.0” (complete with link).

Using the last example (Purl = pkg:maven/org.slf4j/log4j-over-slf4j@1.7.25?type=jar):

<licenses>
  <license>
    <name>Apache Software Licenses</name>
    <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
  </license>
</licenses>

…there seems to be enough info (including the url) to match the license correctly.

The components that have licenses that are linked all seem to have a filename. Example:

glassfish-embedded-all-3.1.2.2.jar (shaded: org.jvnet.libpam4j:libpam4j:1.3) Purl: pkg:maven/org.jvnet.libpam4j/libpam4j@1.3

Dependency-Track lists this as CDDL 1.0 - although libpam4j itself has an MIT license.

• Tested with BOM using cyclonedx-maven-plugin-1.2.0
• Tested with XML using dependency-check-jenkins-plugin-4.0.0