detection of license for ua-parser-js is MIT instead of AGPL-3.0-or-later #1324

jdalton opened this issue Aug 21, 2024 · 4 comments
jdalton commented Aug 21, 2024

When cloning https://github.com/faisalman/ua-parser-js/

git clone https://github.com/faisalman/ua-parser-js.git --depth=1

then

cd ./ua-parser-js

and running

npx @cyclonedx/cdxgen --type npm

I get a generated sbom that says the license is MIT but the license is AGPL-3.0-or-later

prabhu commented Aug 22, 2024

Interesting! It is taking the last data from npmjs instead of package.json. In enterprise environments, most package.json files might have Unlicense or some other unreliable id, so we generally do not rely on that file. Is this a matter of having a new release with the new license? Also, I am unsure if the existing published versions could be retroactively changed from MIT, but I am not a lawyer.

jdalton commented Aug 22, 2024

The existing published version is indeed MIT (@prabhu thank you for spotting that). In this case we are more interested in the repository as the source of truth. For example assume the repo https://github.com/faisalman/ua-parser-js.git was a company/client repo and we are running cdxgen on it. Trying to generate the sbom from the repo source.

Update:

Looks like even with FETCH_LICENSE=0 it still returns MIT.

prabhu commented Aug 24, 2024

The repository is unreleased main branch mostly, while the license data in the sbom is specific to the released version. Have you tried scancode to see if it returns up-to-date information?

jdalton commented Aug 24, 2024

I think the difference is app/project level vs. third party dependency. In the root of a repo the app/project doesn't need to use the registry to get info as it may not yet be published, whereas its third party dependencies and transitives are.

For app/project stuff I don't think the default should be to look to the registry and instead should look to its files available.
