feat: detect when full license text has been provided and preserve as separate field (#3450)

* feat: add full text field to syft license struct --------- Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
2025-11-17 16:33:21 +01:00 · 2025-05-01 15:00:46 -04:00 · 2025-05-01 15:00:46 -04:00 · 94e63eb367
commit 94e63eb367
parent 4999de4114
23 changed files with 3282 additions and 426 deletions
--- a/internal/constants.go
+++ b/internal/constants.go
@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.26"
+	JSONSchemaVersion = "16.0.27"
 )
--- a/schema/json/schema-16.0.27.json
+++ b/schema/json/schema-16.0.27.json
--- a/schema/json/schema-latest.json
+++ b/schema/json/schema-latest.json
@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.26/document",
+  "$id": "anchore.io/schema/syft/json/16.0.27/document",
  "$ref": "#/$defs/Document",
  "$defs": {
    "AlpmDbEntry": {
@ -1391,6 +1391,9 @@
        "value": {
          "type": "string"
        },
        "fullText": {
          "type": "string"
        },
        "spdxExpression": {
          "type": "string"
        },
@ -1416,6 +1419,7 @@
      "type": "object",
      "required": [
        "value",
        "fullText",
        "spdxExpression",
        "type",
        "urls",
--- a/syft/format/common/spdxhelpers/to_format_model.go
+++ b/syft/format/common/spdxhelpers/to_format_model.go
@ -759,13 +759,18 @@ func toOtherLicenses(catalog *pkg.Collection) []*spdx.OtherLicense {
 	for _, id := range ids {
 		license := licenses[id]
 		value := license.Value
 		fullText := license.FullText
 		// handle cases where LicenseRef needs to be included in hasExtractedLicensingInfos
 		if license.Value == "" {
 			value, _ = strings.CutPrefix(license.ID, "LicenseRef-")
 		}
 		other := &spdx.OtherLicense{
 			LicenseIdentifier: license.ID,
-			ExtractedText:     value,
+		}
 		if fullText != "" {
 			other.ExtractedText = fullText
 		} else {
 			other.ExtractedText = value
 		}
 		customPrefix := spdxlicense.LicenseRefPrefix + helpers.SanitizeElementID(internallicenses.UnknownLicensePrefix)
 		if strings.HasPrefix(license.ID, customPrefix) {
--- a/syft/format/internal/spdxutil/helpers/license.go
+++ b/syft/format/internal/spdxutil/helpers/license.go
@ -5,7 +5,6 @@ import (
 	"fmt"
 	"strings"
 	"github.com/anchore/syft/internal/licenses"
 	"github.com/anchore/syft/internal/spdxlicense"
 	"github.com/anchore/syft/syft/license"
 	"github.com/anchore/syft/syft/pkg"
@ -59,39 +58,14 @@ func joinLicenses(licenses []SPDXLicense) string {
 }
 type SPDXLicense struct {
-	ID    string
+	ID       string
-	Value string
+	Value    string
 	FullText string
 }
 func ParseLicenses(raw []pkg.License) (concluded, declared []SPDXLicense) {
 	for _, l := range raw {
-		if l.Value == "" {
+		candidate := createSPDXLicense(l)
 			continue
 		}
 		candidate := SPDXLicense{}
 		if l.SPDXExpression != "" && !strings.HasPrefix(l.SPDXExpression, licenses.UnknownLicensePrefix) {
 			candidate.ID = l.SPDXExpression
 		} else {
 			candidate.Value = l.Value
 			// we did not find a valid SPDX license ID so treat as separate license
 			if strings.HasPrefix(l.SPDXExpression, licenses.UnknownLicensePrefix) {
 				candidate.ID = spdxlicense.LicenseRefPrefix + SanitizeElementID(l.SPDXExpression)
 				if len(l.Contents) > 0 {
 					candidate.Value = l.Contents
 				}
 			} else {
 				if len(l.Value) <= 64 {
 					// if the license text is less than the size of the hash,
 					// just use it directly so the id is more readable
 					candidate.ID = spdxlicense.LicenseRefPrefix + SanitizeElementID(l.Value)
 				} else {
 					hash := sha256.Sum256([]byte(l.Value))
 					candidate.ID = fmt.Sprintf("%s%x", spdxlicense.LicenseRefPrefix, hash)
 				}
 			}
 		}
 		switch l.Type {
 		case license.Concluded:
 			concluded = append(concluded, candidate)
@ -102,3 +76,33 @@ func ParseLicenses(raw []pkg.License) (concluded, declared []SPDXLicense) {
 	return concluded, declared
 }
 func createSPDXLicense(l pkg.License) SPDXLicense {
 	candidate := SPDXLicense{
 		ID:       generateLicenseID(l),
 		FullText: l.FullText,
 	}
 	if l.SPDXExpression == "" {
 		candidate.Value = l.Value
 	}
 	return candidate
 }
 func generateLicenseID(l pkg.License) string {
 	if l.SPDXExpression != "" {
 		return l.SPDXExpression
 	}
 	if l.Value != "" {
 		return licenseSum(l.Value)
 	}
 	return licenseSum(l.FullText)
 }
 func licenseSum(s string) string {
 	if len(s) <= 64 {
 		return spdxlicense.LicenseRefPrefix + SanitizeElementID(s)
 	}
 	hash := sha256.Sum256([]byte(s))
 	return fmt.Sprintf("%s%x", spdxlicense.LicenseRefPrefix, hash)
 }
--- a/syft/format/internal/testutil/test-fixtures/snapshot/TestImageEncoder.golden
+++ b/syft/format/internal/testutil/test-fixtures/snapshot/TestImageEncoder.golden
@ -0,0 +1,130 @@
 {
 "artifacts": [
  {
   "id": "25f6913140cb5286",
   "name": "package-1",
   "version": "1.0.1",
   "type": "python",
   "foundBy": "the-cataloger-1",
   "locations": [
    {
     "path": "/somefile-1.txt",
     "layerID": "sha256:100d5a55f9032faead28b7427fa3e650e4f0158f86ea89d06e1489df00cb8c6f",
     "accessPath": "/somefile-1.txt"
    }
   ],
   "licenses": [
    {
     "value": "MIT",
     "fullText": "",
     "spdxExpression": "MIT",
     "type": "declared",
     "urls": [],
     "locations": []
    }
   ],
   "language": "python",
   "cpes": [
    {
     "cpe": "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*",
     "source": "syft-generated"
    }
   ],
   "purl": "a-purl-1",
   "metadataType": "python-package",
   "metadata": {
    "name": "package-1",
    "version": "1.0.1",
    "author": "",
    "authorEmail": "",
    "platform": "",
    "sitePackagesRootPath": ""
   }
  },
  {
   "id": "4b756c6f6fb127a3",
   "name": "package-2",
   "version": "2.0.1",
   "type": "deb",
   "foundBy": "the-cataloger-2",
   "locations": [
    {
     "path": "/somefile-2.txt",
     "layerID": "sha256:000fb9200890d3a19138478b20023023c0dce1c54352007c2863716780f049eb",
     "accessPath": "/somefile-2.txt"
    }
   ],
   "licenses": [],
   "language": "",
   "cpes": [
    {
     "cpe": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*",
     "source": "nvd-cpe-dictionary"
    }
   ],
   "purl": "pkg:deb/debian/package-2@2.0.1",
   "metadataType": "dpkg-db-entry",
   "metadata": {
    "package": "package-2",
    "source": "",
    "version": "2.0.1",
    "sourceVersion": "",
    "architecture": "",
    "maintainer": "",
    "installedSize": 0,
    "files": null
   }
  }
 ],
 "artifactRelationships": [],
 "source": {
  "id": "34d40fdc6ca13e9a3fa18415db216b50bff047716fae7d95a225c09732fe83fb",
  "name": "user-image-input",
  "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
  "type": "image",
  "metadata": {
   "userInput": "user-image-input",
   "imageID": "sha256:bf783ea304a3f02b5c7d2ece521800f5e2182e65ed5bb5116f578e17d6e82be4",
   "manifestDigest": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "tags": [
    "stereoscope-fixture-image-simple:85066c51088bdd274f7a89e99e00490f666c49e72ffc955707cd6e18f0e22c5b"
   ],
   "imageSize": 38,
   "layers": [
    {
     "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
     "digest": "sha256:100d5a55f9032faead28b7427fa3e650e4f0158f86ea89d06e1489df00cb8c6f",
     "size": 22
    },
    {
     "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
     "digest": "sha256:000fb9200890d3a19138478b20023023c0dce1c54352007c2863716780f049eb",
     "size": 16
    }
   ],
   "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NzIsImRpZ2VzdCI6InNoYTI1NjpiZjc4M2VhMzA0YTNmMDJiNWM3ZDJlY2U1MjE4MDBmNWUyMTgyZTY1ZWQ1YmI1MTE2ZjU3OGUxN2Q2ZTgyYmU0In0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjoxMDBkNWE1NWY5MDMyZmFlYWQyOGI3NDI3ZmEzZTY1MGU0ZjAxNThmODZlYTg5ZDA2ZTE0ODlkZjAwY2I4YzZmIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OjAwMGZiOTIwMDg5MGQzYTE5MTM4NDc4YjIwMDIzMDIzYzBkY2UxYzU0MzUyMDA3YzI4NjM3MTY3ODBmMDQ5ZWIifV19",
   "config": "eyJhcmNoaXRlY3R1cmUiOiJhcm02NCIsImNvbmZpZyI6eyJFbnYiOlsiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iXSwiV29ya2luZ0RpciI6Ii8iLCJPbkJ1aWxkIjpudWxsfSwiY3JlYXRlZCI6IjIwMjMtMDktMjhUMTI6MjM6MzUuNDAwNjcyODg1WiIsImhpc3RvcnkiOlt7ImNyZWF0ZWQiOiIyMDIzLTA5LTI4VDEyOjIzOjM1LjM5Mzk4NjUxWiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZS0xLnR4dCAvc29tZWZpbGUtMS50eHQgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyMy0wOS0yOFQxMjoyMzozNS40MDA2NzI4ODVaIiwiY3JlYXRlZF9ieSI6IkFERCBmaWxlLTIudHh0IC9zb21lZmlsZS0yLnR4dCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifV0sIm9zIjoibGludXgiLCJyb290ZnMiOnsidHlwZSI6ImxheWVycyIsImRpZmZfaWRzIjpbInNoYTI1NjoxMDBkNWE1NWY5MDMyZmFlYWQyOGI3NDI3ZmEzZTY1MGU0ZjAxNThmODZlYTg5ZDA2ZTE0ODlkZjAwY2I4YzZmIiwic2hhMjU2OjAwMGZiOTIwMDg5MGQzYTE5MTM4NDc4YjIwMDIzMDIzYzBkY2UxYzU0MzUyMDA3YzI4NjM3MTY3ODBmMDQ5ZWIiXX19",
   "repoDigests": [],
   "architecture": "",
   "os": ""
  }
 },
 "distro": {
  "prettyName": "debian",
  "name": "debian",
  "id": "debian",
  "idLike": [
   "like!"
  ],
  "version": "1.2.3",
  "versionID": "1.2.3"
 },
 "descriptor": {
  "name": "syft",
  "version": "v0.42.0-bogus",
  "configuration": {
   "config-key": "config-value"
  }
 }
 }
--- a/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
+++ b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@ -1,106 +0,0 @@
 {
 "spdxVersion": "SPDX-2.3",
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
 "name": "user-image-input",
 "documentNamespace":"redacted",
 "creationInfo": {
  "licenseListVersion":"redacted",
  "creators": [
   "Organization: Anchore, Inc",
   "Tool: syft-v0.42.0-bogus"
  ],
  "created":"redacted"
 },
 "packages": [
  {
   "name": "package-1",
   "SPDXID": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "versionInfo": "1.0.1",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "MIT",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "a-purl-1"
    }
   ]
  },
  {
   "name": "package-2",
   "SPDXID": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3",
   "versionInfo": "2.0.1",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:deb/debian/package-2@2.0.1"
    }
   ]
  },
  {
   "name": "user-image-input",
   "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input",
   "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA256",
     "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch="
    }
   ],
   "primaryPackagePurpose": "CONTAINER"
  }
 ],
 "relationships": [
  {
   "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input",
   "relatedSpdxElement": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input",
   "relatedSpdxElement": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DOCUMENT",
   "relatedSpdxElement": "SPDXRef-DocumentRoot-Image-user-image-input",
   "relationshipType": "DESCRIBES"
  }
 ]
 }
--- a/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@ -1,246 +0,0 @@
 {
 "spdxVersion": "SPDX-2.3",
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
 "name": "user-image-input",
 "documentNamespace":"redacted",
 "creationInfo": {
  "licenseListVersion":"redacted",
  "creators": [
   "Organization: Anchore, Inc",
   "Tool: syft-v0.42.0-bogus"
  ],
  "created":"redacted"
 },
 "packages": [
  {
   "name": "package-1",
   "SPDXID": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "versionInfo": "1.0.1",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "MIT",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "a-purl-1"
    }
   ]
  },
  {
   "name": "package-2",
   "SPDXID": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3",
   "versionInfo": "2.0.1",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:deb/debian/package-2@2.0.1"
    }
   ]
  },
  {
   "name": "user-image-input",
   "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input",
   "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA256",
     "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch="
    }
   ],
   "primaryPackagePurpose": "CONTAINER"
  }
 ],
 "files": [
  {
   "fileName": "/a1/f6",
   "SPDXID": "SPDXRef-File-a1-f6-9c2f7510199b17f6",
   "fileTypes": [
    "OTHER"
   ],
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "0000000000000000000000000000000000000000"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseInfoInFiles": [
    "NOASSERTION"
   ],
   "copyrightText": "NOASSERTION"
  },
  {
   "fileName": "/d1/f3",
   "SPDXID": "SPDXRef-File-d1-f3-c6f5b29dca12661f",
   "fileTypes": [
    "OTHER"
   ],
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "0000000000000000000000000000000000000000"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseInfoInFiles": [
    "NOASSERTION"
   ],
   "copyrightText": "NOASSERTION"
  },
  {
   "fileName": "/d2/f4",
   "SPDXID": "SPDXRef-File-d2-f4-c641caa71518099f",
   "fileTypes": [
    "OTHER"
   ],
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "0000000000000000000000000000000000000000"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseInfoInFiles": [
    "NOASSERTION"
   ],
   "copyrightText": "NOASSERTION"
  },
  {
   "fileName": "/f1",
   "SPDXID": "SPDXRef-File-f1-5265a4dde3edbf7c",
   "fileTypes": [
    "OTHER"
   ],
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "0000000000000000000000000000000000000000"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseInfoInFiles": [
    "NOASSERTION"
   ],
   "copyrightText": "NOASSERTION"
  },
  {
   "fileName": "/f2",
   "SPDXID": "SPDXRef-File-f2-f9e49132a4b96ccd",
   "fileTypes": [
    "OTHER"
   ],
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "0000000000000000000000000000000000000000"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseInfoInFiles": [
    "NOASSERTION"
   ],
   "copyrightText": "NOASSERTION"
  },
  {
   "fileName": "/z1/f5",
   "SPDXID": "SPDXRef-File-z1-f5-839d99ee67d9d174",
   "fileTypes": [
    "OTHER"
   ],
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "0000000000000000000000000000000000000000"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseInfoInFiles": [
    "NOASSERTION"
   ],
   "copyrightText": "NOASSERTION"
  }
 ],
 "relationships": [
  {
   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "relatedSpdxElement": "SPDXRef-File-f1-5265a4dde3edbf7c",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "relatedSpdxElement": "SPDXRef-File-z1-f5-839d99ee67d9d174",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "relatedSpdxElement": "SPDXRef-File-a1-f6-9c2f7510199b17f6",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "relatedSpdxElement": "SPDXRef-File-d2-f4-c641caa71518099f",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "relatedSpdxElement": "SPDXRef-File-d1-f3-c6f5b29dca12661f",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "relatedSpdxElement": "SPDXRef-File-f2-f9e49132a4b96ccd",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input",
   "relatedSpdxElement": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input",
   "relatedSpdxElement": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DOCUMENT",
   "relatedSpdxElement": "SPDXRef-DocumentRoot-Image-user-image-input",
   "relationshipType": "DESCRIBES"
  }
 ]
 }
--- a/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@ -0,0 +1,60 @@
 SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
 DocumentNamespace: redacted
 LicenseListVersion: redacted
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
 Created: redacted
 ##### Package: user-image-input
 PackageName: user-image-input
 SPDXID: SPDXRef-DocumentRoot-Image-user-image-input
 PackageVersion: sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
 PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
 PackageLicenseConcluded: NOASSERTION
 PackageLicenseDeclared: NOASSERTION
 ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=
 ##### Package: package-2
 PackageName: package-2
 SPDXID: SPDXRef-Package-deb-package-2-4b756c6f6fb127a3
 PackageVersion: 2.0.1
 PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from DPKG DB: /somefile-2.txt
 PackageLicenseConcluded: NOASSERTION
 PackageLicenseDeclared: NOASSERTION
 PackageCopyrightText: NOASSERTION
 ExternalRef: SECURITY cpe23Type cpe:2.3:*:some:package:2:*:*:*:*:*:*:*
 ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
 ##### Package: package-1
 PackageName: package-1
 SPDXID: SPDXRef-Package-python-package-1-25f6913140cb5286
 PackageVersion: 1.0.1
 PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from installed python package manifest file: /somefile-1.txt
 PackageLicenseConcluded: NOASSERTION
 PackageLicenseDeclared: MIT
 PackageCopyrightText: NOASSERTION
 ExternalRef: SECURITY cpe23Type cpe:2.3:*:some:package:1:*:*:*:*:*:*:*
 ExternalRef: PACKAGE-MANAGER purl a-purl-1
 ##### Relationships
 Relationship: SPDXRef-DocumentRoot-Image-user-image-input CONTAINS SPDXRef-Package-python-package-1-25f6913140cb5286
 Relationship: SPDXRef-DocumentRoot-Image-user-image-input CONTAINS SPDXRef-Package-deb-package-2-4b756c6f6fb127a3
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DocumentRoot-Image-user-image-input
--- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
+++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@ -15,7 +15,7 @@
 "packages": [
  {
   "name": "package-1",
-   "SPDXID": "SPDXRef-Package-python-package-1-5a2b1ae000fcb51e",
+   "SPDXID": "SPDXRef-Package-python-package-1-cf21bacaa74c8c08",
   "versionInfo": "1.0.1",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
@ -76,7 +76,7 @@
 "relationships": [
  {
   "spdxElementId": "SPDXRef-DocumentRoot-Directory-some-path",
-   "relatedSpdxElement": "SPDXRef-Package-python-package-1-5a2b1ae000fcb51e",
+   "relatedSpdxElement": "SPDXRef-Package-python-package-1-cf21bacaa74c8c08",
   "relationshipType": "CONTAINS"
  },
  {
--- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
+++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@ -15,7 +15,7 @@
 "packages": [
  {
   "name": "package-1",
-   "SPDXID": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "SPDXID": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "versionInfo": "1.0.1",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
@ -90,7 +90,7 @@
 "relationships": [
  {
   "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input",
-   "relatedSpdxElement": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "relatedSpdxElement": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "relationshipType": "CONTAINS"
  },
  {
--- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@ -15,7 +15,7 @@
 "packages": [
  {
   "name": "package-1",
-   "SPDXID": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "SPDXID": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "versionInfo": "1.0.1",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
@ -199,38 +199,38 @@
 ],
 "relationships": [
  {
-   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "spdxElementId": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "relatedSpdxElement": "SPDXRef-File-f1-5265a4dde3edbf7c",
   "relationshipType": "CONTAINS"
  },
  {
-   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "spdxElementId": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "relatedSpdxElement": "SPDXRef-File-z1-f5-839d99ee67d9d174",
   "relationshipType": "CONTAINS"
  },
  {
-   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "spdxElementId": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "relatedSpdxElement": "SPDXRef-File-a1-f6-9c2f7510199b17f6",
   "relationshipType": "CONTAINS"
  },
  {
-   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "spdxElementId": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "relatedSpdxElement": "SPDXRef-File-d2-f4-c641caa71518099f",
   "relationshipType": "CONTAINS"
  },
  {
-   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "spdxElementId": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "relatedSpdxElement": "SPDXRef-File-d1-f3-c6f5b29dca12661f",
   "relationshipType": "CONTAINS"
  },
  {
-   "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "spdxElementId": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "relatedSpdxElement": "SPDXRef-File-f2-f9e49132a4b96ccd",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input",
-   "relatedSpdxElement": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450",
+   "relatedSpdxElement": "SPDXRef-Package-python-package-1-2d8996d6f81313df",
   "relationshipType": "CONTAINS"
  },
  {
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@ -91,7 +91,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
 ##### Package: package-1
 PackageName: package-1
-SPDXID: SPDXRef-Package-python-package-1-c5cf7ac34cbca450
+SPDXID: SPDXRef-Package-python-package-1-2d8996d6f81313df
 PackageVersion: 1.0.1
 PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
@ -105,13 +105,13 @@ ExternalRef: PACKAGE-MANAGER purl a-purl-1
 ##### Relationships
-Relationship: SPDXRef-Package-python-package-1-c5cf7ac34cbca450 CONTAINS SPDXRef-File-f1-5265a4dde3edbf7c
+Relationship: SPDXRef-Package-python-package-1-2d8996d6f81313df CONTAINS SPDXRef-File-f1-5265a4dde3edbf7c
-Relationship: SPDXRef-Package-python-package-1-c5cf7ac34cbca450 CONTAINS SPDXRef-File-z1-f5-839d99ee67d9d174
+Relationship: SPDXRef-Package-python-package-1-2d8996d6f81313df CONTAINS SPDXRef-File-z1-f5-839d99ee67d9d174
-Relationship: SPDXRef-Package-python-package-1-c5cf7ac34cbca450 CONTAINS SPDXRef-File-a1-f6-9c2f7510199b17f6
+Relationship: SPDXRef-Package-python-package-1-2d8996d6f81313df CONTAINS SPDXRef-File-a1-f6-9c2f7510199b17f6
-Relationship: SPDXRef-Package-python-package-1-c5cf7ac34cbca450 CONTAINS SPDXRef-File-d2-f4-c641caa71518099f
+Relationship: SPDXRef-Package-python-package-1-2d8996d6f81313df CONTAINS SPDXRef-File-d2-f4-c641caa71518099f
-Relationship: SPDXRef-Package-python-package-1-c5cf7ac34cbca450 CONTAINS SPDXRef-File-d1-f3-c6f5b29dca12661f
+Relationship: SPDXRef-Package-python-package-1-2d8996d6f81313df CONTAINS SPDXRef-File-d1-f3-c6f5b29dca12661f
-Relationship: SPDXRef-Package-python-package-1-c5cf7ac34cbca450 CONTAINS SPDXRef-File-f2-f9e49132a4b96ccd
+Relationship: SPDXRef-Package-python-package-1-2d8996d6f81313df CONTAINS SPDXRef-File-f2-f9e49132a4b96ccd
-Relationship: SPDXRef-DocumentRoot-Image-user-image-input CONTAINS SPDXRef-Package-python-package-1-c5cf7ac34cbca450
+Relationship: SPDXRef-DocumentRoot-Image-user-image-input CONTAINS SPDXRef-Package-python-package-1-2d8996d6f81313df
 Relationship: SPDXRef-DocumentRoot-Image-user-image-input CONTAINS SPDXRef-Package-deb-package-2-4b756c6f6fb127a3
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DocumentRoot-Image-user-image-input
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@ -38,7 +38,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
 ##### Package: package-1
 PackageName: package-1
-SPDXID: SPDXRef-Package-python-package-1-5a2b1ae000fcb51e
+SPDXID: SPDXRef-Package-python-package-1-cf21bacaa74c8c08
 PackageVersion: 1.0.1
 PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
@ -52,7 +52,7 @@ ExternalRef: PACKAGE-MANAGER purl a-purl-2
 ##### Relationships
-Relationship: SPDXRef-DocumentRoot-Directory-some-path CONTAINS SPDXRef-Package-python-package-1-5a2b1ae000fcb51e
+Relationship: SPDXRef-DocumentRoot-Directory-some-path CONTAINS SPDXRef-Package-python-package-1-cf21bacaa74c8c08
 Relationship: SPDXRef-DocumentRoot-Directory-some-path CONTAINS SPDXRef-Package-deb-package-2-39392bb5e270f669
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DocumentRoot-Directory-some-path
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@ -41,7 +41,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
 ##### Package: package-1
 PackageName: package-1
-SPDXID: SPDXRef-Package-python-package-1-c5cf7ac34cbca450
+SPDXID: SPDXRef-Package-python-package-1-2d8996d6f81313df
 PackageVersion: 1.0.1
 PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
@ -55,7 +55,7 @@ ExternalRef: PACKAGE-MANAGER purl a-purl-1
 ##### Relationships
-Relationship: SPDXRef-DocumentRoot-Image-user-image-input CONTAINS SPDXRef-Package-python-package-1-c5cf7ac34cbca450
+Relationship: SPDXRef-DocumentRoot-Image-user-image-input CONTAINS SPDXRef-Package-python-package-1-2d8996d6f81313df
 Relationship: SPDXRef-DocumentRoot-Image-user-image-input CONTAINS SPDXRef-Package-deb-package-2-4b756c6f6fb127a3
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DocumentRoot-Image-user-image-input
--- a/syft/format/syftjson/model/package.go
+++ b/syft/format/syftjson/model/package.go
@ -47,6 +47,7 @@ type licenses []License
 type License struct {
 	Value          string          `json:"value"`
 	FullText       string          `json:"fullText"`
 	SPDXExpression string          `json:"spdxExpression"`
 	Type           license.Type    `json:"type"`
 	URLs           []string        `json:"urls"`
--- a/syft/format/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden
+++ b/syft/format/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden
@ -1,7 +1,7 @@
 {
 "artifacts": [
  {
-   "id": "5a2b1ae000fcb51e",
+   "id": "cf21bacaa74c8c08",
   "name": "package-1",
   "version": "1.0.1",
   "type": "python",
@ -15,6 +15,7 @@
   "licenses": [
    {
     "value": "MIT",
     "fullText": "",
     "spdxExpression": "MIT",
     "type": "declared",
     "urls": [],
--- a/syft/format/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden
+++ b/syft/format/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden
@ -1,7 +1,7 @@
 {
 "artifacts": [
  {
-   "id": "ad3ecac55fe1c30f",
+   "id": "783177db0211edb6",
   "name": "package-1",
   "version": "1.0.1",
   "type": "python",
@ -15,6 +15,7 @@
   "licenses": [
    {
     "value": "MIT",
     "fullText": "",
     "spdxExpression": "MIT",
     "type": "declared",
     "urls": [],
--- a/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden
+++ b/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden
@ -1,7 +1,7 @@
 {
 "artifacts": [
  {
-   "id": "c5cf7ac34cbca450",
+   "id": "2d8996d6f81313df",
   "name": "package-1",
   "version": "1.0.1",
   "type": "python",
@ -16,6 +16,7 @@
   "licenses": [
    {
     "value": "MIT",
     "fullText": "",
     "spdxExpression": "MIT",
     "type": "declared",
     "urls": [],
--- a/syft/format/syftjson/to_format_model.go
+++ b/syft/format/syftjson/to_format_model.go
@ -230,6 +230,7 @@ func toLicenseModel(pkgLicenses []pkg.License) (modelLicenses []model.License) {
 		modelLicenses = append(modelLicenses, model.License{
 			Value:          l.Value,
 			FullText:       l.FullText,
 			SPDXExpression: l.SPDXExpression,
 			Type:           l.Type,
 			URLs:           urls,
--- a/syft/pkg/license.go
+++ b/syft/pkg/license.go
@ -25,9 +25,15 @@ var _ sort.Interface = (*Licenses)(nil)
 // in order to distinguish if packages should be kept separate
 // this is different for licenses since we're only looking for evidence
 // of where a license was declared/concluded for a given package
 // If a license is given as it's full text in the metadata rather than it's value or SPDX expression
 // The FullText field is used to represent this data
 // A Concluded License type is the license the SBOM creator believes governs the package (human crafted or altered SBOM)
 // The Declared License is what the authors of a project believe govern the package. This is the default type syft declares.
 type License struct {
 	Value          string
 	SPDXExpression string
 	Value          string
 	FullText       string
 	Type           license.Type
 	URLs           []string         `hash:"ignore"`
 	Locations      file.LocationSet `hash:"ignore"`
@ -68,8 +74,16 @@ func NewLicense(value string) License {
 }
 func NewLicenseFromType(value string, t license.Type) License {
-	var spdxExpression string
+	var (
-	if value != "" {
+		spdxExpression string
 		fullText       string
 	)
 	// Check parsed value for newline character to see if it's the full license text
 	// License: <HERE IS THE FULL TEXT> <Expressions>
 	// DO we want to also submit file name when determining fulltext
 	if strings.Contains(strings.TrimSpace(value), "\n") {
 		fullText = value
 	} else {
 		var err error
 		spdxExpression, err = license.ParseExpression(value)
 		if err != nil {
@ -77,6 +91,14 @@ func NewLicenseFromType(value string, t license.Type) License {
 		}
 	}
 	if fullText != "" {
 		return License{
 			FullText:  fullText,
 			Type:      t,
 			Locations: file.NewLocationSet(),
 		}
 	}
 	return License{
 		Value:          value,
 		SPDXExpression: spdxExpression,
@ -99,7 +121,7 @@ func NewLicensesFromLocation(location file.Location, values ...string) (licenses
 		}
 		licenses = append(licenses, NewLicenseFromLocations(v, location))
 	}
-	return
+	return licenses
 }
 func NewLicenseFromLocations(value string, locations ...file.Location) License {
@ -157,6 +179,10 @@ func NewLicenseFromFields(value, url string, location *file.Location) License {
 	return l
 }
 func (s License) Empty() bool {
 	return s.Value == "" && s.SPDXExpression == "" && s.FullText == ""
 }
 // Merge two licenses into a new license object. If the merge is not possible due to unmergeable fields
 // (e.g. different values for Value, SPDXExpression, Type, or any non-collection type) an error is returned.
 // TODO: this is a bit of a hack to not infinitely recurse when hashing a license
--- a/syft/pkg/license_set.go
+++ b/syft/pkg/license_set.go
@ -50,15 +50,16 @@ func (s *LicenseSet) Add(licenses ...License) {
 		s.set = make(map[artifact.ID]License)
 	}
 	for _, l := range licenses {
-		// we only want to add licenses that have a value
+		// we only want to add licenses that are not empty
 		if l.Empty() {
 			continue
 		}
 		// note, this check should be moved to the license constructor in the future
-		if l.Value != "" {
+		if id, merged, err := s.addToExisting(l); err == nil && !merged {
-			if id, merged, err := s.addToExisting(l); err == nil && !merged {
+			// doesn't exist, add it
-				// doesn't exist, add it
+			s.set[id] = l
-				s.set[id] = l
+		} else if err != nil {
-			} else if err != nil {
+			log.WithFields("error", err, "license", l).Trace("failed to add license to license set")
 				log.Trace("license set failed to add license %#v: %+v", l, err)
 			}
 		}
 	}
 }
--- a/syft/pkg/license_test.go
+++ b/syft/pkg/license_test.go
@ -13,7 +13,6 @@ import (
 )
 func Test_Hash(t *testing.T) {
 	loc1 := file.NewLocation("place!")
 	loc1.FileSystemID = "fs1"
 	loc2 := file.NewLocation("place!")
@ -227,6 +226,33 @@ func TestLicense_Merge(t *testing.T) {
 	}
 }
 func TestFullText(t *testing.T) {
 	fullText := `I am a license with full text
 	my authors put new line characters in metadata for labeling a license`
 	tests := []struct {
 		name  string
 		value string
 		want  License
 	}{
 		{
 			name:  "Full Text field is populated with the correct full text",
 			value: fullText,
 			want: License{
 				Value:    "",
 				Type:     license.Declared,
 				FullText: fullText,
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got := NewLicense(tt.value)
 			assert.Equal(t, tt.want, got)
 		})
 	}
 }
 func TestLicenseConstructors(t *testing.T) {
 	type input struct {
 		value string
@ -244,7 +270,6 @@ func TestLicenseConstructors(t *testing.T) {
 				urls: []string{
 					`
 						http://user-agent-utils.googlecode.com/svn/trunk/UserAgentUtils/LICENSE.txt
 					`},
 			},
 			expected: License{