License text classification doesn't work as expected

[parrot55]

Description

I launched a license scan, passing a custom config file (see trivy-custom.yaml in attachment).

I launched trivy in WSL with the following command:
trivy image --format table --scanners license --config trivy-custom.yaml --insecure --debug aquasec/trivy

I also launched it in docker:
docker run -v $(pwd):/project aquasec/trivy image --format table --scanners license --config /project/trivy-custom.yaml --ignorefile /project/.trivyignore --insecure --debug aquasec/trivy

The result is the same in both cases: GPL-2.0 licenses are not classified (i.e. are unknown/UNKNOWN) when using license text like "text://GPL-2.0.*" (see trivy-custom.yaml in attachment).

The config file trivy-custom.yaml is in UTF-8. But I also tried to convert it to ANSI, with the same result.

Attachments:
trivy.log
trivy-custom.yaml

Desired Behavior

When scanning licenses with licence text, licenses are categorized as described in the documentation.
E.g.
license:
forbidden:
- "text://GPL-2.*"
classifies "GPL-2.0-only" and "GPL-2.0-or-later" as "forbidden" licenses

Actual Behavior

In the example I used, GPL-2.0-or-later and GPL-2.0-only are classified as "Non Standard" or "unknown", with a severity of "UNKNOWN" (see trivy.log in attachment)

Reproduction Steps

1. create a default trivy-default.yaml, rename it into trivy-custom.yaml
2. remove all licenses listed under `license:restricted`
3. in `license:restricted`, add "text://GPL-2.0.*"
4. Execute `trivy image --format table --scanners license --config trivy-custom.yaml --insecure --debug aquasec/trivy`

Target

Container Image

Scanner

License

Output Format

Table

Mode

Standalone

Debug Output

2025-08-27T09:07:14+02:00       DEBUG   No plugins loaded
2025-08-27T09:07:14+02:00       INFO    Loaded  file_path="trivy-default.yaml"
2025-08-27T09:07:14+02:00       DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-08-27T09:07:14+02:00       DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-08-27T09:07:14+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-08-27T09:07:14+02:00       DEBUG   Ignore statuses statuses=[]
2025-08-27T09:07:14+02:00       INFO    [license] License scanning is enabled
2025-08-27T09:07:14+02:00       DEBUG   Initializing scan cache...      type="fs"
2025-08-27T09:07:14+02:00       DEBUG   [notification] Running version check
2025-08-27T09:07:14+02:00       DEBUG   Created process-specific temp directory path="/tmp/trivy-2366"
2025-08-27T09:07:14+02:00       DEBUG   [image] Image found     image="aquasec/trivy" source="docker"
2025-08-27T09:07:14+02:00       DEBUG   [image] Detected image ID       image_id="sha256:c6675fdd56741a56ac95e59d4095ffc55ef5a6c37153b061c33ccb33c251cf77"
2025-08-27T09:07:14+02:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:99eca4446e9b7d38262fc65bfc17968258138a9f211d863ce3ea910185ebc6ab sha256:64897815a30db96270f37bb82403ee6a1622c08d44eeb675434c0d9ca7fdebfe sha256:1309eaad9d633ad24023ea4352393cde48e243b02c95bb64ce2aae29344ce405]
2025-08-27T09:07:14+02:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350]
2025-08-27T09:07:14+02:00       DEBUG   Found an ignore file    file_path=".trivyignore"
2025-08-27T09:07:14+02:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌─────────────┬──────┬──────────┐
│   Target    │ Type │ Licenses │
├─────────────┼──────┼──────────┤
│ OS Packages │  -   │    35    │
└─────────────┴──────┴──────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


OS Packages (license)

Total: 35 (UNKNOWN: 16, LOW: 17, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────────────────┬───────────────────┬────────────────┬──────────┐
│        Package         │      License      │ Classification │ Severity │
├────────────────────────┼───────────────────┼────────────────┼──────────┤
│ alpine-baselayout      │ GPL-2.0-only      │ Non Standard   │ UNKNOWN  │
├────────────────────────┤                   │                │          │
│ alpine-baselayout-data │                   │                │          │

Operating System

WSL2 with Ubuntu 22.04.5 LTS

Version

Version: 0.65.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-08-21 06:28:10.725857663 +0000 UTC
  NextUpdate: 2025-08-22 06:28:10.725857382 +0000 UTC
  DownloadedAt: 2025-08-21 07:39:57.256479563 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-08-19 00:55:26.706626647 +0000 UTC
  NextUpdate: 2025-08-22 00:55:26.706626477 +0000 UTC
  DownloadedAt: 2025-08-19 13:35:59.482106014 +0000 UTC
Check Bundle:
  Digest: sha256:ae151c4eecf35c507d8f866121ddfbf46540b041bc7bca7cdd8d9f70ceb6f12c
  DownloadedAt: 2024-10-25 10:00:39.6654706 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @parrot55

As we wrote in docs - regex works only for text licenses (license with text:// prefix).

e.g. python image contains these licenses:

➜ trivy image --format json --scanners license --config trivy-custom.yaml --insecure -q --list-all-pkgs aquasec/trivy | grep "text://"
➜ trivy image --format json --scanners license --config trivy-custom.yaml --insecure -q --list-all-pkgs aquasec/trivy | grep GPL-2.0
            "GPL-2.0-only"
            "GPL-2.0-only"
            ...
➜ trivy image --format json --scanners license --config trivy-custom.yaml --insecure -q --list-all-pkgs python | grep "text://"  
            "text://Redistribution and use in source and binary forms, with or without",
            "text://By obtaining, using, and/or copying this software and/or its",
            ...

Regards, Dmitriy