Trivy incorrectly reports "UNLICENSED" software as "Unencumbered"

[nartreb]

Description

NPM packages commonly write "UNLICENSED" in the license field to indicate a commercial license. (Which, of course, has no SPDX ID.).
When trivy scans these packages, it (rightly) states the license name as "UNLICENSED", but (wrongly) classifies the license as "unencumbered" and therefore LOW severity.

I think the correct behavior is to classify "UNLICENSED" packages as "unknown" license type, "UNKNOWN" severity.

I'm wondering if somehow "UNLICENSED" is matching into the same category as the "Unlicense" (which IS an unencumbered-category, Low-severity license...

Desired Behavior

Packages that clearly indicate commercial license (i.e., NPM packages with "UNLICENSED" in their license SPDX field) should have their licenses reported in a category suitable for commercial licenses. Since Trivy doesn't have a commercial category, the best category would be "unknown".

Actual Behavior

NPM packages marked "UNLICENSED" are categorized as "unencumbered", with LOW severity.

Reproduction Steps

1.  Install an NPM package under commercial license, with SPX-ID field "UNLICENSED".   
    Here's one:  https://www.npmjs.com/package/@license-cop/unlicensed-test-package
     
  Alternatively, edit the package.json of an already-installed NPM package:
     "license": "UNLICENSED",

2.  Run a trivy license scan on the project or directory where the package is installed.

3.  Observe the output, you'll find this package's license categorized as "unencumbered", LOW severity.

Target

Filesystem

Scanner

License

Output Format

Table

Mode

Standalone

Debug Output

n/a

Operating System

linux

Version

latest (as of a few weeks ago anyway)

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @nartreb
Thanks for your report!

NPM packages commonly write "UNLICENSED" in the license field to indicate a commercial license. (Which, of course, has no SPDX ID.).

This is very strange logic.
If this is really the case, then any developer who isn’t aware of it could end up in a very bad situation, since they might use this software believing it’s available to everyone (see the SPDX license description).

Do you have any documentation that points to this kind of behavior?

Regrards, Dmitriy

[nartreb]

Hi Dimitry,

You've linked to the SPDX description for "Unlicense". That is NOT the same as "unlicensed", with a D at the end.

This Stack Overflow page is old, but there are plenty of old (and new!) NPM packages that follow its advice to use "UNLICENSED" (with D) for commercially-licensed packages:
https://stackoverflow.com/questions/32214751/what-should-i-put-in-the-license-field-of-package-json-if-my-code-is-only-for-us

Here's the official NPM doc the above page is referencing, so you can see the advice has some basis in NPM's intent:
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#license

The latest version of the NPM doc remains the same: https://docs.npmjs.com/cli/v11/configuring-npm/package-json#license
---begin quote--
Finally, if you do not wish to grant others the right to use a private or unpublished package under any terms:

{
"license": "UNLICENSED"
}
---- end quote---

That's not quite the same as "commercially licensed", but as the Stack Overflow page points out, it's the closest available choice for commercial packages in NPM. In ten years, NPM has not proposed a better solution.

Here is one example of an NPM package that follows the NPM documentation. The README here is quite explicit about "unlicensed" (with D) being used to mean something quite different from The Unlicense:
https://www.npmjs.com/package/@nxtvid/component-library

I didn't test, but I bet Trivy would (incorrectly) report that package as "unencumbered".

I had some trouble finding actual commercially-licensed examples for you. They're generally not available for direct download from npmjs.com. But for one example, you can spend $120 at https://fontawesome.com/plans/pro to download the commercially-licensed ("pro") parts of Font Awesome.
(Trivy reports all of these as "unencumbered", when they're not:
@fortawesome/pro-duotone-svg-icons
@fortawesome/pro-light-svg-icons
@fortawesome/pro-regular-svg-icons
@fortawesome/pro-solid-svg-icons
@fortawesome/pro-thin-svg-icons
)

But you don't need to spend any money. You should be able to reproduce the behavior by editing the package.json of any existing package to
"license": "UNLICENSED"

which, again, is NOT the same as:
"license": "Unlicense"

[itaysk]

thank you @nartreb for the detailed explanation. I agree - "unlicensed" should be treated as "unknown" in trivy results.

[DmitriyLewen]

Now I see the difference.
Thanks for such a detailed explanation and examples.
I created issue #9610 for this.

UPD: i didn't see that Itay created #9581
Closed #9610

[DmitriyLewen]

track #9610 #9581