### Description
`trivy fs` with the `VIRTUAL_ENV` environment variable silently excludes Python packages that have non-standard SPDX license identifiers in their METADATA files. This causes critical AGPL-licensed packages to be completely missing from scan results, creating a false sense of security and potential license compliance violations.
### Impact
- Security/Compliance Risk: AGPL and other restrictively-licensed packages are not reported
- Silent Failure: No warning or error is shown when packages are dropped
- Inconsistent Behavior: `trivy rootfs` correctly detects these packages, but `trivy fs` does not
- False Negatives: Organizations relying on `trivy fs` for license compliance may unknowingly violate license restrictions
### Root Cause
Python packages use non-standard SPDX identifiers in their METADATA files. The `pip` analyzer used by `trivy fs` fails to normalize these, while the `packaging` analyzer used by `trivy rootfs` handles them correctly.

anki (`site-packages/anki-24.11.dist-info/METADATA`):
```
License: AGPL-3
Classifier: License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)
```
- Not a valid SPDX identifier (should be `AGPL-3.0-or-later`)
- `trivy fs`: Drops the package entirely ❌
- `trivy rootfs`: Normalizes to `AGPL-3.0-or-later` ✅

ultralytics (`site-packages/ultralytics-8.3.234.dist-info/METADATA`):
```
License: AGPL-3.0
```
- Missing the `-or-later` suffix
- `trivy fs`: Drops the package entirely ❌
- `trivy rootfs`: Normalizes to `AGPL-3.0-or-later` ✅

gensim (works correctly):
```
License: LGPL-2.1-only
```
- Both `trivy fs` and `trivy rootfs` detect it correctly ✅
### Evidence
Debug output shows `trivy fs` does read the package but excludes it from results:
```bash
$ VIRTUAL_ENV=/path/to/env trivy fs requirements.txt --scanners=license --debug 2>&1 | grep anki
DEBUG [python] License acquired from METADATA classifiers ... name="anki" version="24.11"
```
However, when listing results:
```bash
$ VIRTUAL_ENV=/path/to/env trivy fs requirements.txt --scanners=license | grep anki
# No output - package silently dropped
```
### Comparison Table

| Package | METADATA License Field | trivy fs | trivy rootfs |
|---|---|---|---|
| anki | `AGPL-3` | ❌ Not reported | ✅ `AGPL-3.0-or-later` (CRITICAL) |
| ultralytics | `AGPL-3.0` | ❌ Not reported | ✅ `AGPL-3.0-or-later` (CRITICAL) |
| gensim | `LGPL-2.1-only` | ✅ Detected (HIGH) | ✅ Detected (HIGH) |
This issue particularly affects organizations scanning for license compliance, as AGPL is typically flagged as a forbidden license due to its copyleft requirements. The silent failure means that critical compliance violations may go undetected.
The inconsistency between `trivy fs` and `trivy rootfs` behavior suggests that `trivy rootfs` has more robust license parsing/normalization logic that should be applied to `trivy fs` as well.

Note: This issue was discovered while scanning pixi-managed Python environments, but affects any Python virtual environment (venv, virtualenv, conda, pixi, etc.) when using `trivy fs` with `VIRTUAL_ENV`.
### Desired Behavior
`trivy fs` should handle non-standard SPDX identifiers like `trivy rootfs` does:
- Normalize common variants (e.g., `AGPL-3` → `AGPL-3.0-or-later`, `LGPL-2.1` → `LGPL-2.1-only`)
- Fall back to license classifiers if the `License:` field is unparseable
- Warn about unparseable licenses instead of silently dropping packages
- Maintain consistency between `fs` and `rootfs` scanners
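The three steps above (normalize known variants, fall back to `License ::` classifiers, warn rather than drop) as a small stand-alone cross-check you can run over the METADATA files of a virtual environment. This is an added example, not Trivy's code; the SPDX subset, the variant and classifier mappings, and the sample METADATA texts are all constructed for illustration.

```python
# Added example (not Trivy code): parse dist-info METADATA text, normalize license
# strings as the report asks trivy fs to, and warn instead of dropping a package.
from email.parser import Parser

# Illustrative subset of valid SPDX identifiers (assumption, not a full list)
SPDX_IDS = {"AGPL-3.0-only", "AGPL-3.0-or-later", "LGPL-2.1-only", "MIT", "Apache-2.0"}
# Variant normalizations the report lists under "Desired Behavior"
VARIANTS = {"AGPL-3": "AGPL-3.0-or-later", "AGPL-3.0": "AGPL-3.0-or-later",
            "LGPL-2.1": "LGPL-2.1-only"}
# Trove "License ::" classifier leaf -> SPDX (constructed subset)
CLASSIFIERS = {
    "GNU Affero General Public License v3 or later (AGPLv3+)": "AGPL-3.0-or-later",
    "GNU Affero General Public License v3": "AGPL-3.0-only",
}

def resolve_license(metadata_text):
    """Return (name, version, spdx_or_None, source); never drops the package."""
    msg = Parser().parsestr(metadata_text)      # METADATA is RFC 822-style headers
    name, version = msg.get("Name"), msg.get("Version")
    raw = (msg.get("License") or "").strip()
    if raw in SPDX_IDS:
        return name, version, raw, "license-field"
    if raw in VARIANTS:                          # 1. normalize common variants
        return name, version, VARIANTS[raw], "normalized"
    for cls in msg.get_all("Classifier", []):    # 2. fall back to classifiers
        if cls.startswith("License ::"):
            leaf = cls.split("::")[-1].strip()
            if leaf in CLASSIFIERS:
                return name, version, CLASSIFIERS[leaf], "classifier"
    return name, version, None, "unparseable"   # 3. caller warns, keeps package

def scan(metadata_texts):
    """Report every package; unresolved licenses become UNKNOWN plus a warning."""
    findings, warnings = [], []
    for text in metadata_texts:
        name, version, spdx, source = resolve_license(text)
        if spdx is None:
            warnings.append(f"{name}=={version}: license {source}, reported as UNKNOWN")
            spdx = "UNKNOWN"
        findings.append((name, version, spdx, source))
    return findings, warnings

# Constructed METADATA samples modelled on the report's packages (not real files)
SAMPLES = [
    "Name: anki\nVersion: 24.11\nLicense: AGPL-3\nClassifier: License :: OSI Approved"
    " :: GNU Affero General Public License v3 or later (AGPLv3+)\n",
    "Name: ultralytics\nVersion: 8.3.234\nLicense: AGPL-3.0\n",
    "Name: gensim\nVersion: 4.3.2\nLicense: LGPL-2.1-only\n",
    "Name: mystery\nVersion: 0.1\nLicense: see LICENSE.txt\n",
]
```

To use it against a real environment, pass the contents of each `site-packages/*.dist-info/METADATA` file to `scan()` and diff the package names against the `trivy fs` report; any name present here but absent there is a silently dropped package.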
### Actual Behavior
When scanning the same Python environment:
- `trivy fs` with `VIRTUAL_ENV` reports only 1 package with a license (gensim) and 0 CRITICAL findings
- Packages with non-SPDX license strings (anki with `AGPL-3`, ultralytics with `AGPL-3.0`) are silently excluded from the report
- No warning or error message indicates that packages were dropped
- Debug logs show anki is read from METADATA but it never appears in the final output
### Reproduction Steps
```bash
# 1. Create a virtual environment and install packages
python3 -m venv test_env
source test_env/bin/activate
pip install anki==24.11 ultralytics==8.3.234 gensim==4.3.2
# Alternative with pixi:
# pixi init && pixi add anki==24.11 ultralytics==8.3.234 gensim==4.3.2

# 2. Create requirements.txt
pip freeze > requirements.txt

# 3. Scan with trivy fs (FAILS - missing AGPL packages)
VIRTUAL_ENV=$(pwd)/test_env trivy fs requirements.txt \
  --scanners=license \
  --severity=CRITICAL,HIGH
# Expected: Should report anki and ultralytics with AGPL licenses
# Actual: Only reports gensim

# 4. Scan with trivy rootfs (WORKS - finds all packages)
trivy rootfs test_env \
  --scanners=license \
  --severity=CRITICAL,HIGH
# Expected: Should report same packages as trivy fs
# Actual: Correctly reports packages including anki and ultralytics
```
### Target
Filesystem
### Scanner
License
### Output Format
None
### Mode
Standalone
### Debug Output
Running `trivy fs` with the `--debug` flag shows that anki is being read but not included in the results:
```bash
$ VIRTUAL_ENV=/path/to/env trivy fs requirements.txt --scanners=license --debug 2>&1 | grep -i anki
2025-12-12T20:56:59-05:00 DEBUG [python] License acquired from METADATA classifiers may be subject to additional terms name="anki" version="24.11"
```
Full scan output (without debug):
```bash
$ VIRTUAL_ENV=/path/to/env trivy fs requirements.txt --scanners=license --severity=CRITICAL,HIGH --skip-db-update
2025-12-12T20:56:59-05:00 INFO [license] License scanning is enabled
2025-12-12T20:56:59-05:00 INFO [python] Licenses acquired from one or more METADATA files may be subject to additional terms. Use `--debug` flag to see all affected packages.
Report Summary
┌──────────────────┬──────┬──────────┐
│ Target │ Type │ Licenses │
├──────────────────┼──────┼──────────┤
│ requirements.txt │ - │ 2 │
└──────────────────┴──────┴──────────┘
requirements.txt (license)
Total: 1 (HIGH: 1, CRITICAL: 0)
┌──────────┬───────────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
├──────────┼───────────────┼────────────────┼──────────┤
│ gensim │ LGPL-2.1-only │ Restricted │ HIGH │
├──────────┼───────────────┤ │ │
│
└──────────┴───────────────┴────────────────┴──────────┘
```
Note: anki is missing from the output despite being in requirements.txt and detected in debug logs.

For comparison, `trivy rootfs` correctly finds anki:
```bash
$ trivy rootfs /path/to/env --scanners=license --severity=CRITICAL,HIGH --skip-db-update
2025-12-12T20:59:03-05:00 INFO [license] License scanning is enabled
2025-12-12T20:59:04-05:00 INFO [python] Licenses acquired from one or more METADATA files may be subject to additional terms.
Report Summary
┌─────────────────────────────────────────────────────────────────────┬──────┬──────────┐
│ Target │ Type │ Licenses │
├─────────────────────────────────────────────────────────────────────┼──────┼──────────┤
│ lib/python3.12/site-packages/anki-24.11.dist-info/METADATA │ - │ 1 │
├─────────────────────────────────────────────────────────────────────┼──────┼──────────┤
│ lib/python3.12/site-packages/gensim-4.3.2.dist-info/METADATA │ - │ 1 │
├─────────────────────────────────────────────────────────────────────┼──────┼──────────┤
├─────────────────────────────────────────────────────────────────────┼──────┼──────────┤
│ ... (1 more packages) │ │ │
└─────────────────────────────────────────────────────────────────────┴──────┴──────────┘
Python (license)
Total: 3 (HIGH: 1, CRITICAL: 2)
┌────────────────┬───────────────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
├────────────────┼───────────────────┼────────────────┼──────────┤
│ anki │ AGPL-3.0-or-later │ Forbidden │ CRITICAL │
├────────────────┼───────────────────┼────────────────┼──────────┤
│ ultralytics │ AGPL-3.0-or-later │ Forbidden │ CRITICAL │
├────────────────┼───────────────────┼────────────────┼──────────┤
│ gensim │ LGPL-2.1-only │ Restricted │ HIGH │
├────────────────┼───────────────────┤ │ │
└────────────────┴───────────────────┴────────────────┴──────────┘
```
### Operating System
Linux
### Version
```bash
0.65.0
(installed with pixi: `pixi add trivy`)
```