Syft sometimes reports URL for license value when scanning JARs with a URL in Bundle-License field of manifest

[willmurphyscode]

What happened:

When scanning licenses from JARs from https://mvnrepository.com/artifact/net.bytebuddy/byte-buddy/1.14.11 or https://mvnrepository.com/artifact/commons-io/commons-io/2.16.1, Syft reports a license object like this (Syft JSON output):

    {
      "value": "https://www.apache.org/licenses/LICENSE-2.0.txt",
      "spdxExpression": "",
      "type": "declared",
      "urls": [],
      "locations": [
        {
          "path": "/commons-io-2.16.1.jar",
          "accessPath": "/commons-io-2.16.1.jar",
          "annotations": {
            "evidence": "primary"
          }
        }
      ]
    }

What you expected to happen:

Syft should report Apache-2.0 for spdxExpression and a URL for the URL.

Steps to reproduce the issue:

cd $(mktemp -d)
wget https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy/1.14.11/byte-buddy-1.14.11.jar
wget https://repo1.maven.org/maven2/commons-io/commons-io/2.16.1/commons-io-2.16.1.jar
syft -o json dir:. | jq '.artifacts[] | { name: .name, licenses: .licenses }'

Anything else we need to know?:

• This was reported on discourse

• syft/syft/pkg/cataloger/java/parse_java_manifest.go

  Line 258 in f2caf45

  "Bundle-License",

  is where Syft assumes that Bundle-License always points to a license name.

Environment:

• Output of syft version:

❯ syft version
Application: syft
Version:    1.11.1
BuildDate:  2024-08-20T15:45:33Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/arm64
GoVersion:  go1.23.0
Compiler:   gc

• OS (e.g: cat /etc/os-release or similar):
  M1 Mac