devicie · Copilot · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/cmd/syft/internal/test/integration/test-fixtures/image-pkg-coverage/pkgs/go/go.mod b/cmd/syft/internal/test/integration/test-fixtures/image-pkg-coverage/pkgs/go/go.mod
@@ -1,7 +1,3 @@
 module github.com/anchore/syft
 
 go 1.14
-
-require (
-	github.com/bmatcuk/doublestar v1.3.1
-)
diff --git a/cmd/syft/internal/test/integration/test-fixtures/image-sbom-cataloger/go.mod b/cmd/syft/internal/test/integration/test-fixtures/image-sbom-cataloger/go.mod
@@ -1,8 +1,3 @@
 module github.com/anchore/syft
 
 go 1.14
-
-require (
-	github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7
-	github.com/bmatcuk/doublestar v1.3.1
-)
diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
@@ -488,7 +488,7 @@ func toPackages(rels *relationship.Index, catalog *pkg.Collection, sbom sbom.SBO
 			//   (i) the SPDX document creator has made no attempt to determine this field; or
 			//   (ii) the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).
 			//
-			PackageCopyrightText: noAssertion,
+			PackageCopyrightText: helpers.Copyright(p),
 
 			// 7.18: Package Summary Description
 			// Cardinality: optional, one

diff --git a/syft/format/common/spdxhelpers/to_format_model_test.go b/syft/format/common/spdxhelpers/to_format_model_test.go
@@ -1056,3 +1056,74 @@ func Test_otherLicenses(t *testing.T) {
 		})
 	}
 }
+
+func Test_PEBinaryCopyright(t *testing.T) {
+	tests := []struct {
+		name     string
+		pkg      pkg.Package
+		expected string
+	}{
+		{
+			name: "PE binary with copyright",
+			pkg: pkg.Package{
+				Name:    "test.exe",
+				Version: "1.0.0",
+				Type:    pkg.BinaryPkg,
+				Metadata: pkg.PEBinary{
+					VersionResources: pkg.KeyValues{
+						{Key: "LegalCopyright", Value: "Copyright (c) 2024 Test Company"},
+						{Key: "ProductName", Value: "Test Product"},
+					},
+				},
+			},
+			expected: "Copyright (c) 2024 Test Company",
+		},
+		{
+			name: "PE binary without copyright",
+			pkg: pkg.Package{
+				Name:    "test.exe",
+				Version: "1.0.0",
+				Type:    pkg.BinaryPkg,
+				Metadata: pkg.PEBinary{
+					VersionResources: pkg.KeyValues{
+						{Key: "ProductName", Value: "Test Product"},
+					},
+				},
+			},
+			expected: helpers.NOASSERTION,
+		},
+		{
+			name: "non-PE binary package",
+			pkg: pkg.Package{
+				Name:     "test-package",
+				Version:  "1.0.0",
+				Type:     pkg.NpmPkg,
+				Metadata: pkg.NpmPackage{},
+			},
+			expected: helpers.NOASSERTION,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			s := sbom.SBOM{
+				Artifacts: sbom.Artifacts{
+					Packages: pkg.NewCollection(test.pkg),
+				},
+			}
+			doc := ToFormatModel(s)
+			require.NotEmpty(t, doc.Packages)
+
+			// Find the package (not the root)
+			var foundPkg *spdx.Package
+			for _, p := range doc.Packages {
+				if p.PackageName == test.pkg.Name {
+					foundPkg = p
+					break
+				}
+			}
+			require.NotNil(t, foundPkg, "package not found in SPDX document")
+			assert.Equal(t, test.expected, foundPkg.PackageCopyrightText)
+		})
+	}
+}
diff --git a/syft/format/internal/spdxutil/helpers/copyright.go b/syft/format/internal/spdxutil/helpers/copyright.go
@@ -0,0 +1,18 @@
+package helpers
+
+import "github.com/anchore/syft/syft/pkg"
+
+// Copyright extracts copyright text from package metadata.
+// For PE binaries, it returns the LegalCopyright field from version resources.
+// Returns NOASSERTION if no copyright information is available.
+func Copyright(p pkg.Package) string {
+	if hasMetadata(p) {
+		switch metadata := p.Metadata.(type) {
+		case pkg.PEBinary:
+			if copyright, ok := metadata.VersionResources.Get("LegalCopyright"); ok && copyright != "" {
+				return copyright
+			}
+		}
+	}
+	return NOASSERTION
+}
diff --git a/syft/format/internal/spdxutil/helpers/copyright_test.go b/syft/format/internal/spdxutil/helpers/copyright_test.go
@@ -0,0 +1,80 @@
+package helpers
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/anchore/syft/syft/pkg"
+)
+
+func TestCopyright(t *testing.T) {
+	tests := []struct {
+		name     string
+		pkg      pkg.Package
+		expected string
+	}{
+		{
+			name: "PE binary with LegalCopyright",
+			pkg: pkg.Package{
+				Name: "test",
+				Metadata: pkg.PEBinary{
+					VersionResources: pkg.KeyValues{
+						{Key: "LegalCopyright", Value: "Copyright (c) 2024 Test Company"},
+						{Key: "ProductName", Value: "Test Product"},
+					},
+				},
+			},
+			expected: "Copyright (c) 2024 Test Company",
+		},
+		{
+			name: "PE binary without LegalCopyright",
+			pkg: pkg.Package{
+				Name: "test",
+				Metadata: pkg.PEBinary{
+					VersionResources: pkg.KeyValues{
+						{Key: "ProductName", Value: "Test Product"},
+					},
+				},
+			},
+			expected: NOASSERTION,
+		},
+		{
+			name: "PE binary with empty LegalCopyright",
+			pkg: pkg.Package{
+				Name: "test",
+				Metadata: pkg.PEBinary{
+					VersionResources: pkg.KeyValues{
+						{Key: "LegalCopyright", Value: ""},
+						{Key: "ProductName", Value: "Test Product"},
+					},
+				},
+			},
+			expected: NOASSERTION,
+		},
+		{
+			name: "non-PE binary package",
+			pkg: pkg.Package{
+				Name: "test",
+				Metadata: pkg.NpmPackage{
+					Name: "test-package",
+				},
+			},
+			expected: NOASSERTION,
+		},
+		{
+			name: "package with no metadata",
+			pkg: pkg.Package{
+				Name: "test",
+			},
+			expected: NOASSERTION,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := Copyright(tt.pkg)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
diff --git a/syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/one-package/go.mod b/syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/one-package/go.mod
@@ -1,7 +1,3 @@
 module github.com/anchore/syft
 
 go 1.14
-
-require (
-	github.com/bmatcuk/doublestar v1.3.1
-)
diff --git a/syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/one-package/go.sum b/syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/one-package/go.sum
@@ -1 +0,0 @@
-github.com/bmatcuk/doublestar v1.3.1/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=

diff --git a/syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/relative-replace/go.mod b/syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/relative-replace/go.mod
@@ -2,6 +2,4 @@ module github.com/aws/aws-sdk-go-v2/feature/ec2/imds
 
 go 1.22
 
-require github.com/aws/aws-sdk-go-v2 v1.36.3
-
 replace github.com/aws/aws-sdk-go-v2 => ../../../
diff --git a/syft/pkg/cataloger/golang/test-fixtures/go-sum-hashes/go.mod b/syft/pkg/cataloger/golang/test-fixtures/go-sum-hashes/go.mod
@@ -2,10 +2,4 @@ module github.com/anchore/syft
 
 go 1.18
 
-require (
-	github.com/CycloneDX/cyclonedx-go v0.7.0
-	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
-	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
-)
-
 replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.6.0
diff --git a/syft/pkg/cataloger/golang/test-fixtures/go-sum-hashes/go.sum b/syft/pkg/cataloger/golang/test-fixtures/go-sum-hashes/go.sum
@@ -1,18 +0,0 @@
-github.com/CycloneDX/cyclonedx-go v0.6.0/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg=
-github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
-github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
-github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
-github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
-github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
-github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
-github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
Original file line number	Diff line number	Diff line change
		@@ -1 +0,0 @@
		github.com/bmatcuk/doublestar v1.3.1/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,6 +2,4 @@ module github.com/aws/aws-sdk-go-v2/feature/ec2/imds

		go 1.22

		require github.com/aws/aws-sdk-go-v2 v1.36.3

		replace github.com/aws/aws-sdk-go-v2 => ../../../