• syft (version v1.36.0) generated (aiofiles version 25.1.0): /packages/from-purl?pUrl=pkg%3Apypi%2Faiofiles%4025.1.0
• pgutil (version v2.2.9) generated (tzdata version 2025.1): /packages/from-purl?pUrl=pkg%3Apypi%2Ftzdata%402025.1

I presume the hyperlink/pURL not working is the cause for the license information not being populated?

Running the analyze command on a build version produces the following output,

No Remote Metadata Provider was found for "pkg:pypi/aiofile@3.11.1"
Analyzing compliance for aiofile 3.11.1...
Beginning license rule analysis...
Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
The package is not cached or local to any feed; without package metadata, license detection is limited.
No licenses detected on package; applying undectableLicense rule (Warn)
License rule analysis complete.
Policy "Global" considers aged packages (3 years) Warn
The package is not cached or local to any feed; cannot determine Publish Date.
Policy "Global" considers recently published (7 days) Compliant
The package is not cached or local to any feed; cannot determine Publish Date.
Analysis resulted in a Warn result.
aiofile 3.11.1 is Warn Publish Date (Recent, Aged) is unknown; No license detected
Creating issues for build...
0 issues found.

We also tried manually including the license information in the SBOM and uploading it, this also didn't appear to fix the license field being "unknown".

We also tried enable the OSS metadata updating & caching for pypi.org, the error message did change, but still results in a message stating that pypi has no support for remote metadata.

Relevant versions:

• SBOM format was CycloneDX version 1.6
• proget version 2025.26 (Build 11)