cdxgen server mode does not collect license information for dotnet project

[gxuan0328]

I use export FETCH_LICENSE=true and cdxgen --server run cdxgen service to generate sbom for me. I try my dotnet project to test how it work, I first time I call the api it return same result just like I run cdxgen in my local project directory. And then I call api again with the same project url, this time response data does not contains licenses and externalReferences in component section. That's weird situation. It would result any other project can not successfully get full information in the generate sbom even if I set the correct FETCH_LICENSE.

After I trace the source code, I found that there is a cache metadata_cache for the processed packages, if the package has been query will set it into the cache, so after the first time query this package, will skip all the logic for collect package information from internet.

Is any body face the same problem? If that's a bug, how can I try to fix it?

[prabhu]

This is clearly a bug. Can you send a pull request to fix this?