fix: properly decode SPDX license expressions in CycloneDX format
This fixes the issue reported at anchore#3172,
where Syft would drop SPDX licenses due to a logic error in the decoder.

CycloneDX specifications require `components[].licenses[].license` to be nil
when `components[].licenses[].expression` (SPDX) is non-nil.

Signed-off-by: Mikail Kocak <mikail-gh@pm.me>
NyanKiyoshi committed Aug 29, 2024
1 parent 731fc77 commit fb85c70
Showing 2 changed files with 5 additions and 8 deletions.
9 changes: 3 additions & 6 deletions syft/format/internal/cyclonedxutil/helpers/licenses.go
Expand Up @@ -54,17 +54,14 @@ func decodeLicenses(c *cyclonedx.Component) []pkg.License {
}

for _, l := range *c.Licenses {
if l.License == nil {
continue
}
// these fields are mutually exclusive in the spec
switch {
case l.License.ID != "":
case l.License != nil && l.License.ID != "":
licenses = append(licenses, pkg.NewLicenseFromURLs(l.License.ID, l.License.URL))
case l.License.Name != "":
case l.License != nil && l.License.Name != "":
licenses = append(licenses, pkg.NewLicenseFromURLs(l.License.Name, l.License.URL))
case l.Expression != "":
licenses = append(licenses, pkg.NewLicenseFromURLs(l.Expression, l.License.URL))
licenses = append(licenses, pkg.NewLicense(l.Expression))
default:
}
}
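Review bot: The comment "these fields are mutually exclusive in the spec" describes the input contract, but the new switch does not enforce it: a non-conforming document that sets both `license` and `expression` matches the first `l.License != nil` case and the SPDX expression is silently dropped, which is the same class of data loss this commit set out to fix. Making the precedence explicit in the comment would spare the next reader the same surprise, e.g. `// these fields are mutually exclusive in the spec; if a non-conforming document sets both, the license object wins and the expression is ignored`. Separately, the empty `default:` arm now does nothing and could be removed. The enclosing decodeLicenses function starts before the hunk and continues after it.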
4 changes: 2 additions & 2 deletions syft/format/internal/cyclonedxutil/helpers/licenses_test.go
Expand Up @@ -254,7 +254,8 @@ func TestDecodeLicenses(t *testing.T) {
input: &cyclonedx.Component{
Licenses: &cyclonedx.Licenses{
{
License: &cyclonedx.License{},
// CycloneDX specification doesn't allow to provide License if Expression is provided
License: nil,
Expression: "MIT AND GPL-3.0-only WITH Classpath-exception-2.0",
},
},
Expand All @@ -264,7 +265,6 @@ func TestDecodeLicenses(t *testing.T) {
Value: "MIT AND GPL-3.0-only WITH Classpath-exception-2.0",
SPDXExpression: "MIT AND GPL-3.0-only WITH Classpath-exception-2.0",
Type: license.Declared,
URLs: []string{},
},
},
},
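Review bot: Replacing the table entry's input with `License: nil` covers the shape that triggered the bug, but the previous shape (`License: &cyclonedx.License{}` alongside an `Expression`) no longer has a test, even though the decoder still has to handle it through its third switch case. Keeping that input as a second table entry with the same expected output would pin both shapes, so a later change to the nil-guarded cases cannot regress either one unnoticed. The enclosing TestDecodeLicenses table starts before the hunk and continues after it.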
