
SPDX expressions are lost from CycloneDX if they contain extra parentheses #3441

Closed
pasieronen opened this issue Nov 13, 2024 · 2 comments · Fixed by #3517
Labels
bug Something isn't working

Comments

@pasieronen

What happened:

Given a very minimal CycloneDX SBOM as input:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "library",
      "name": "one",
      "licenses": [{"expression": "BSD-3-Clause OR MIT"}]
    },
    {
      "type": "library",
      "name": "two",
      "licenses": [{"expression": "(BSD-3-Clause OR MIT)"}]
    }
  ]
}

Note that in the input, component "two" has extra parentheses around the SPDX expression (which are allowed by the SPDX spec, as far as I can tell).

Running syft SBOM cataloger and outputting to CycloneDX:

syft scan file:./test.cdx.json --output=cyclonedx-json --select-catalogers "+sbom-cataloger"

What you expected to happen:

I'd expect both components to have licenses in the output. But what happens is that component "one" has the expected license, but component "two" does not have a license at all.

Interestingly enough, if I use --output=json, it looks like both components have licenses....

Environment:

  • Output of syft version:
Application: syft
Version:    1.16.0
BuildDate:  2024-11-04T22:29:33Z
GitCommit:  8a41d772509d37267a65e0b425808e883e4b9dce
GitDescription: v1.16.0
Platform:   darwin/arm64
GoVersion:  go1.22.8
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar): MacOS 14.7.1
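The following Go program is an added example, not part of the issue and not syft's code. It shows the two checks a practitioner would want around this report: a round-trip comparison that flags components whose license information disappeared between an input SBOM and the output SBOM, and a normalizer that strips only parentheses enclosing the whole SPDX expression, so "(BSD-3-Clause OR MIT)" and "BSD-3-Clause OR MIT" compare equal while "(A OR B) AND (C)" is left untouched. The CycloneDX structs are a minimal assumption for this check, and `outputBOM` is a constructed stand-in for the cyclonedx-json output the report describes (component "two" without any license).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal CycloneDX shapes for this check; these are assumptions, not syft's types.
type licenseChoice struct {
	Expression string `json:"expression,omitempty"`
}

type component struct {
	Type     string          `json:"type"`
	Name     string          `json:"name"`
	Licenses []licenseChoice `json:"licenses,omitempty"`
}

type bom struct {
	BomFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []component `json:"components"`
}

// inputBOM mirrors the SBOM from the report. outputBOM is a constructed stand-in
// for the cyclonedx-json output described there: component "two" lost its license.
const inputBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "one", "licenses": [{"expression": "BSD-3-Clause OR MIT"}]},
    {"type": "library", "name": "two", "licenses": [{"expression": "(BSD-3-Clause OR MIT)"}]}
  ]
}`

const outputBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "one", "licenses": [{"expression": "BSD-3-Clause OR MIT"}]},
    {"type": "library", "name": "two"}
  ]
}`

func parseBOM(data string) (bom, error) {
	var b bom
	err := json.Unmarshal([]byte(data), &b)
	return b, err
}

// stripRedundantParens removes parentheses that enclose the whole expression.
// "(A OR B) AND (C)" is left alone because its first '(' closes before the end;
// an unbalanced expression such as "(MIT" is also returned unchanged.
func stripRedundantParens(expr string) string {
	s := strings.TrimSpace(expr)
	for len(s) >= 2 && s[0] == '(' && s[len(s)-1] == ')' {
		depth, wrapsWhole := 0, true
		for i := 0; i < len(s); i++ {
			switch s[i] {
			case '(':
				depth++
			case ')':
				depth--
				if depth == 0 && i != len(s)-1 {
					wrapsWhole = false
				}
			}
		}
		if !wrapsWhole || depth != 0 {
			break
		}
		s = strings.TrimSpace(s[1 : len(s)-1])
	}
	return s
}

// componentsMissingLicenses lists (by name) components that carry a license
// expression in `in` but have no license at all in `out`.
func componentsMissingLicenses(in, out bom) []string {
	have := map[string]bool{}
	for _, c := range out.Components {
		if len(c.Licenses) > 0 {
			have[c.Name] = true
		}
	}
	var lost []string
	for _, c := range in.Components {
		if len(c.Licenses) > 0 && !have[c.Name] {
			lost = append(lost, c.Name)
		}
	}
	return lost
}

func main() {
	in, err := parseBOM(inputBOM)
	if err != nil {
		panic(err)
	}
	out, err := parseBOM(outputBOM)
	if err != nil {
		panic(err)
	}
	for _, name := range componentsMissingLicenses(in, out) {
		fmt.Printf("component %q lost its license in the output\n", name)
	}
	for _, c := range in.Components {
		for _, l := range c.Licenses {
			fmt.Printf("%s: %q normalizes to %q\n", c.Name, l.Expression, stripRedundantParens(l.Expression))
		}
	}
}
```

Run against a real pair of files, the same check takes the input SBOM and the tool's output SBOM as `inputBOM`/`outputBOM`; the normalizer is what lets a license comparison treat the two spellings of the same expression as equal rather than as a difference.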
@pasieronen pasieronen added the bug Something isn't working label Nov 13, 2024
@spiffcs spiffcs moved this to Ready in OSS Nov 20, 2024
@spiffcs spiffcs self-assigned this Nov 20, 2024
@spiffcs
Contributor

spiffcs commented Nov 20, 2024

Thanks @pasieronen! I've reproduced this on my local and have picked this bug up to fix ASAP.

@spiffcs spiffcs moved this from Ready to In Progress in OSS Nov 21, 2024
@spiffcs spiffcs removed their assignment Dec 10, 2024
@willmurphyscode willmurphyscode moved this from In Progress to In Review in OSS Dec 10, 2024
@willmurphyscode
Contributor

Fixed by #3517
