From 56b135ad668d7b08353077af80ec3d4d59db4da9 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani <45800463+rchincha@users.noreply.github.com>
Date: Tue, 30 Jan 2024 09:53:51 -0800
Subject: [PATCH] fix: add support for license detection (#56)
Currently, we are not adding license information into files under a package. Also add detection for debian packages.
Signed-off-by: Ramkumar Chinchani
---
 pkg/distro/apk/apk.go | 2 +-
 pkg/distro/deb/deb.go | 24 +-
 pkg/distro/deb/license.go | 454 ++++++++++++++++++++++++++++++++++++++
 pkg/distro/rpm/rpm.go | 2 +-
 4 files changed, 477 insertions(+), 5 deletions(-)
 create mode 100644 pkg/distro/deb/license.go
diff --git a/pkg/distro/apk/apk.go b/pkg/distro/apk/apk.go
index d3c5a96..c37edf0 100644
--- a/pkg/distro/apk/apk.go
+++ b/pkg/distro/apk/apk.go
@@ -246,7 +246,7 @@ func InstalledPackage(doc *spdx.Document, pkg *IndexEntry, files []string) error {
 Msg("file entry detected")
 sfile := spdx.NewFile()
- sfile.LicenseInfoInFile = "unknown"
+ sfile.LicenseInfoInFile = pkg.PackageLicense
 sfile.SetEntity(
 &spdx.Entity{
 Name: file,
diff --git a/pkg/distro/deb/deb.go b/pkg/distro/deb/deb.go
index bf99dd1..e6286b1 100644
--- a/pkg/distro/deb/deb.go
+++ b/pkg/distro/deb/deb.go
@@ -21,6 +21,8 @@ import (
 "stackerbuild.io/stacker-bom/pkg/buildgen"
 )
+const unknownLicense = "unknown"
+
 // ParsePackage given a deb pkg emits a sbom.
 func ParsePackage(input, output, author, organization, license string) error {
 debfile, _, err := deb.LoadFile(input)
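Review bot: In pkg/distro/apk/apk.go, `sfile.LicenseInfoInFile = pkg.PackageLicense` replaces the "unknown" default with no fallback, so an index entry with an empty license field would leave LicenseInfoInFile empty in the SBOM; the rpm.go hunk has the same shape with `pkg.License`. Nothing visible in either hunk checks the value, and package metadata is not guaranteed to hold a valid SPDX identifier. Keep the old default when the field is empty, e.g. follow the assignment with `if sfile.LicenseInfoInFile == "" { sfile.LicenseInfoInFile = "unknown" }`. InstalledPackage starts and ends outside the hunk in both files, so an earlier check may exist there.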
@@ -114,11 +116,18 @@ func ParsePackage(input, output, author, organization, license string) error {
 }
 if strings.HasPrefix(hdr.Name, "./usr/share/doc/") && strings.HasSuffix(hdr.Name, "copyright") {
- log.Info().Str("path", hdr.Name).Msg("license/copyright found")
 spkg.CopyrightText = string(buf)
+ license = getSpdxLicense(string(buf))
+ log.Info().Str("path", hdr.Name).Str("license", license).Msg("license/copyright found")
 }
 }
+ spkg.LicenseDeclared = license
+
+ for _, file := range spkg.Files() {
+ file.LicenseInfoInFile = license
+ }
+
 if err := bom.WriteDocument(sdoc, output); err != nil {
 log.Error().Err(err).Str("path", output).Msg("unable to write output")
@@ -273,6 +282,8 @@ func InstalledPackages(doc *spdx.Document) error {
 }
 func InstalledPackage(doc *spdx.Document, pkg Package, path string) error {
+ license := unknownLicense
+
 spkg := &spdx.Package{
 Entity: spdx.Entity{
 Name: pkg.Package,
@@ -285,7 +296,7 @@ func InstalledPackage(doc *spdx.Document, pkg Package, path string) error {
 Person: pkg.Maintainer,
 },
 FilesAnalyzed: true,
- LicenseDeclared: "unknown",
+ LicenseDeclared: license,
 }
 fhandle, err := os.Open(path)
@@ -338,7 +349,7 @@ func InstalledPackage(doc *spdx.Document, pkg Package, path string) error {
 Msg("file entry detected")
 sfile := spdx.NewFile()
- sfile.LicenseInfoInFile = "unknown"
+ sfile.LicenseInfoInFile = unknownLicense
 sfile.SetEntity(
 &spdx.Entity{
 Name: line,
@@ -366,9 +377,16 @@ func InstalledPackage(doc *spdx.Document, pkg Package, path string) error {
 }
 spkg.CopyrightText = string(buf)
+ license = getSpdxLicense(string(buf))
 }
 }
+ spkg.LicenseDeclared = license
+
+ for _, file := range spkg.Files() {
+ file.LicenseInfoInFile = license
+ }
+
 if err := doc.AddPackage(spkg); err != nil {
 log.Error().Err(err).Msg("unable to add package to doc")
diff --git a/pkg/distro/deb/license.go b/pkg/distro/deb/license.go
new file mode 100644
index 0000000..5268017
--- /dev/null
+++ b/pkg/distro/deb/license.go
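Review bot: In ParsePackage (hunk -114,11 +116,18), `license = getSpdxLicense(string(buf))` overwrites the `license` argument the caller passed in, and getSpdxLicense returns "unknown" when nothing matches, so an explicitly supplied license is replaced by "unknown" whenever a copyright file is present but not recognized. Keep the caller's value unless detection succeeds: `if detected := getSpdxLicense(string(buf)); detected != unknownLicense { license = detected }`. The assignment appears to sit inside the loop over archive entries, so the last path ending in "copyright" decides the result, here and in the -366,9 +377,16 hunk of InstalledPackage; a one-line comment saying so would help. Both function bodies extend beyond the hunks.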
@@ -0,0 +1,454 @@
+package deb
+
+import "strings"
+
+func getSpdxLicense(text string) string {
+ // https://github.com/Debian/spdx-licenses/blob/master/licenses.md
+ //nolint:lll // long mnemonics
+ licenses := map[string]string{
+ "BSD Zero Clause License": "0BSD",
+ "Attribution Assurance License": "AAL",
+ "Abstyles License": "Abstyles",
+ "Adobe Systems Incorporated Source Code License Agreement": "Adobe-2006",
+ "Adobe Glyph List License": "Adobe-Glyph",
+ "Amazon Digital Services License": "ADSL",
+ "Academic Free License v1.1": "AFL-1.1",
+ "Academic Free License v1.2": "AFL-1.2",
+ "Academic Free License v2.0": "AFL-2.0",
+ "Academic Free License v2.1": "AFL-2.1",
+ "Academic Free License v3.0": "AFL-3.0",
+ "Afmparse License": "Afmparse",
+ "Affero General Public License v1.0 only": "AGPL-1.0-only",
+ "Affero General Public License v1.0 or later": "AGPL-1.0-or-later",
+ "GNU Affero General Public License v3.0 only": "AGPL-3.0-only",
+ "GNU Affero General Public License v3.0 or later": "AGPL-3.0-or-later",
+ "Aladdin Free Public License": "Aladdin",
+ "AMD's plpa_map.c License": "AMDPLPA",
+ "Apple MIT License": "AML",
+ "Academy of Motion Picture Arts and Sciences BSD": "AMPAS",
+ "ANTLR Software Rights Notice": "ANTLR-PD",
+ "Apache License 1.0": "Apache-1.0",
+ "Apache License 1.1": "Apache-1.1",
+ "Apache License 2.0": "Apache-2.0",
+ "Adobe Postscript AFM License": "APAFML",
+ "Adaptive Public License 1.0": "APL-1.0",
+ "Apple Public Source License 1.0": "APSL-1.0",
+ "Apple Public Source License 1.1": "APSL-1.1",
+ "Apple Public Source License 1.2": "APSL-1.2",
+ "Apple Public Source License 2.0": "APSL-2.0",
+ "Artistic License 1.0": "Artistic-1.0",
+ "Artistic License 1.0 w/clause 8": "Artistic-1.0-cl8",
+ "Artistic License 1.0 (Perl)": "Artistic-1.0-Perl",
+ "Artistic License 2.0": "Artistic-2.0",
+ "Bahyph License": "Bahyph",
+ "Barr License": "Barr",
+ "Beerware License": "Beerware",
+ "BitTorrent Open Source License v1.0": "BitTorrent-1.0",
+ "BitTorrent Open Source License v1.1": "BitTorrent-1.1",
+ "SQLite Blessing": "blessing",
+ "Blue Oak Model License 1.0.0": "BlueOak-1.0.0",
+ "Borceux license": "Borceux",
+ "BSD 1-Clause License": "BSD-1-Clause",
+ "BSD 2-Clause \"Simplified\" License": "BSD-2-Clause",
+ "BSD 2-Clause FreeBSD License": "BSD-2-Clause-FreeBSD",
+ "BSD 2-Clause NetBSD License": "BSD-2-Clause-NetBSD",
+ "BSD-2-Clause Plus Patent License": "BSD-2-Clause-Patent",
+ "BSD 3-Clause \"New\" or \"Revised\" License": "BSD-3-Clause",
+ "BSD with attribution": "BSD-3-Clause-Attribution",
+ "BSD 3-Clause Clear License": "BSD-3-Clause-Clear",
+ "Lawrence Berkeley National Labs BSD variant license": "BSD-3-Clause-LBNL",
+ "BSD 3-Clause No Nuclear License": "BSD-3-Clause-No-Nuclear-License",
+ "BSD 3-Clause No Nuclear License 2014": "BSD-3-Clause-No-Nuclear-License-2014",
+ "BSD 3-Clause No Nuclear Warranty": "BSD-3-Clause-No-Nuclear-Warranty",
+ "BSD 3-Clause Open MPI variant": "BSD-3-Clause-Open-MPI",
+ "BSD 4-Clause \"Original\" or \"Old\" License": "BSD-4-Clause",
+ "BSD-4-Clause (University of California-Specific)": "BSD-4-Clause-UC",
+ "BSD Protection License": "BSD-Protection",
+ "BSD Source Code Attribution": "BSD-Source-Code",
+ "Boost Software License 1.0": "BSL-1.0",
+ "bzip2 and libbzip2 License v1.0.5": "bzip2-1.0.5",
+ "bzip2 and libbzip2 License v1.0.6": "bzip2-1.0.6",
+ "Caldera License": "Caldera",
+ "Computer Associates Trusted Open Source License 1.1": "CATOSL-1.1",
+ "Creative Commons Attribution 1.0 Generic": "CC-BY-1.0",
+ "Creative Commons Attribution 2.0 Generic": "CC-BY-2.0",
+ "Creative Commons Attribution 2.5 Generic": "CC-BY-2.5",
+ "Creative Commons Attribution 3.0 Unported": "CC-BY-3.0",
+ "Creative Commons Attribution 4.0 International": "CC-BY-4.0",
+ "Creative Commons Attribution Non Commercial 1.0 Generic": "CC-BY-NC-1.0",
+ "Creative Commons Attribution Non Commercial 2.0 Generic": "CC-BY-NC-2.0",
+ "Creative Commons Attribution Non Commercial 2.5 Generic": "CC-BY-NC-2.5",
+ "Creative Commons Attribution Non Commercial 3.0 Unported": "CC-BY-NC-3.0",
+ "Creative Commons Attribution Non Commercial 4.0 International": "CC-BY-NC-4.0",
+ "Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic": "CC-BY-NC-ND-1.0",
+ "Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic": "CC-BY-NC-ND-2.0",
+ "Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic": "CC-BY-NC-ND-2.5",
+ "Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported": "CC-BY-NC-ND-3.0",
+ "Creative Commons Attribution Non Commercial No Derivatives 4.0 International": "CC-BY-NC-ND-4.0",
+ "Creative Commons Attribution Non Commercial Share Alike 1.0 Generic": "CC-BY-NC-SA-1.0",
+ "Creative Commons Attribution Non Commercial Share Alike 2.0 Generic": "CC-BY-NC-SA-2.0",
+ "Creative Commons Attribution Non Commercial Share Alike 2.5 Generic": "CC-BY-NC-SA-2.5",
+ "Creative Commons Attribution Non Commercial Share Alike 3.0 Unported": "CC-BY-NC-SA-3.0",
+ "Creative Commons Attribution Non Commercial Share Alike 4.0 International": "CC-BY-NC-SA-4.0",
+ "Creative Commons Attribution No Derivatives 1.0 Generic": "CC-BY-ND-1.0",
+ "Creative Commons Attribution No Derivatives 2.0 Generic": "CC-BY-ND-2.0",
+ "Creative Commons Attribution No Derivatives 2.5 Generic": "CC-BY-ND-2.5",
+ "Creative Commons Attribution No Derivatives 3.0 Unported": "CC-BY-ND-3.0",
+ "Creative Commons Attribution No Derivatives 4.0 International": "CC-BY-ND-4.0",
+ "Creative Commons Attribution Share Alike 1.0 Generic": "CC-BY-SA-1.0",
+ "Creative Commons Attribution Share Alike 2.0 Generic": "CC-BY-SA-2.0",
+ "Creative Commons Attribution Share Alike 2.5 Generic": "CC-BY-SA-2.5",
+ "Creative Commons Attribution Share Alike 3.0 Unported": "CC-BY-SA-3.0",
+ "Creative Commons Attribution Share Alike 4.0 International": "CC-BY-SA-4.0",
+ "Creative Commons Public Domain Dedication and Certification": "CC-PDDC",
+ "Creative Commons Zero v1.0 Universal": "CC0-1.0",
+ "Common Development and Distribution License 1.0": "CDDL-1.0",
+ "Common Development and Distribution License 1.1": "CDDL-1.1",
+ "Community Data License Agreement Permissive 1.0": "CDLA-Permissive-1.0",
+ "Community Data License Agreement Sharing 1.0": "CDLA-Sharing-1.0",
+ "CeCILL Free Software License Agreement v1.0": "CECILL-1.0",
+ "CeCILL Free Software License Agreement v1.1": "CECILL-1.1",
+ "CeCILL Free Software License Agreement v2.0": "CECILL-2.0",
+ "CeCILL Free Software License Agreement v2.1": "CECILL-2.1",
+ "CeCILL-B Free Software License Agreement": "CECILL-B",
+ "CeCILL-C Free Software License Agreement": "CECILL-C",
+ "CERN Open Hardware Licence v1.1": "CERN-OHL-1.1",
+ "CERN Open Hardware Licence v1.2": "CERN-OHL-1.2",
+ "Clarified Artistic License": "ClArtistic",
+ "CNRI Jython License": "CNRI-Jython",
+ "CNRI Python License": "CNRI-Python",
+ "CNRI Python Open Source GPL Compatible License Agreement": "CNRI-Python-GPL-Compatible",
+ "Condor Public License v1.1": "Condor-1.1",
+ "copyleft-next 0.3.0": "copyleft-next-0.3.0",
+ "copyleft-next 0.3.1": "copyleft-next-0.3.1",
+ "Common Public Attribution License 1.0": "CPAL-1.0",
+ "Common Public License 1.0": "CPL-1.0",
+ "Code Project Open License 1.02": "CPOL-1.02",
+ "Crossword License": "Crossword",
+ "CrystalStacker License": "CrystalStacker",
+ "CUA Office Public License v1.0": "CUA-OPL-1.0",
+ "Cube License": "Cube",
+ "curl License": "curl",
+ "Deutsche Freie Software Lizenz": "D-FSL-1.0",
+ "diffmark license": "diffmark",
+ "DOC License": "DOC",
+ "Dotseqn License": "Dotseqn",
+ "DSDP License": "DSDP",
+ "dvipdfm License": "dvipdfm",
+ "Educational Community License v1.0": "ECL-1.0",
+ "Educational Community License v2.0": "ECL-2.0",
+ "Eiffel Forum License v1.0": "EFL-1.0",
+ "Eiffel Forum License v2.0": "EFL-2.0",
+ "eGenix.com Public License 1.1.0": "eGenix",
+ "Entessa Public License v1.0": "Entessa",
+ "Eclipse Public License 1.0": "EPL-1.0",
+ "Eclipse Public License 2.0": "EPL-2.0",
+ "Erlang Public License v1.1": "ErlPL-1.1",
+ "Etalab Open License 2.0": "etalab-2.0",
+ "EU DataGrid Software License": "EUDatagrid",
+ "European Union Public License 1.0": "EUPL-1.0",
+ "European Union Public License 1.1": "EUPL-1.1",
+ "European Union Public License 1.2": "EUPL-1.2",
+ "Eurosym License": "Eurosym",
+ "Fair License": "Fair",
+ "Frameworx Open License 1.0": "Frameworx-1.0",
+ "FreeImage Public License v1.0": "FreeImage",
+ "FSF All Permissive License": "FSFAP",
+ "FSF Unlimited License": "FSFUL",
+ "FSF Unlimited License (with License Retention)": "FSFULLR",
+ "Freetype Project License": "FTL",
+ "GNU Free Documentation License v1.1 only": "GFDL-1.1-only",
+ "GNU Free Documentation License v1.1 or later": "GFDL-1.1-or-later",
+ "GNU Free Documentation License v1.2 only": "GFDL-1.2-only",
+ "GNU Free Documentation License v1.2 or later": "GFDL-1.2-or-later",
+ "GNU Free Documentation License v1.3 only": "GFDL-1.3-only",
+ "GNU Free Documentation License v1.3 or later": "GFDL-1.3-or-later",
+ "Giftware License": "Giftware",
+ "GL2PS License": "GL2PS",
+ "3dfx Glide License": "Glide",
+ "Glulxe License": "Glulxe",
+ "gnuplot License": "gnuplot",
+ "GNU General Public License v1.0 only": "GPL-1.0-only",
+ "GNU General Public License v1.0 or later": "GPL-1.0-or-later",
+ "GNU General Public License v2.0 only": "GPL-2.0-only",
+ "GNU General Public License v2.0 or later": "GPL-2.0-or-later",
+ "GNU General Public License v3.0 only": "GPL-3.0-only",
+ "GNU General Public License v3.0 or later": "GPL-3.0-or-later",
+ // add the following as a fallback
+ "GNU General Public License": "GPL-2.0-or-later",
+ "gSOAP Public License v1.3b": "gSOAP-1.3b",
+ "Haskell Language Report License": "HaskellReport",
+ "Historical Permission Notice and Disclaimer": "HPND",
+ "Historical Permission Notice and Disclaimer - sell variant": "HPND-sell-variant",
+ "IBM PowerPC Initialization and Boot Software": "IBM-pibs",
+ "ICU License": "ICU",
+ "Independent JPEG Group License": "IJG",
+ "ImageMagick License": "ImageMagick",
+ "iMatix Standard Function Library Agreement": "iMatix",
+ "Imlib2 License": "Imlib2",
+ "Info-ZIP License": "Info-ZIP",
+ "Intel Open Source License": "Intel",
+ "Intel ACPI Software License Agreement": "Intel-ACPI",
+ "Interbase Public License v1.0": "Interbase-1.0",
+ "IPA Font License": "IPA",
+ "IBM Public License v1.0": "IPL-1.0",
+ "ISC License": "ISC",
+ "JasPer License": "JasPer-2.0",
+ "Japan Network Information Center License": "JPNIC",
+ "JSON License": "JSON",
+ "Licence Art Libre 1.2": "LAL-1.2",
+ "Licence Art Libre 1.3": "LAL-1.3",
+ "Latex2e License": "Latex2e",
+ "Leptonica License": "Leptonica",
+ "GNU Library General Public License v2 only": "LGPL-2.0-only",
+ "GNU Library General Public License v2 or later": "LGPL-2.0-or-later",
+ "GNU Lesser General Public License v2.1 only": "LGPL-2.1-only",
+ "GNU Lesser General Public License v2.1 or later": "LGPL-2.1-or-later",
+ "GNU Lesser General Public License v3.0 only": "LGPL-3.0-only",
+ "GNU Lesser General Public License v3.0 or later": "LGPL-3.0-or-later",
+ "Lesser General Public License For Linguistic Resources": "LGPLLR",
+ "libpng License": "Libpng",
+ "PNG Reference Library version 2": "libpng-2.0",
+ "libselinux public domain notice": "libselinux-1.0",
+ "libtiff License": "libtiff",
+ "Licence Libre du Québec – Permissive version 1.1": "LiLiQ-P-1.1",
+ "Licence Libre du Québec – Réciprocité version 1.1": "LiLiQ-R-1.1",
+ "Licence Libre du Québec – Réciprocité forte version 1.1": "LiLiQ-Rplus-1.1",
+ "Linux Kernel Variant of OpenIB.org license": "Linux-OpenIB",
+ "Lucent Public License Version 1.0": "LPL-1.0",
+ "Lucent Public License v1.02": "LPL-1.02",
+ "LaTeX Project Public License v1.0": "LPPL-1.0",
+ "LaTeX Project Public License v1.1": "LPPL-1.1",
+ "LaTeX Project Public License v1.2": "LPPL-1.2",
+ "LaTeX Project Public License v1.3a": "LPPL-1.3a",
+ "LaTeX Project Public License v1.3c": "LPPL-1.3c",
+ "MakeIndex License": "MakeIndex",
+ "The MirOS Licence": "MirOS",
+ "MIT License": "MIT",
+ "MIT No Attribution": "MIT-0",
+ "Enlightenment License (e16)": "MIT-advertising",
+ "CMU License": "MIT-CMU",
+ "enna License": "MIT-enna",
+ "feh License": "MIT-feh",
+ "MIT +no-false-attribs license": "MITNFA",
+ "Motosoto License": "Motosoto",
+ "mpich2 License": "mpich2",
+ "Mozilla Public License 1.0": "MPL-1.0",
+ "Mozilla Public License 1.1": "MPL-1.1",
+ "Mozilla Public License 2.0": "MPL-2.0",
+ "Mozilla Public License 2.0 (no copyleft exception)": "MPL-2.0-no-copyleft-exception",
+ "Microsoft Public License": "MS-PL",
+ "Microsoft Reciprocal License": "MS-RL",
+ "Matrix Template Library License": "MTLL",
+ "Mulan Permissive Software License, Version 1": "MulanPSL-1.0",
+ "Multics License": "Multics",
+ "Mup License": "Mup",
+ "NASA Open Source Agreement 1.3": "NASA-1.3",
+ "Naumen Public License": "Naumen",
+ "Net Boolean Public License v1": "NBPL-1.0",
+ "University of Illinois/NCSA Open Source License": "NCSA",
+ "Net-SNMP License": "Net-SNMP",
+ "NetCDF license": "NetCDF",
+ "Newsletr License": "Newsletr",
+ "Nethack General Public License": "NGPL",
+ "Norwegian Licence for Open Government Data": "NLOD-1.0",
+ "No Limit Public License": "NLPL",
+ "Nokia Open Source License": "Nokia",
+ "Netizen Open Source License": "NOSL",
+ "Noweb License": "Noweb",
+ "Netscape Public License v1.0": "NPL-1.0",
+ "Netscape Public License v1.1": "NPL-1.1",
+ "Non-Profit Open Software License 3.0": "NPOSL-3.0",
+ "NRL License": "NRL",
+ "NTP License": "NTP",
+ "NTP No Attribution": "NTP-0",
+ "Open CASCADE Technology Public License": "OCCT-PL",
+ "OCLC Research Public License 2.0": "OCLC-2.0",
+ "ODC Open Database License v1.0": "ODbL-1.0",
+ "Open Data Commons Attribution License v1.0": "ODC-By-1.0",
+ "SIL Open Font License 1.0": "OFL-1.0",
+ "SIL Open Font License 1.0 with no Reserved Font Name": "OFL-1.0-no-RFN",
+ "SIL Open Font License 1.0 with Reserved Font Name": "OFL-1.0-RFN",
+ "SIL Open Font License 1.1": "OFL-1.1",
+ "SIL Open Font License 1.1 with no Reserved Font Name": "OFL-1.1-no-RFN",
+ "SIL Open Font License 1.1 with Reserved Font Name": "OFL-1.1-RFN",
+ "Open Government Licence - Canada": "OGL-Canada-2.0",
+ "Open Government Licence v1.0": "OGL-UK-1.0",
+ "Open Government Licence v2.0": "OGL-UK-2.0",
+ "Open Government Licence v3.0": "OGL-UK-3.0",
+ "Open Group Test Suite License": "OGTSL",
+ "Open LDAP Public License v1.1": "OLDAP-1.1",
+ "Open LDAP Public License v1.2": "OLDAP-1.2",
+ "Open LDAP Public License v1.3": "OLDAP-1.3",
+ "Open LDAP Public License v1.4": "OLDAP-1.4",
+ "Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B)": "OLDAP-2.0",
+ "Open LDAP Public License v2.0.1": "OLDAP-2.0.1",
+ "Open LDAP Public License v2.1": "OLDAP-2.1",
+ "Open LDAP Public License v2.2": "OLDAP-2.2",
+ "Open LDAP Public License v2.2.1": "OLDAP-2.2.1",
+ "Open LDAP Public License 2.2.2": "OLDAP-2.2.2",
+ "Open LDAP Public License v2.3": "OLDAP-2.3",
+ "Open LDAP Public License v2.4": "OLDAP-2.4",
+ "Open LDAP Public License v2.5": "OLDAP-2.5",
+ "Open LDAP Public License v2.6": "OLDAP-2.6",
+ "Open LDAP Public License v2.7": "OLDAP-2.7",
+ "Open LDAP Public License v2.8": "OLDAP-2.8",
+ "Open Market License": "OML",
+ "OpenSSL License": "OpenSSL",
+ "Open Public License v1.0": "OPL-1.0",
+ "OSET Public License version 2.1": "OSET-PL-2.1",
+ "Open Software License 1.0": "OSL-1.0",
+ "Open Software License 1.1": "OSL-1.1",
+ "Open Software License 2.0": "OSL-2.0",
+ "Open Software License 2.1": "OSL-2.1",
+ "Open Software License 3.0": "OSL-3.0",
+ "The Parity Public License 6.0.0": "Parity-6.0.0",
+ "ODC Public Domain Dedication & License 1.0": "PDDL-1.0",
+ "PHP License v3.0": "PHP-3.0",
+ "PHP License v3.01": "PHP-3.01",
+ "Plexus Classworlds License": "Plexus",
+ "PostgreSQL License": "PostgreSQL",
+ "Python Software Foundation License 2.0": "PSF-2.0",
+ "psfrag License": "psfrag",
+ "psutils License": "psutils",
+ "Python License 2.0": "Python-2.0",
+ "Qhull License": "Qhull",
+ "Q Public License 1.0": "QPL-1.0",
+ "Rdisc License": "Rdisc",
+ "Red Hat eCos Public License v1.1": "RHeCos-1.1",
+ "Reciprocal Public License 1.1": "RPL-1.1",
+ "Reciprocal Public License 1.5": "RPL-1.5",
+ "RealNetworks Public Source License v1.0": "RPSL-1.0",
+ "RSA Message-Digest License": "RSA-MD",
+ "Ricoh Source Code Public License": "RSCPL",
+ "Ruby License": "Ruby",
+ "Sax Public Domain Notice": "SAX-PD",
+ "Saxpath License": "Saxpath",
+ "SCEA Shared Source License": "SCEA",
+ "Sendmail License": "Sendmail",
+ "Sendmail License 8.23": "Sendmail-8.23",
+ "SGI Free Software License B v1.0": "SGI-B-1.0",
+ "SGI Free Software License B v1.1": "SGI-B-1.1",
+ "SGI Free Software License B v2.0": "SGI-B-2.0",
+ "Solderpad Hardware License v0.5": "SHL-0.5",
+ "Solderpad Hardware License, Version 0.51": "SHL-0.51",
+ "Simple Public License 2.0": "SimPL-2.0",
+ "Sun Industry Standards Source License v1.1": "SISSL",
+ "Sun Industry Standards Source License v1.2": "SISSL-1.2",
+ "Sleepycat License": "Sleepycat",
+ "Standard ML of New Jersey License": "SMLNJ",
+ "Secure Messaging Protocol Public License": "SMPPL",
+ "SNIA Public License 1.1": "SNIA",
+ "Spencer License 86": "Spencer-86",
+ "Spencer License 94": "Spencer-94",
+ "Spencer License 99": "Spencer-99",
+ "Sun Public License v1.0": "SPL-1.0",
+ "SSH OpenSSH license": "SSH-OpenSSH",
+ "SSH short notice": "SSH-short",
+ "Server Side Public License, v 1": "SSPL-1.0",
+ "SugarCRM Public License v1.1.3": "SugarCRM-1.1.3",
+ "Scheme Widget Library (SWL) Software License Agreement": "SWL",
+ "TAPR Open Hardware License v1.0": "TAPR-OHL-1.0",
+ "TCL/TK License": "TCL",
+ "TCP Wrappers License": "TCP-wrappers",
+ "TMate Open Source License": "TMate",
+ "TORQUE v2.5+ Software License v1.1": "TORQUE-1.1",
+ "Trusster Open Source License": "TOSL",
+ "Technische Universitaet Berlin License 1.0": "TU-Berlin-1.0",
+ "Technische Universitaet Berlin License 2.0": "TU-Berlin-2.0",
+ "Upstream Compatibility License v1.0": "UCL-1.0",
+ "Unicode License Agreement - Data Files and Software (2015)": "Unicode-DFS-2015",
+ "Unicode License Agreement - Data Files and Software (2016)": "Unicode-DFS-2016",
+ "Unicode Terms of Use": "Unicode-TOU",
+ "The Unlicense": "Unlicense",
+ "Universal Permissive License v1.0": "UPL-1.0",
+ "Vim License": "Vim",
+ "VOSTROM Public License for Open Source": "VOSTROM",
+ "Vovida Software License v1.0": "VSL-1.0",
+ "W3C Software Notice and License (2002-12-31)": "W3C",
+ "W3C Software Notice and License (1998-07-20)": "W3C-19980720",
+ "W3C Software Notice and Document License (2015-05-13)": "W3C-20150513",
+ "Sybase Open Watcom Public License 1.0": "Watcom-1.0",
+ "Wsuipa License": "Wsuipa",
+ "Do What The F*ck You Want To Public License": "WTFPL",
+ "X11 License": "X11",
+ "Xerox License": "Xerox",
+ "XFree86 License 1.1": "XFree86-1.1",
+ "xinetd License": "xinetd",
+ "X.Net License": "Xnet",
+ "XPP License": "xpp",
+ "XSkat License": "XSkat",
+ "Yahoo! Public License v1.0": "YPL-1.0",
+ "Yahoo! Public License v1.1": "YPL-1.1",
+ "Zed License": "Zed",
+ "Zend License v2.0": "Zend-2.0",
+ "Zimbra Public License v1.3": "Zimbra-1.3",
+ "Zimbra Public License v1.4": "Zimbra-1.4",
+ "zlib License": "Zlib",
+ "zlib/libpng License with Acknowledgement": "zlib-acknowledgement",
+ "Zope Public License 1.1": "ZPL-1.1",
+ "Zope Public License 2.0": "ZPL-2.0",
+ "Zope Public License 2.1": "ZPL-2.1",
+ "389 Directory Server Exception": "389-exception",
+ "Autoconf exception 2.0": "Autoconf-exception-2.0",
+ "Autoconf exception 3.0": "Autoconf-exception-3.0",
+ "Bison exception 2.2": "Bison-exception-2.2",
+ "Bootloader Distribution Exception": "Bootloader-exception",
+ "Classpath exception 2.0": "Classpath-exception-2.0",
+ "CLISP exception 2.0": "CLISP-exception-2.0",
+ "DigiRule FOSS License Exception": "DigiRule-FOSS-exception",
+ "eCos exception 2.0": "eCos-exception-2.0",
+ "Fawkes Runtime Exception": "Fawkes-Runtime-exception",
+ "FLTK exception": "FLTK-exception",
+ "Font exception 2.0": "Font-exception-2.0",
+ "FreeRTOS Exception 2.0": "freertos-exception-2.0",
+ "GCC Runtime Library exception 2.0": "GCC-exception-2.0",
+ "GCC Runtime Library exception 3.1": "GCC-exception-3.1",
+ "GNU JavaMail exception": "gnu-javamail-exception",
+ "GPL-3.0 Linking Exception": "GPL-3.0-linking-exception",
+ "GPL-3.0 Linking Exception (with Corresponding Source)": "GPL-3.0-linking-source-exception",
+ "GPL Cooperation Commitment 1.0": "GPL-CC-1.0",
+ "i2p GPL+Java Exception": "i2p-gpl-java-exception",
+ "Libtool Exception": "Libtool-exception",
+ "Linux Syscall Note": "Linux-syscall-note",
+ "LLVM Exception": "LLVM-exception",
+ "LZMA exception": "LZMA-exception",
+ "Macros and Inline Functions Exception": "mif-exception",
+ "OCaml LGPL Linking Exception": "OCaml-LGPL-linking-exception",
+ "Open CASCADE Exception 1.0": "OCCT-exception-1.0",
+ "OpenJDK Assembly exception 1.0": "OpenJDK-assembly-exception-1.0",
+ "OpenVPN OpenSSL Exception": "openvpn-openssl-exception",
+ "PS/PDF font exception (2017-08-17)": "PS-or-PDF-font-exception-20170817",
+ "Qt GPL exception 1.0": "Qt-GPL-exception-1.0",
+ "Qt LGPL exception 1.1": "Qt-LGPL-exception-1.1",
+ "Qwt exception 1.0": "Qwt-exception-1.0",
+ "Swift Exception": "Swift-exception",
+ "U-Boot exception 2.0": "u-boot-exception-2.0",
+ "Universal FOSS Exception, Version 1.0": "Universal-FOSS-exception-1.0",
+ "WxWindows Library Exception 3.1": "WxWindows-exception-3.1",
+ "Affero General Public License v1.0": "AGPL-1.0",
+ "GNU Affero General Public License v3.0": "AGPL-3.0",
+ "eCos license version 2.0": "eCos-2.0",
+ "GNU Free Documentation License v1.1": "GFDL-1.1",
+ "GNU Free Documentation License v1.2": "GFDL-1.2",
+ "GNU Free Documentation License v1.3": "GFDL-1.3",
+ "GNU General Public License v2.0 w/Autoconf exception": "GPL-2.0-with-autoconf-exception",
+ "GNU General Public License v2.0 w/Bison exception": "GPL-2.0-with-bison-exception",
+ "GNU General Public License v2.0 w/Classpath exception": "GPL-2.0-with-classpath-exception",
+ "GNU General Public License v2.0 w/Font exception": "GPL-2.0-with-font-exception",
+ "GNU General Public License v2.0 w/GCC Runtime Library exception": "GPL-2.0-with-GCC-exception",
+ "GNU General Public License v3.0 w/Autoconf exception": "GPL-3.0-with-autoconf-exception",
+ "GNU General Public License v3.0 w/GCC Runtime Library exception": "GPL-3.0-with-GCC-exception",
+ "GNU Library General Public License v2.1 or later": "LGPL-2.1+",
+ "Nunit License": "Nunit",
+ "wxWindows Library License": "wxWindows",
+ }
+
+ for key, val := range licenses {
+ if strings.Contains(text, key) {
+ return val
+ }
+ }
+
+ return "unknown"
+}
diff --git a/pkg/distro/rpm/rpm.go b/pkg/distro/rpm/rpm.go
index 434397b..6e51fe7 100644
--- a/pkg/distro/rpm/rpm.go
+++ b/pkg/distro/rpm/rpm.go
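Review bot: In pkg/distro/deb/license.go, getSpdxLicense returns on the first `strings.Contains` hit while ranging over a map, and Go randomizes map iteration order, so the result is unstable whenever more than one key matches. Several keys contain others (`"MIT License"` is inside `"Apple MIT License"`, `"Sendmail License"` inside `"Sendmail License 8.23"`, and the `"GNU General Public License"` entry commented as a fallback is inside every versioned GPL name), so the same copyright text can produce different SPDX ids from run to run and the fallback can beat the specific entry. A Debian copyright file that names several licenses is likewise reduced to an arbitrary one of them, which makes LicenseDeclared in the SBOM unreliable for compliance checks. Match in a fixed order with the longest names first, as sketched below (this needs `sort` added to the imports), and return `unknownLicense` rather than the literal so the package has one spelling of the default.

```go
func getSpdxLicense(text string) string {
	// … unchanged: licenses map literal …

	// Map iteration order is randomized, so match in a fixed order:
	// longest name first, so a specific name wins over a shorter name
	// it contains; equal lengths fall back to lexical order.
	names := make([]string, 0, len(licenses))
	for name := range licenses {
		names = append(names, name)
	}

	sort.Slice(names, func(i, j int) bool {
		if len(names[i]) != len(names[j]) {
			return len(names[i]) > len(names[j])
		}

		return names[i] < names[j]
	})

	for _, name := range names {
		if strings.Contains(text, name) {
			return licenses[name]
		}
	}

	return unknownLicense
}
```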
@@ -236,7 +236,7 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error {
 Msg("file entry detected")
 sfile := spdx.NewFile()
- sfile.LicenseInfoInFile = "unknown"
+ sfile.LicenseInfoInFile = pkg.License
 sfile.SetEntity(
 &spdx.Entity{
 Name: ifile.Path,