oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 16:33:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: Do not use hashes for SPDX license names/expressions (#3844)

Browse Source 
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
This commit is contained in:
Christopher Angelo Phillips 2025-05-02 09:34:08 -04:00 committed by GitHub
parent 94e63eb367
commit 6ba087c72c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 54 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
syft/format/internal/spdxutil/helpers/license.go
View File

@ -94,7 +94,7 @@ func generateLicenseID(l pkg.License) string {
return l.SPDXExpression return l.SPDXExpression
} }
if l.Value != "" { if l.Value != "" {
return licenseSum(l.Value) return spdxlicense.LicenseRefPrefix + SanitizeElementID(l.Value)
} }
return licenseSum(l.FullText) return licenseSum(l.FullText)
} }

52
syft/format/internal/spdxutil/helpers/license_test.go
View File

@ -105,6 +105,58 @@ func Test_License(t *testing.T) {
} }
} }
func TestGenerateLicenseID(t *testing.T) {
tests := []struct {
name string
license pkg.License
expected string
}{
{
name: "SPDX expression is preferred",
license: pkg.License{
SPDXExpression: "Apache-2.0",
Value: "SomeValue",
FullText: "Some text",
},
expected: "Apache-2.0",
},
{
name: "Uses value if no SPDX expression",
license: pkg.License{
Value: "MIT",
},
expected: spdxlicense.LicenseRefPrefix + "MIT",
},
{
name: "Long value is sanitized correctly",
license: pkg.License{
Value: "LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL",
},
expected: spdxlicense.LicenseRefPrefix +
"LGPLv2--and-LGPLv2--with-exceptions-and-GPLv2--and-GPLv2--with-exceptions-and-BSD-and-Inner-Net-and-ISC-and-Public-Domain-and-GFDL",
},
{
name: "Uses hash of fullText when nothing else is provided",
license: pkg.License{
FullText: "This is a very long custom license text that should be hashed because it's more than 64 characters long.",
},
expected: "", // We'll verify it starts with the correct prefix
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
id := generateLicenseID(tt.license)
if tt.expected == "" {
assert.True(t, len(id) > len(spdxlicense.LicenseRefPrefix))
assert.Contains(t, id, spdxlicense.LicenseRefPrefix)
} else {
assert.Equal(t, tt.expected, id)
}
})
}
}
func Test_joinLicenses(t *testing.T) { func Test_joinLicenses(t *testing.T) {
tests := []struct { tests := []struct {
name string name string

1
syft/format/internal/spdxutil/helpers/spdxid.go
View File

@ -8,6 +8,7 @@ var expr = regexp.MustCompile("[^a-zA-Z0-9.-]")
// SPDX spec says SPDXID must be: // SPDX spec says SPDXID must be:
// "SPDXRef-"[idstring] where [idstring] is a unique string containing letters, numbers, ., and/or - // "SPDXRef-"[idstring] where [idstring] is a unique string containing letters, numbers, ., and/or -
// https://spdx.github.io/spdx-spec/v2.3/snippet-information/
func SanitizeElementID(id string) string { func SanitizeElementID(id string) string {
return expr.ReplaceAllString(id, "-") return expr.ReplaceAllString(id, "-")
} }