oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 16:33:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: sanitize SPDX LicenseRefs (#1657)

Browse Source 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
This commit is contained in:
Keith Zantow 2023-03-06 10:55:23 -05:00 committed by GitHub
parent f43953d225
commit 7cfdffab5f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 86 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
syft/formats/common/spdxhelpers/license.go
View File

@ -24,6 +24,12 @@ func License(p pkg.Package) string {
// take all licenses and assume an AND expression; for information about license expressions see https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/ // take all licenses and assume an AND expression; for information about license expressions see https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/
parsedLicenses := parseLicenses(p.Licenses) parsedLicenses := parseLicenses(p.Licenses)
for i, v := range parsedLicenses {
if strings.HasPrefix(v, spdxlicense.LicenseRefPrefix) {
parsedLicenses[i] = SanitizeElementID(v)
}
}
if len(parsedLicenses) == 0 { if len(parsedLicenses) == 0 {
return NOASSERTION return NOASSERTION
} }

11
syft/formats/common/spdxhelpers/license_test.go
View File

@ -65,6 +65,17 @@ func Test_License(t *testing.T) {
}, },
expected: "GPL-2.0-only", expected: "GPL-2.0-only",
}, },
{
name: "includes valid LicenseRef-",
input: pkg.Package{
Licenses: []string{
"one thing first",
"two things/#$^second",
"MIT",
},
},
expected: "LicenseRef-one-thing-first AND LicenseRef-two-things----second AND MIT",
},
} }
for _, test := range tests { for _, test := range tests {
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {

6
syft/formats/common/spdxhelpers/to_format_model.go
View File

@ -514,8 +514,8 @@ func toFileTypes(metadata *source.FileMetadata) (ty []string) {
func toOtherLicenses(catalog *pkg.Catalog) []*spdx.OtherLicense { func toOtherLicenses(catalog *pkg.Catalog) []*spdx.OtherLicense {
licenses := map[string]bool{} licenses := map[string]bool{}
for _, pkg := range catalog.Sorted() { for _, p := range catalog.Sorted() {
for _, license := range parseLicenses(pkg.Licenses) { for _, license := range parseLicenses(p.Licenses) {
if strings.HasPrefix(license, spdxlicense.LicenseRefPrefix) { if strings.HasPrefix(license, spdxlicense.LicenseRefPrefix) {
licenses[license] = true licenses[license] = true
} }
@ -526,7 +526,7 @@ func toOtherLicenses(catalog *pkg.Catalog) []*spdx.OtherLicense {
// separate the actual ID from the prefix // separate the actual ID from the prefix
name := strings.TrimPrefix(license, spdxlicense.LicenseRefPrefix) name := strings.TrimPrefix(license, spdxlicense.LicenseRefPrefix)
result = append(result, &spdx.OtherLicense{ result = append(result, &spdx.OtherLicense{
LicenseIdentifier: license, LicenseIdentifier: SanitizeElementID(license),
LicenseName: name, LicenseName: name,
ExtractedText: NONE, // we probably should have some extracted text here, but this is good enough for now ExtractedText: NONE, // we probably should have some extracted text here, but this is good enough for now
}) })

68
syft/formats/common/spdxhelpers/to_format_model_test.go
View File

@ -369,7 +369,7 @@ func Test_fileIDsForPackage(t *testing.T) {
} }
func Test_H1Digest(t *testing.T) { func Test_H1Digest(t *testing.T) {
sbom := sbom.SBOM{} s := sbom.SBOM{}
tests := []struct { tests := []struct {
name string name string
pkg pkg.Package pkg pkg.Package
@ -416,7 +416,7 @@ func Test_H1Digest(t *testing.T) {
for _, test := range tests { for _, test := range tests {
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
catalog := pkg.NewCatalog(test.pkg) catalog := pkg.NewCatalog(test.pkg)
pkgs := toPackages(catalog, sbom) pkgs := toPackages(catalog, s)
require.Len(t, pkgs, 1) require.Len(t, pkgs, 1)
for _, p := range pkgs { for _, p := range pkgs {
if test.expectedDigest == "" { if test.expectedDigest == "" {
@ -431,3 +431,67 @@ func Test_H1Digest(t *testing.T) {
}) })
} }
} }
func Test_OtherLicenses(t *testing.T) {
tests := []struct {
name string
pkg pkg.Package
expected []*spdx.OtherLicense
}{
{
name: "no licenseRef",
pkg: pkg.Package{
Licenses: []string{
"MIT",
},
},
expected: nil,
},
{
name: "single licenseRef",
pkg: pkg.Package{
Licenses: []string{
"un known",
},
},
expected: []*spdx.OtherLicense{
{
LicenseIdentifier: "LicenseRef-un-known",
LicenseName: "un known",
ExtractedText: NONE,
},
},
},
{
name: "multiple licenseRef",
pkg: pkg.Package{
Licenses: []string{
"un known",
"not known %s",
"MIT",
},
},
expected: []*spdx.OtherLicense{
{
LicenseIdentifier: "LicenseRef-un-known",
LicenseName: "un known",
ExtractedText: NONE,
},
{
LicenseIdentifier: "LicenseRef-not-known--s",
LicenseName: "not known %s",
ExtractedText: NONE,
},
},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
catalog := pkg.NewCatalog(test.pkg)
otherLicenses := toOtherLicenses(catalog)
require.Len(t, otherLicenses, len(test.expected))
require.Equal(t, test.expected, otherLicenses)
})
}
}