From 99c3339810b27a67851d2144fd27f9eaeb24ad1b Mon Sep 17 00:00:00 2001
From: Keith Zantow
Date: Fri, 18 Mar 2022 09:44:51 -0400
Subject: [PATCH] Fix CycloneDX license decoding panic (#898)
---
 .../formats/common/cyclonedxhelpers/decoder_test.go | 10 ++++++++++
 internal/formats/common/cyclonedxhelpers/licenses.go | 4 +++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/internal/formats/common/cyclonedxhelpers/decoder_test.go b/internal/formats/common/cyclonedxhelpers/decoder_test.go
index 40b95b9dd..f55ef5b80 100644
--- a/internal/formats/common/cyclonedxhelpers/decoder_test.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder_test.go
@@ -272,4 +272,14 @@ func Test_missingDataDecode(t *testing.T) {
 _, err = toSyftModel(bom)
 assert.NoError(t, err)
+
+ pkg := decodeComponent(&cyclonedx.Component{
+ Licenses: &cyclonedx.Licenses{
+ {
+ License: nil,
+ },
+ },
+ })
+
+ assert.Len(t, pkg.Licenses, 0)
 }
diff --git a/internal/formats/common/cyclonedxhelpers/licenses.go b/internal/formats/common/cyclonedxhelpers/licenses.go
index 68da1967b..9acf70d39 100644
--- a/internal/formats/common/cyclonedxhelpers/licenses.go
+++ b/internal/formats/common/cyclonedxhelpers/licenses.go
@@ -26,7 +26,9 @@ func encodeLicenses(p pkg.Package) *cyclonedx.Licenses {
 func decodeLicenses(c *cyclonedx.Component) (out []string) {
 if c.Licenses != nil {
 for _, l := range *c.Licenses {
- out = append(out, l.License.ID)
+ if l.License != nil {
+ out = append(out, l.License.ID)
+ }
 }
 }
 return
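Review bot: The case added to `Test_missingDataDecode` feeds a list whose only entry has a nil `License`, so it proves the panic is gone but not that decoding carries on past such an entry. A second entry with a constructed sample ID, `{License: &cyclonedx.License{ID: "MIT"}}`, together with `assert.Equal(t, []string{"MIT"}, pkg.Licenses)` would pin both the skip and the continue. The test function begins outside the hunk.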
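Review bot: Skipping a nil `License` in `decodeLicenses` stops the panic but drops the entry without a trace; in the CycloneDX model a license choice with no `License` normally carries an `Expression`, so an SBOM that states its licenses as expressions would decode to an empty list. A `License` that has only a `Name` still appends an empty `ID` to `out`. Because this decoder reads documents produced elsewhere, consider `if l.License != nil && l.License.ID != "" {` and, if the package model is meant to keep them, a fallback to `l.License.Name` or `l.Expression`. `c` itself is also dereferenced without a nil check, which matters if any caller can pass a nil component. The function's closing brace lies outside the hunk.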