oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2026-02-12 02:26:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: base extension without spdx upstream update

Browse Source 
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
This commit is contained in:
Christopher Phillips 2026-01-29 14:26:30 -05:00
parent d02e3bcf62
commit ab725de6a1
No known key found for this signature in database
4 changed files with 72 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
internal/spdxlicense/license.go
View File

@ -41,14 +41,21 @@ type LicenseInfo struct {
ID string ID string
} }
// LicenseByURL returns the license ID and name for a given URL from the SPDX license list // LicenseByURL returns the license ID for a given URL.
// The URL should match one of the URLs in the seeAlso field of an SPDX license // It first checks supplemental mappings (user-contributed URLs not in the official
// SPDX list), then the auto-generated SPDX license list mappings.
func LicenseByURL(url string) (LicenseInfo, bool) { func LicenseByURL(url string) (LicenseInfo, bool) {
url = strings.TrimSpace(url) url = strings.TrimSpace(url)
if id, exists := urlToLicense[url]; exists {
return LicenseInfo{ // Check supplemental mappings first (user-contributed URLs)
ID: id, if id, exists := supplementalURLToLicense[url]; exists {
}, true return LicenseInfo{ID: id}, true
} }
// Fall back to auto-generated SPDX mappings
if id, exists := urlToLicense[url]; exists {
return LicenseInfo{ID: id}, true
}
return LicenseInfo{}, false return LicenseInfo{}, false
} }

34
internal/spdxlicense/license_url_test.go
View File

@ -88,6 +88,40 @@ func TestLicenseByURL(t *testing.T) {
} }
} }
func TestLicenseByURL_SupplementalURLs(t *testing.T) {
// Test that supplemental URLs (not in the official SPDX list) are resolved correctly
// These URLs are defined in supplemental_license_urls.go
tests := []struct {
name string
url string
wantID string
}{
{
name: "LGPL-2.1 http variant (supplemental)",
url: "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html",
wantID: "LGPL-2.1-only",
},
{
name: "EDL/BSD-3-Clause http variant (supplemental)",
url: "http://www.eclipse.org/org/documents/edl-v10.php",
wantID: "BSD-3-Clause",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
info, found := LicenseByURL(tt.url)
if !found {
t.Fatalf("LicenseByURL(%q) not found, expected %s", tt.url, tt.wantID)
}
if info.ID != tt.wantID {
t.Errorf("LicenseByURL(%q) = %s, want %s", tt.url, info.ID, tt.wantID)
}
})
}
}
func TestLicenseByURL_DeprecatedLicenses(t *testing.T) { func TestLicenseByURL_DeprecatedLicenses(t *testing.T) {
// Test that deprecated license URLs map to their replacement licenses // Test that deprecated license URLs map to their replacement licenses
// For example, GPL-2.0+ should map to GPL-2.0-or-later // For example, GPL-2.0+ should map to GPL-2.0-or-later

24
internal/spdxlicense/supplemental_license_urls.go Normal file
View File

@ -0,0 +1,24 @@
package spdxlicense
// supplementalURLToLicense contains URL-to-SPDX-ID mappings that are not in the
// official SPDX license list but are commonly found in real-world packages.
//
// These mappings supplement the auto-generated urlToLicense map from license_list.go.
// Add new entries here when you encounter license URLs that should map to SPDX IDs
// but aren't covered by the official SPDX seeAlso URLs.
//
// Guidelines for adding entries:
// - Verify the URL actually corresponds to the SPDX license
// - Prefer adding to SPDX upstream if the URL is canonical (https://github.com/spdx/license-list-XML)
// - Use this map for common variants (http vs https, alternate paths) that SPDX won't accept
var supplementalURLToLicense = map[string]string{
// LGPL-2.1: Common http:// variant of the old-licenses path
// SPDX has https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html
// but many Java packages use this simpler http:// URL
"http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html": "LGPL-2.1-only",
// BSD-3-Clause (EDL): http:// variant of Eclipse Distribution License
// SPDX has https://www.eclipse.org/org/documents/edl-v10.php
// but many Java packages use http:// instead of https://
"http://www.eclipse.org/org/documents/edl-v10.php": "BSD-3-Clause",
}

7
syft/pkg/cataloger/java/archive_parser.go
View File

@ -25,7 +25,6 @@ import (
"github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/pkg"
"github.com/anchore/syft/syft/pkg/cataloger/generic" "github.com/anchore/syft/syft/pkg/cataloger/generic"
"github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven" "github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven"
"github.com/anchore/syft/internal/spdxlicense"
) )
var archiveFormatGlobs = []string{ var archiveFormatGlobs = []string{
@ -376,11 +375,7 @@ func toPkgLicenses(ctx context.Context, location *file.Location, licenses []mave
if name == "" && url == "" { if name == "" && url == "" {
continue continue
} }
if licInfo, ok := spdxlicense.LicenseByURL(url); ok { // NewLicenseFromFieldsWithContext handles URL-to-SPDX-ID lookup internally
if name == "" {
name = licInfo.ID // use detected license ID if no name given
}
}
out = append(out, pkg.NewLicenseFromFieldsWithContext(ctx, name, url, location)) out = append(out, pkg.NewLicenseFromFieldsWithContext(ctx, name, url, location))
} }
return out return out