fix: only output valid cyclonedx license choices (#1879)

* fix: only output valid cyclonedx license choices

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: update tests

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: return nil for emtpty cdx license list

Signed-off-by: Keith Zantow <kzantow@gmail.com>

---------

Signed-off-by: Keith Zantow <kzantow@gmail.com>

syft/formats/common/cyclonedxhelpers/licenses.go

@@ -12,40 +12,36 @@ import (
 
 // This should be a function that just surfaces licenses already validated in the package struct
 func encodeLicenses(p pkg.Package) *cyclonedx.Licenses {
-	spdxc, otherc, ex := separateLicenses(p)
+	spdx, other, ex := separateLicenses(p)
-	if len(otherc) > 0 {
+	out := spdx
+	out = append(out, other...)
+
+	if len(other) > 0 || len(spdx) > 0 {
 		// found non spdx related licenses
 		// build individual license choices for each
 		// complex expressions are not combined and set as NAME fields
 		for _, e := range ex {
-			otherc = append(otherc, cyclonedx.LicenseChoice{
+			if e == "" {
+				continue
+			}
+			out = append(out, cyclonedx.LicenseChoice{
 				License: &cyclonedx.License{
 					Name: e,
 				},
 			})
 		}
-		otherc = append(otherc, spdxc...)
+	} else if len(ex) > 0 {
-		return &otherc
+		// only expressions found
-	}
+		e := mergeSPDX(ex)
-
+		if e != "" {
-	if len(spdxc) > 0 {
+			out = append(out, cyclonedx.LicenseChoice{
-		for _, l := range ex {
+				Expression: e,
-			spdxc = append(spdxc, cyclonedx.LicenseChoice{
-				License: &cyclonedx.License{
-					Name: l,
-				},
 			})
 		}
-		return &spdxc
 	}
 
-	if len(ex) > 0 {
+	if len(out) > 0 {
-		// only expressions found
+		return &out
-		var expressions cyclonedx.Licenses
-		expressions = append(expressions, cyclonedx.LicenseChoice{
-			Expression: mergeSPDX(ex),
-		})
-		return &expressions
 	}
 
 	return nil
@@ -185,20 +181,20 @@ func reduceOuter(expression string) string {
 
 	for _, c := range expression {
 		if string(c) == "(" && openCount > 0 {
-			fmt.Fprintf(&sb, "%c", c)
+			_, _ = fmt.Fprintf(&sb, "%c", c)
 		}
 		if string(c) == "(" {
 			openCount++
 			continue
 		}
 		if string(c) == ")" && openCount > 1 {
-			fmt.Fprintf(&sb, "%c", c)
+			_, _ = fmt.Fprintf(&sb, "%c", c)
 		}
 		if string(c) == ")" {
 			openCount--
 			continue
 		}
-		fmt.Fprintf(&sb, "%c", c)
+		_, _ = fmt.Fprintf(&sb, "%c", c)
 	}
 
 	return sb.String()

syft/formats/common/cyclonedxhelpers/licenses_test.go

@@ -18,9 +18,8 @@ func Test_encodeLicense(t *testing.T) {
 		expected *cyclonedx.Licenses
 	}{
 		{
-			name:     "no licenses",
+			name:  "no licenses",
-			input:    pkg.Package{},
+			input: pkg.Package{},
-			expected: nil,
 		},
 		{
 			name: "no SPDX licenses",
@@ -48,12 +47,12 @@ func Test_encodeLicense(t *testing.T) {
 			expected: &cyclonedx.Licenses{
 				{
 					License: &cyclonedx.License{
-						Name: "FOOBAR",
+						ID: "MIT",
 					},
 				},
 				{
 					License: &cyclonedx.License{
-						ID: "MIT",
+						Name: "FOOBAR",
 					},
 				},
 			},
@@ -95,17 +94,6 @@ func Test_encodeLicense(t *testing.T) {
 				),
 			},
 			expected: &cyclonedx.Licenses{
-				{
-					License: &cyclonedx.License{
-						Name: "FakeLicense",
-						URL:  "htts://someurl.com",
-					},
-				},
-				{
-					License: &cyclonedx.License{
-						Name: "MIT AND GPL-3.0-only",
-					},
-				},
 				{
 					License: &cyclonedx.License{
 						ID:  "MIT",
@@ -118,6 +106,17 @@ func Test_encodeLicense(t *testing.T) {
 						URL: "https://spdx.org/licenses/MIT.html",
 					},
 				},
+				{
+					License: &cyclonedx.License{
+						Name: "FakeLicense",
+						URL:  "htts://someurl.com",
+					},
+				},
+				{
+					License: &cyclonedx.License{
+						Name: "MIT AND GPL-3.0-only",
+					},
+				},
 			},
 		},
 		{