* migrate pkg.ID and pkg.Relationship to artifact package Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * return relationships from tasks Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix more tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add artifact.Identifiable by Identity() method Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove catalog ID assignment Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * adjust spdx helpers to use copy of packages Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * stabilize package ID relative to encode-decode format cycles Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * rename Identity() to ID() Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use zero value for nils in ID generation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * enable source.Location to be identifiable Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * hoist up package relationship discovery to analysis stage Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update ownership-by-file-overlap relationship description Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add test reminders to put new relationships under test Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * adjust PHP composer.lock parser function to return relationships Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
package spdxhelpers
import (
"strings"
"github.com/anchore/syft/internal/spdxlicense"
"github.com/anchore/syft/syft/pkg"
)
// License renders the SPDX "concluded license" field for p.
//
// Per https://spdx.github.io/spdx-spec/3-package-information/#313-concluded-license
// the field may hold only one of: a valid SPDX license expression (Appendix IV),
// NONE when the file creator concludes no license is available for the package,
// or NOASSERTION when no objective determination could be (or was) made, or
// no information is intentionally provided.
//
// Only the value that spdxlicense.ID returns for a license is ever placed in
// the expression; the raw license string from package metadata is never written
// through as-is. Licenses for which spdxlicense.ID reports no match are dropped.
// The remaining IDs are joined as a conjunction with " AND ".
func License(p pkg.Package) string {
	// no licenses at all is the spec's NONE case, distinct from "could not determine"
	if len(p.Licenses) == 0 {
		return "NONE"
	}

	ids := make([]string, 0, len(p.Licenses))
	for _, raw := range p.Licenses {
		id, ok := spdxlicense.ID(raw)
		if !ok {
			// unrecognized by the SPDX license table: skip rather than emit the raw value
			continue
		}
		ids = append(ids, id)
	}

	// licenses were present but none mapped to an SPDX ID: NOASSERTION, not NONE
	if len(ids) == 0 {
		return "NOASSERTION"
	}

	// every recognized license is assumed to apply simultaneously; see
	// https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/
	return strings.Join(ids, " AND ")
}