
cdxgen does not follow CycloneDX 1.4 spec for SPDX license expressions #679

Closed
ansonallard opened this issue Oct 27, 2023 · 3 comments · Fixed by #975

Comments

@ansonallard
Contributor

Per the CycloneDX 1.4 Spec, SPDX expressions should be added under the licenses array as the expression object, not the license object. This requires the utility to match the input license against SPDX expressions and make the appropriate choice.

Current behavior:

type-fest:

    {
      "group": "",
      "name": "type-fest",
      "version": "0.20.2",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "35ef9e138af4fe25a7a40c43f39db3dc0f8dd01b7944dfff36327045dd95147126af2c317f9bec66587847a962c65e81fb0cfff1dfa669348090dd452242372d"
        }
      ],
      "licenses": [
        {
          "license": {
            "name": "(MIT OR CC0-1.0)"
          }
        }
      ],
      "purl": "pkg:npm/[email protected]",
      "type": "library",
      "bom-ref": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/app/package-lock.json"
        }
      ]
    },

Expected Behavior:

type-fest:

    {
      "group": "",
      "name": "type-fest",
      "version": "0.20.2",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "35ef9e138af4fe25a7a40c43f39db3dc0f8dd01b7944dfff36327045dd95147126af2c317f9bec66587847a962c65e81fb0cfff1dfa669348090dd452242372d"
        }
      ],
      "licenses": [
        {
          "expression": "(MIT AND CC0-1.0)"
        }
      ],
      "purl": "pkg:npm/[email protected]",
      "type": "library",
      "bom-ref": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/app/package-lock.json"
        }
      ]
    },

My example came from an npm package. The license field in package.json can be an SPDX expression.

type-fest:

    "node_modules/serialize-error/node_modules/type-fest": {
      "version": "0.20.2",
      "resolved": "<url>",
      "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==",
      "inBundle": true,
      "license": "(MIT OR CC0-1.0)",
      "engines": {
        "node": ">=10"
      },
      "funding": {
        "url": "https://github.com/sponsors/sindresorhus"
      }
    },

This issue may relate to #41

@prabhu
Collaborator

prabhu commented Oct 27, 2023

@ansonallard, could you try changing this line to

    // Treat a value containing a space or an opening parenthesis as an SPDX
    // expression; otherwise record it as a plain license name.
    if (l.includes(" ") || l.includes("(")) {
      licenseContent.expression = l;
    } else {
      licenseContent.name = l;
    }

https://github.com/CycloneDX/cdxgen/blob/master/utils.js#L216

Please send a PR once you're happy.
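The issue body above describes the CycloneDX 1.4 rule (an SPDX expression belongs in an `expression` object, a single license in a `license` object) and the comment proposes a detection heuristic. The following is an added example, not cdxgen's own code, that applies that heuristic to a package-lock entry and builds the `licenses` array the issue expects; the `licenseEntry` and `componentFromLockEntry` names and the sample lock entry are constructed for this illustration.

```javascript
// Added example (not cdxgen's code): map a package.json/package-lock "license"
// string to a CycloneDX 1.4 "licenses" entry. The detection rule is the one
// proposed in the comment above: a value containing a space or an opening
// parenthesis is an SPDX expression, anything else is a single license name.
function isSpdxExpression(l) {
  return l.includes(" ") || l.includes("(");
}

// Returns { expression: "..." } for an SPDX expression,
// { license: { name: "..." } } for a single license, or null when empty.
function licenseEntry(raw) {
  const l = String(raw == null ? "" : raw).trim();
  if (l === "") return null;
  return isSpdxExpression(l) ? { expression: l } : { license: { name: l } };
}

// Build a minimal CycloneDX component from an npm lock entry. The purl and
// bom-ref follow the pkg:npm/<name>@<version> form shown in the issue.
function componentFromLockEntry(name, entry) {
  const purl = `pkg:npm/${name}@${entry.version}`;
  const comp = {
    group: "",
    name,
    version: entry.version,
    purl,
    type: "library",
    "bom-ref": purl,
  };
  const lic = licenseEntry(entry.license);
  if (lic) comp.licenses = [lic];
  return comp;
}

// Constructed sample mirroring the type-fest lock entry quoted in the issue.
const SAMPLE_LOCK_ENTRY = { version: "0.20.2", license: "(MIT OR CC0-1.0)" };

// Stand-alone run: prints the component with an `expression` license entry.
console.log(JSON.stringify(componentFromLockEntry("type-fest", SAMPLE_LOCK_ENTRY), null, 2));
```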

@prabhu
Collaborator

prabhu commented Oct 30, 2023

@ansonallard any luck?

@ansonallard
Contributor Author

Open PR: #690
