Follow CycloneDX 1.4 spec for SPDX license expressions for npm. #690
Conversation
Signed-off-by: ansonallard <[email protected]>
|
@ansonallard any ideas about the test failures? |
Signed-off-by: ansonallard <[email protected]>
|
@prabhu Is there a way to see what the inputs were to the test that failed? I just see that the schema validation failed, but I don't have the data to determine why. |
|
@ansonallard I could never get the jsonschema to return that information. Usually I would run the same test locally and use jq :( |
| @@ -234,7 +236,9 @@ export function getLicenses(pkg, format = "xml") { | |||
| } | |||
| return licenseContent; | |||
| }) | |||
| .map((l) => ({ license: l })); | |||
| .map((l) => | |||
| l.expression ? { expression: l.expression } : { license: l } | |||
There was a problem hiding this comment.
I think there can be only one expression, so possible we are returning multiple.
There was a problem hiding this comment.
The licenses list supports multiple schemas in the array. I'm not certain if the spec requires all data to be the same schema in the list. Spec
There was a problem hiding this comment.
There was a problem hiding this comment.
Oh yeah. Looks like that is new 1.5 restriction. I remember the rationale for enforcing a single expression. We may have to try to fix this bug in index.js or elsewhere.
There was a problem hiding this comment.
There are a few situations that I can think of:
- A component has multiple licenses and a SPDX expression
- A component has multiple SPDX expressions and multiple licenses
- A component has multiple licenses, no SPDX expressions
- A component has one SPDX expression
For 1, it may make sense to ignore the license list and serve the single SPDX expression (the expression takes precedence).
For 2, one would have to choose which expression to persist. It could be simple, but arbitrary, like choosing the first entry, or more complex, like choosing the most permissive or open.
For 3 and 4, those behaviors are known.
There was a problem hiding this comment.
- If there are legitimately multiple expressions (with a space or bracket), then we can use the first one and show a warning.
|
@ansonallard, could you kindly rebase since we have refactored things a bit. Also, could you take a look at the new known-licenses.json to see if this bug could be resolved with an entry there? |
|
Is there any progress on this? If not I would like move the changes to a new branch and try to fix it. |
|
@validide New branches are better. Also why are people still using 1.4? |
|
It's not just 1.4 I think. I just created an SBOM to test and got the following:
I hope to have this done over the weekend. |
Support spdx expressions for CycloneDX 1.4 Spec