From eb3c2e5718e709c20b377bdfcaaed0bb09cd4e58 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Fri, 3 Apr 2026 14:47:49 +0400
Subject: [PATCH] fix: fallback to license_declared when loading SPDX SBOM

Signed-off-by: tdruez
---
 scanpipe/pipes/resolve.py | 10 +++---
 scanpipe/pipes/spdx.py | 2 ++
 .../tests/data/spdx/license-fields.spdx.json | 31 +++++++++++++++++++
 scanpipe/tests/pipes/test_resolve.py | 15 +++++++++
 4 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 scanpipe/tests/data/spdx/license-fields.spdx.json

diff --git a/scanpipe/pipes/resolve.py b/scanpipe/pipes/resolve.py
index 0a409dd88c..38c5a37dbd 100644
--- a/scanpipe/pipes/resolve.py
+++ b/scanpipe/pipes/resolve.py
@@ -327,7 +327,11 @@ def spdx_package_to_package_data(spdx_package):
         for checksum in spdx_package.checksums
     }
 
-    declared_license_expression_spdx = spdx_package.license_concluded
+    if spdx_package.license_concluded not in spdx.EMPTY:
+        declared_license_expression_spdx = spdx_package.license_concluded
+    else:
+        declared_license_expression_spdx = spdx_package.license_declared
+
     declared_expression = ""
     if declared_license_expression_spdx:
         declared_expression = convert_spdx_expression(declared_license_expression_spdx)
@@ -350,9 +354,7 @@ def spdx_package_to_package_data(spdx_package):
     }
 
     return {
-        key: value
-        for key, value in package_data.items()
-        if value not in [None, "", "NOASSERTION"]
+        key: value for key, value in package_data.items() if value not in spdx.EMPTY
     }
 
 
diff --git a/scanpipe/pipes/spdx.py b/scanpipe/pipes/spdx.py
index 5bb3e6bb16..f785a8a32a 100644
--- a/scanpipe/pipes/spdx.py
+++ b/scanpipe/pipes/spdx.py
@@ -47,6 +47,8 @@
     "https://github.com/spdx/spdx-spec/raw/development/v2.2/schemas/spdx-schema.json"
 )
 
+EMPTY = [None, "", "NOASSERTION"]
+
 """
 Generate SPDX Documents.
 Spec documentation: https://spdx.github.io/spdx-spec/v2.3/
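Review bot: The fallback value is not screened the way the primary one is: when `licenseDeclared` is also `NOASSERTION` (or `None`), `declared_license_expression_spdx` holds that placeholder, the following `if declared_license_expression_spdx:` is truthy, and `convert_spdx_expression("NOASSERTION")` is called; the final comprehension drops the `_spdx` key because it is in `spdx.EMPTY`, but whatever the conversion returns for `declared_license_expression` is kept unless it too happens to be in `spdx.EMPTY`. Reusing the same test on the chosen value closes that gap: `if declared_license_expression_spdx not in spdx.EMPTY:`. SPDX 2.3 also permits the literal `NONE` in both license fields; `spdx.EMPTY` does not list it, so a `NONE` concluded value is treated as a real expression and never falls back to the declared one, which may or may not be intended and deserves an explicit decision. spdx_package_to_package_data begins before the first hunk and continues between the two hunks.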
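Review bot: `EMPTY` is a mutable module-level list whose only use on this page is membership tests (`value not in spdx.EMPTY` in resolve.py); a tuple states that intent and rules out accidental mutation: `EMPTY = (None, "", "NOASSERTION")`. A `frozenset` is not a drop-in replacement here, because the values resolve.py compares against it appear to include unhashable containers (the checksums dict comprehension closes just above that hunk), and `in` on a set raises `TypeError` for those whereas a tuple falls back to `==`. The constant also carries no explanation; a line such as `# Field values SPDX uses to mean "no usable value"; such fields are dropped when a package is loaded.` above it would spare the next reader a trip to resolve.py.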
diff --git a/scanpipe/tests/data/spdx/license-fields.spdx.json b/scanpipe/tests/data/spdx/license-fields.spdx.json
new file mode 100644
index 0000000000..a27294cf1d
--- /dev/null
+++ b/scanpipe/tests/data/spdx/license-fields.spdx.json
@@ -0,0 +1,31 @@
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "analysis",
+  "documentNamespace": "https://scancode.io/spdxdocs/abc",
+  "creationInfo": {
+    "created": "2000-01-01T01:02:03Z",
+    "creators": [
+      "Tool: ABC"
+    ],
+    "licenseListVersion": "3.27"
+  },
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-abc",
+      "name": "abc",
+      "downloadLocation": "NOASSERTION",
+      "licenseInfoFromFiles": [
+        "NOASSERTION"
+      ],
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "(GPL-2.0-only AND LGPL-2.1-only)",
+      "copyrightText": "NOASSERTION",
+      "versionInfo": "1.0"
+    }
+  ],
+  "documentDescribes": [
+    "SPDXRef-Package-abc"
+  ]
+}
\ No newline at end of file
diff --git a/scanpipe/tests/pipes/test_resolve.py b/scanpipe/tests/pipes/test_resolve.py
index 2c7aa33bcb..06e1458181 100644
--- a/scanpipe/tests/pipes/test_resolve.py
+++ b/scanpipe/tests/pipes/test_resolve.py
@@ -250,6 +250,21 @@ def test_scanpipe_pipes_resolve_spdx_packages(self):
         packages_data = resolve.resolve_spdx_packages(input_location)
         self.assertEqual(4, len(packages_data))
 
+    def test_scanpipe_pipes_resolve_spdx_packages_license_fields(self):
+        input_location = self.data / "spdx" / "license-fields.spdx.json"
+        packages_data = resolve.resolve_spdx_packages(input_location)
+        expected = [
+            {
+                "package_uid": "SPDXRef-Package-abc",
+                "name": "abc",
+                "declared_license_expression": "gpl-2.0 AND lgpl-2.1",
+                "declared_license_expression_spdx": "(GPL-2.0-only AND LGPL-2.1-only)",
+                "extracted_license_statement": "(GPL-2.0-only AND LGPL-2.1-only)",
+                "version": "1.0",
+            }
+        ]
+        self.assertEqual(expected, packages_data)
+
     def test_scanpipe_pipes_resolve_spdx_dependencies(self):
         input_location = self.data / "spdx" / "SPDXJSONExample-v2.3.spdx.json"
         dependencies_data = resolve.resolve_spdx_dependencies(input_location)
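Review bot: The new test pins only the path where `licenseConcluded` is `NOASSERTION` and `licenseDeclared` is usable; the boundary of the fallback — both fields `NOASSERTION`, or `licenseDeclared` absent — is not covered, and that is the case most likely to regress given that resolve.py screens only `license_concluded` against `spdx.EMPTY`. A second package in the fixture, or a sibling test, with both license fields set to `NOASSERTION` and an assertion that neither `declared_license_expression`, `declared_license_expression_spdx` nor `extracted_license_statement` appears in the result would lock that down. The precedence rule (a usable `licenseConcluded` wins over a differing `licenseDeclared`) may already be exercised by the SPDX example fixture used in the neighbouring tests, but it is not asserted explicitly anywhere visible here. The expected `extracted_license_statement` value comes from code outside this hunk, so this assertion pins resolve.py as a whole rather than the fallback alone.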