10 changes: 6 additions & 4 deletions scanpipe/pipes/resolve.py
Expand Up @@ -327,7 +327,11 @@ def spdx_package_to_package_data(spdx_package):
for checksum in spdx_package.checksums
}

declared_license_expression_spdx = spdx_package.license_concluded
if spdx_package.license_concluded not in spdx.EMPTY:
declared_license_expression_spdx = spdx_package.license_concluded
else:
declared_license_expression_spdx = spdx_package.license_declared

declared_expression = ""
if declared_license_expression_spdx:
declared_expression = convert_spdx_expression(declared_license_expression_spdx)
Expand All @@ -350,9 +354,7 @@ def spdx_package_to_package_data(spdx_package):
}

return {
key: value
for key, value in package_data.items()
if value not in [None, "", "NOASSERTION"]
key: value for key, value in package_data.items() if value not in spdx.EMPTY
}


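Review bot: The `else` branch in the first hunk assigns `spdx_package.license_declared` without testing it against `spdx.EMPTY`, so when both SPDX fields are `NOASSERTION` that literal still passes the unchanged truthiness check `if declared_license_expression_spdx:` and is handed to `convert_spdx_expression`. The final comprehension drops the raw `NOASSERTION` value, but whatever the converter returns for it would presumably be kept as `declared_license_expression`, which would misstate the license data imported from the SBOM. Changing the guard to `if declared_license_expression_spdx not in spdx.EMPTY:` keeps placeholders out of the conversion. A short comment above the new branch, such as `# Prefer licenseConcluded; fall back to licenseDeclared when it is empty or NOASSERTION`, would also record that two distinct SPDX fields feed one `declared_*` value. The function body starts and ends outside both hunks.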
2 changes: 2 additions & 0 deletions scanpipe/pipes/spdx.py
Expand Up @@ -47,6 +47,8 @@
"https://github.com/spdx/spdx-spec/raw/development/v2.2/schemas/spdx-schema.json"
)

EMPTY = [None, "", "NOASSERTION"]

"""
Generate SPDX Documents.
Spec documentation: https://spdx.github.io/spdx-spec/v2.3/
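Review bot: `EMPTY` is a mutable module-level list that `resolve.py` now uses for membership tests, so an in-place change anywhere would silently alter which SPDX values are discarded on import. A tuple, `EMPTY = (None, "", "NOASSERTION")`, behaves the same with `in` (including for unhashable values) and cannot be mutated. The constant also has no comment, and SPDX 2.3 defines `NONE` as a separate license value, so it is worth stating whether its absence is deliberate, e.g. `# SPDX values treated as "no data" on import; "NONE" is a real assertion and is not listed`.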
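--- a/scanpipe/tests/data/spdx/license-fields.spdx.json
+++ b/scanpipe/tests/data/spdx/license-fields.spdx.json
@@ -0,0 +1,31 @@
+{
+"spdxVersion": "SPDX-2.3",
+"dataLicense": "CC0-1.0",
+"SPDXID": "SPDXRef-DOCUMENT",
+"name": "analysis",
+"documentNamespace": "https://scancode.io/spdxdocs/abc",
+"creationInfo": {
+"created": "2000-01-01T01:02:03Z",
+"creators": [
+"Tool: ABC"
+],
+"licenseListVersion": "3.27"
+},
+"packages": [
+{
+"SPDXID": "SPDXRef-Package-abc",
+"name": "abc",
+"downloadLocation": "NOASSERTION",
+"licenseInfoFromFiles": [
+"NOASSERTION"
+],
+"licenseConcluded": "NOASSERTION",
+"licenseDeclared": "(GPL-2.0-only AND LGPL-2.1-only)",
+"copyrightText": "NOASSERTION",
+"versionInfo": "1.0"
+}
+],
+"documentDescribes": [
+"SPDXRef-Package-abc"
+]
+}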
15 changes: 15 additions & 0 deletions scanpipe/tests/pipes/test_resolve.py
Expand Up @@ -250,6 +250,21 @@ def test_scanpipe_pipes_resolve_spdx_packages(self):
packages_data = resolve.resolve_spdx_packages(input_location)
self.assertEqual(4, len(packages_data))

def test_scanpipe_pipes_resolve_spdx_packages_license_fields(self):
input_location = self.data / "spdx" / "license-fields.spdx.json"
packages_data = resolve.resolve_spdx_packages(input_location)
expected = [
{
"package_uid": "SPDXRef-Package-abc",
"name": "abc",
"declared_license_expression": "gpl-2.0 AND lgpl-2.1",
"declared_license_expression_spdx": "(GPL-2.0-only AND LGPL-2.1-only)",
"extracted_license_statement": "(GPL-2.0-only AND LGPL-2.1-only)",
"version": "1.0",
}
]
self.assertEqual(expected, packages_data)

def test_scanpipe_pipes_resolve_spdx_dependencies(self):
input_location = self.data / "spdx" / "SPDXJSONExample-v2.3.spdx.json"
dependencies_data = resolve.resolve_spdx_dependencies(input_location)
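Review bot: The new test only covers the fallback path where `licenseConcluded` is `NOASSERTION`; nothing pins the precedence when both fields carry expressions, or the result when both are `NOASSERTION`, which is the case the resolver change handles least obviously. Adding a package to the fixture for each of those cases, or separate small fixtures, would keep a later edit to `spdx.EMPTY` from changing imported license data unnoticed. A one-line docstring such as `"""licenseDeclared is used when licenseConcluded is NOASSERTION."""` would state what the expected dict demonstrates.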