fix(cyclonedx): fix unmarshal for licenses (#5828)

aquasecurity · Dec 29, 2023 · b3d516e · b3d516e
1 parent c17b660
commit b3d516e
Show file tree

Hide file tree

Showing 8 changed files with 65 additions and 15 deletions.
diff --git a/integration/testdata/fixtures/sbom/centos-7-cyclonedx.json b/integration/testdata/fixtures/sbom/centos-7-cyclonedx.json
@@ -40,7 +40,9 @@
       "version": "4.2.46-31.el7",
       "licenses": [
         {
-          "expression": "GPLv3+"
+          "license": {
+            "name": "GPLv3+"
+          }
         }
       ],
       "purl": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
@@ -78,7 +80,9 @@
       "version": "1.0.2k-16.el7",
       "licenses": [
         {
-          "expression": "OpenSSL"
+          "license": {
+            "name": "OpenSSL+"
+          }
         }
       ],
       "purl": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",

diff --git a/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json b/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json
@@ -126,7 +126,9 @@
       "version": "6.0.2.1",
       "licenses": [
         {
-          "expression": "MIT"
+          "license": {
+            "name": "MIT"
+          }
         }
       ],
       "purl": "pkg:gem/activesupport@6.0.2.1",

diff --git a/pkg/sbom/cyclonedx/testdata/happy/bom.json b/pkg/sbom/cyclonedx/testdata/happy/bom.json
@@ -48,7 +48,9 @@
       "version": "1.2.3-r0",
       "licenses": [
         {
-          "expression": "MIT"
+          "license": {
+            "name": "MIT"
+          }
         }
       ],
       "purl": "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.0",
@@ -125,7 +127,9 @@
       "version": "5.0.2",
       "licenses": [
         {
-          "expression": "MIT"
+          "license": {
+            "name": "MIT"
+          }
         }
       ],
       "purl": "pkg:npm/bootstrap@5.0.2",

diff --git a/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json b/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json
@@ -49,13 +49,19 @@
       "version": "2.35-0ubuntu3.1",
       "licenses": [
         {
-          "expression": "LGPL-2.1"
+          "license": {
+            "name": "LGPL-2.1"
+          }
         },
         {
-          "expression": "GPL-2.0"
+          "license": {
+            "name": "GPL-2.0"
+          }
         },
         {
-          "expression": "GFDL-1.3"
+          "license": {
+            "name": "GFDL-1.3"
+          }
         }
       ],
       "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.1?distro=ubuntu-22.04",

diff --git a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom-no-os.json b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom-no-os.json
@@ -19,7 +19,9 @@
       "version": "1.2.3-r0",
       "licenses": [
         {
-          "expression": "MIT"
+          "license": {
+            "name": "MIT"
+          }
         }
       ],
       "purl": "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.0"

diff --git a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json
@@ -35,7 +35,14 @@
       "type": "library",
       "name": "pear/log",
       "version": "1.13.1",
-      "purl": "pkg:composer/pear/log@1.13.1"
+      "purl": "pkg:composer/pear/log@1.13.1",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ]
     },
     {
       "bom-ref": "pkg:composer/pear/pear_exception@v1.0.0",

diff --git a/pkg/sbom/cyclonedx/unmarshal.go b/pkg/sbom/cyclonedx/unmarshal.go
@@ -352,10 +352,7 @@ func toPackage(component cdx.Component) (*ftypes.PackageURL, *ftypes.Package, er
 	// so we have to use an original package name
 	pkg.Name = packageName(p.Type, pkg.Name, component)
 	pkg.Ref = component.BOMRef
-
-	for _, license := range lo.FromPtr(component.Licenses) {
-		pkg.Licenses = append(pkg.Licenses, license.Expression)
-	}
+	pkg.Licenses = parsePackageLicenses(component.Licenses)
 
 	for key, value := range core.UnmarshalProperties(component.Properties) {
 		switch key {
@@ -434,3 +431,30 @@ func packageName(typ, pkgNameFromPurl string, component cdx.Component) string {
 	}
 	return component.Name
 }
+
+// parsePackageLicenses checks all supported license fields and returns a list of licenses.
+// https://cyclonedx.org/docs/1.5/json/#components_items_licenses
+func parsePackageLicenses(l *cdx.Licenses) []string {
+	var licenses []string
+	for _, license := range lo.FromPtr(l) {
+		if license.License != nil {
+			// Trivy uses `Name` field to marshal licenses
+			if license.License.Name != "" {
+				licenses = append(licenses, license.License.Name)
+				continue
+			}
+
+			if license.License.ID != "" {
+				licenses = append(licenses, license.License.ID)
+				continue
+			}
+		}
+
+		if license.Expression != "" {
+			licenses = append(licenses, license.Expression)
+			continue
+		}
+
+	}
+	return licenses
+}
diff --git a/pkg/sbom/cyclonedx/unmarshal_test.go b/pkg/sbom/cyclonedx/unmarshal_test.go
@@ -479,7 +479,8 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										},
 									},
 								},
-								Ref: "pkg:composer/pear/log@1.13.1",
+								Ref:      "pkg:composer/pear/log@1.13.1",
+								Licenses: []string{"MIT"},
 							},
 							{