test: update tests to match new SPDXLicense structure

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-11-12 23:27:20 +00:00 · 2024-10-01 11:52:48 -04:00 · 2024-10-01 11:52:48 -04:00 · 6f401891e7
commit 6f401891e7
parent 8a722d0ffe
3 changed files with 28 additions and 6 deletions
--- a/syft/format/internal/spdxutil/helpers/license.go
+++ b/syft/format/internal/spdxutil/helpers/license.go
@ -3,13 +3,16 @@ package helpers
 import (
 	"crypto/sha256"
 	"fmt"
-	"strings"
+	"regexp"

 	"github.com/anchore/syft/internal/spdxlicense"
 	"github.com/anchore/syft/syft/license"
 	"github.com/anchore/syft/syft/pkg"
+	"strings"
 )

+var validSPDXValue = regexp.MustCompile("[^A-Za-z0-9\\-\\.]+")
+
 func License(p pkg.Package) (concluded, declared string) {
 	// source: https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field
 	// The options to populate this field are limited to:
@ -58,8 +61,9 @@ func joinLicenses(licenses []SPDXLicense) string {
 }

 type SPDXLicense struct {
-	ID    string
-	Value string
+	ID       string
+	Value    string
+	FullText string
 }

 func ParseLicenses(raw []pkg.License) (concluded, declared []SPDXLicense) {
@ -69,14 +73,25 @@ func ParseLicenses(raw []pkg.License) (concluded, declared []SPDXLicense) {
 		}

 		candidate := SPDXLicense{}
-		// a pkg license can have a couple combinations of values
-		if l.SPDXExpression != "" {
+		// extract which value was used for the license
+		switch {
+		case l.SPDXExpression != "":
 			candidate.ID = l.SPDXExpression
 			hash := sha256.Sum256([]byte(l.Value))
 			candidate.ID = fmt.Sprintf("%s%x", spdxlicense.LicenseRefPrefix, hash)
 			candidate.Value = l.Value
+		case l.Value != "":
+			hash := sha256.Sum256([]byte(l.Value))
+			candidate.ID = fmt.Sprintf("%s%x", spdxlicense.LicenseRefPrefix, hash)
+			validSpdxRef := validSPDXValue.ReplaceAllString(l.Value, "-")
+			candidate.Value = fmt.Sprintf("%s%s", spdxlicense.LicenseRefPrefix, validSpdxRef)
+		default:
+			hash := sha256.Sum256([]byte(l.FullText))
+			candidate.ID = fmt.Sprintf("%s%x", spdxlicense.LicenseRefPrefix, hash)
+			candidate.FullText = l.FullText
 		}

+		// extract if concluded or declared
 		switch l.Type {
 		case license.Concluded:
 			concluded = append(concluded, candidate)
--- a/syft/format/internal/spdxutil/helpers/license_test.go
+++ b/syft/format/internal/spdxutil/helpers/license_test.go
@ -77,7 +77,7 @@ func Test_License(t *testing.T) {
 			expected: expected{
 				concluded: "NOASSERTION",
 				// because we separate licenses between valid SPDX and non valid, valid ID always end at the front
-				declared: "MIT AND LicenseRef-one-thing-first AND LicenseRef-two-things----second",
+				declared: "MIT AND LicenseRef-one-thing-first AND LicenseRef-two-things-second",
 			},
 		},
 		{
@ -121,6 +121,11 @@ func Test_joinLicenses(t *testing.T) {
 			args: []string{"MIT AND Apache", "GPL-3.0-only"},
 			want: "(MIT AND Apache) AND GPL-3.0-only",
 		},
+		{
+			name: "multiple licenses with license references?",
+			args: []string{"MIT AND Apache", "GPL-3.0-only"},
+			want: "(MIT AND Apache) AND GPL-3.0-only",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/syft/pkg/license.go
+++ b/syft/pkg/license.go
@ -81,6 +81,7 @@ func NewLicenseFromType(value string, t license.Type) License {
 	// in this case we annotate this as the full text to not lose value and do not extract the complex case
 	if strings.Contains(value, "\n") {
 		return License{
+			Type:     t,
 			FullText: value,
 		}
 	}
@ -98,6 +99,7 @@ func NewLicenseFromType(value string, t license.Type) License {
 	}

 	return License{
+		Value:          value,
 		SPDXExpression: spdxExpression,
 		Type:           t,
 		Locations:      file.NewLocationSet(),