fix: properly decode SPDX license expressions in CycloneDX format (#3175)

Signed-off-by: Mikail Kocak <mikail-gh@pm.me>
2024-11-10 06:14:16 +00:00 · 2024-08-29 17:05:43 +02:00 · 2024-08-29 17:05:43 +02:00 · f2caf45695
commit f2caf45695
parent 731fc77641
2 changed files with 5 additions and 8 deletions
--- a/syft/format/internal/cyclonedxutil/helpers/licenses.go
+++ b/syft/format/internal/cyclonedxutil/helpers/licenses.go
@ -54,17 +54,14 @@ func decodeLicenses(c *cyclonedx.Component) []pkg.License {
 	}
 	for _, l := range *c.Licenses {
 		if l.License == nil {
 			continue
 		}
 		// these fields are mutually exclusive in the spec
 		switch {
-		case l.License.ID != "":
+		case l.License != nil && l.License.ID != "":
 			licenses = append(licenses, pkg.NewLicenseFromURLs(l.License.ID, l.License.URL))
-		case l.License.Name != "":
+		case l.License != nil && l.License.Name != "":
 			licenses = append(licenses, pkg.NewLicenseFromURLs(l.License.Name, l.License.URL))
 		case l.Expression != "":
-			licenses = append(licenses, pkg.NewLicenseFromURLs(l.Expression, l.License.URL))
+			licenses = append(licenses, pkg.NewLicense(l.Expression))
 		default:
 		}
 	}
--- a/syft/format/internal/cyclonedxutil/helpers/licenses_test.go
+++ b/syft/format/internal/cyclonedxutil/helpers/licenses_test.go
@ -254,7 +254,8 @@ func TestDecodeLicenses(t *testing.T) {
 			input: &cyclonedx.Component{
 				Licenses: &cyclonedx.Licenses{
 					{
-						License:    &cyclonedx.License{},
+						// CycloneDX specification doesn't allow to provide License if Expression is provided
 						License:    nil,
 						Expression: "MIT AND GPL-3.0-only WITH Classpath-exception-2.0",
 					},
 				},
@ -264,7 +265,6 @@ func TestDecodeLicenses(t *testing.T) {
 					Value:          "MIT AND GPL-3.0-only WITH Classpath-exception-2.0",
 					SPDXExpression: "MIT AND GPL-3.0-only WITH Classpath-exception-2.0",
 					Type:           license.Declared,
 					URLs:           []string{},
 				},
 			},
 		},