
Commit c96dcdd

authored
fix(sbom): use NOASSERTION for licenses fields in SPDX formats (#7403)
1 parent 7aea79d commit c96dcdd


3 files changed

+28
-27
lines changed


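--- a/integration/testdata/julia-spdx.json.golden
+++ b/integration/testdata/julia-spdx.json.golden
@@ -31,8 +31,8 @@
 "downloadLocation": "NONE",
 "filesAnalyzed": false,
 "sourceInfo": "package found in: Manifest.toml",
-"licenseConcluded": "NONE",
-"licenseDeclared": "NONE",
+"licenseConcluded": "NOASSERTION",
+"licenseDeclared": "NOASSERTION",
 "externalRefs": [
 {
 "referenceCategory": "PACKAGE-MANAGER",
@@ -54,8 +54,8 @@
 "downloadLocation": "NONE",
 "filesAnalyzed": false,
 "sourceInfo": "package found in: Manifest.toml",
-"licenseConcluded": "NONE",
-"licenseDeclared": "NONE",
+"licenseConcluded": "NOASSERTION",
+"licenseDeclared": "NOASSERTION",
 "externalRefs": [
 {
 "referenceCategory": "PACKAGE-MANAGER",
@@ -77,8 +77,8 @@
 "downloadLocation": "NONE",
 "filesAnalyzed": false,
 "sourceInfo": "package found in: Manifest.toml",
-"licenseConcluded": "NONE",
-"licenseDeclared": "NONE",
+"licenseConcluded": "NOASSERTION",
+"licenseDeclared": "NOASSERTION",
 "externalRefs": [
 {
 "referenceCategory": "PACKAGE-MANAGER",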

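--- a/pkg/sbom/spdx/marshal.go
+++ b/pkg/sbom/spdx/marshal.go
@@ -33,6 +33,7 @@ const (
 CreatorOrganization = "aquasecurity"
 CreatorTool = "trivy"
 noneField = "NONE"
+noAssertionField = "NOASSERTION"
 )
 
 const (
@@ -378,7 +379,7 @@ func (m *Marshaler) spdxAttributionTexts(c *core.Component) []string {
 
 func (m *Marshaler) spdxLicense(c *core.Component) string {
 if len(c.Licenses) == 0 {
-return noneField
+return noAssertionField
 }
 return NormalizeLicense(c.Licenses)
 }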
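Review bot: spdxLicense in the second hunk has no doc comment, so a reader cannot tell why an empty c.Licenses now maps to NOASSERTION instead of NONE; in SPDX the two values carry different claims (NONE asserts the package has no license, NOASSERTION means the producer makes no claim), and downstream license-policy tooling treats them differently. I would add `// spdxLicense returns the SPDX license expression for c. When no license was detected it returns NOASSERTION rather than NONE, because NONE would assert that the package has no license at all.` above the function. The same distinction deserves a trailing comment on the new constant in the first hunk, e.g. `noAssertionField = "NOASSERTION" // SPDX: no claim made; NONE would mean "no license"`, since noneField is still used for other fields such as downloadLocation.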

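--- a/pkg/sbom/spdx/marshal_test.go
+++ b/pkg/sbom/spdx/marshal_test.go
@@ -217,8 +217,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "actioncontroller",
 PackageVersion: "7.0.1",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageAttributionTexts: []string{
 "PkgType: bundler",
 },
@@ -238,8 +238,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "actionpack",
 PackageVersion: "7.0.1",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageAttributionTexts: []string{
 "PkgType: bundler",
 },
@@ -259,8 +259,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "actionpack",
 PackageVersion: "7.0.1",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageAttributionTexts: []string{
 "PkgType: bundler",
 },
@@ -536,8 +536,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "actionpack",
 PackageVersion: "7.0.1",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageExternalReferences: []*spdx.PackageExternalReference{
 {
 Category: tspdx.CategoryPackageManager,
@@ -561,8 +561,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "actionpack",
 PackageVersion: "7.0.1",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageExternalReferences: []*spdx.PackageExternalReference{
 {
 Category: tspdx.CategoryPackageManager,
@@ -750,8 +750,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "actioncable",
 PackageVersion: "6.1.4.1",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageExternalReferences: []*spdx.PackageExternalReference{
 {
 Category: tspdx.CategoryPackageManager,
@@ -771,8 +771,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "com.example:example",
 PackageVersion: "1.0.0",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageExternalReferences: []*spdx.PackageExternalReference{
 {
 Category: tspdx.CategoryPackageManager,
@@ -889,8 +889,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "org.apache.logging.log4j:log4j-core",
 PackageVersion: "2.17.0",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageExternalReferences: []*spdx.PackageExternalReference{
 {
 Category: tspdx.CategoryPackageManager,
@@ -1229,8 +1229,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageSPDXIdentifier: spdx.ElementID("Package-b1c3b9e2363f5ff7"),
 PackageDownloadLocation: "NONE",
 PackageName: "./private_repos/cnrm.googlesource.com/cnrm/",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PrimaryPackagePurpose: tspdx.PackagePurposeLibrary,
 PackageSupplier: &spdx.Supplier{Supplier: tspdx.PackageSupplierNoAssertion},
 PackageSourceInfo: "package found in: /usr/local/bin/test",
@@ -1243,8 +1243,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 PackageDownloadLocation: "NONE",
 PackageName: "golang.org/x/crypto",
 PackageVersion: "v0.0.1",
-PackageLicenseConcluded: "NONE",
-PackageLicenseDeclared: "NONE",
+PackageLicenseConcluded: "NOASSERTION",
+PackageLicenseDeclared: "NOASSERTION",
 PackageExternalReferences: []*spdx.PackageExternalReference{
 {
 Category: tspdx.CategoryPackageManager,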
