SPDX expressions are lost from CycloneDX if they contain extra parentheses #3441

Open
pasieronen opened this issue Nov 13, 2024 · 1 comment
Labels: bug (Something isn't working)

@pasieronen
What happened:

Given a very minimal CycloneDX SBOM as input:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "library",
      "name": "one",
      "licenses": [{"expression": "BSD-3-Clause OR MIT"}]
    },
    {
      "type": "library",
      "name": "two",
      "licenses": [{"expression": "(BSD-3-Clause OR MIT)"}]
    }
  ]
}

Note that in the input, component "two" has extra parentheses around the SPDX expression (which are allowed by the SPDX spec, as far as I can tell).

Running syft SBOM cataloger and outputting to CycloneDX:

syft scan file:./test.cdx.json --output=cyclonedx-json --select-catalogers "+sbom-cataloger"

What you expected to happen:

I'd expect both components to have licenses in the output. But what happens is that component "one" has the expected license, but component "two" does not have a license at all.

Interestingly enough, if I use --output=json, it looks like both components have licenses...

Environment:

  • Output of syft version:
Application: syft
Version:    1.16.0
BuildDate:  2024-11-04T22:29:33Z
GitCommit:  8a41d772509d37267a65e0b425808e883e4b9dce
GitDescription: v1.16.0
Platform:   darwin/arm64
GoVersion:  go1.22.8
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar): macOS 14.7.1
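An added regression check, not part of the report or of syft, that diffs license expressions between an input and output CycloneDX document. It treats a redundant pair of outer parentheses as equivalent to the bare expression, so the comparison follows SPDX semantics rather than surface text, and flags any component whose license was dropped. Both documents are constructed inline to match the behaviour described above.

```python
import json
# Constructed input: the SBOM from the report ("two" has redundant outer parentheses).
INPUT_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "one",
     "licenses": [{"expression": "BSD-3-Clause OR MIT"}]},
    {"type": "library", "name": "two",
     "licenses": [{"expression": "(BSD-3-Clause OR MIT)"}]}
  ]}""")

# Constructed output modelled on the reported behaviour: "one" keeps its license, "two" has none.
OUTPUT_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "one",
     "licenses": [{"expression": "BSD-3-Clause OR MIT"}]},
    {"type": "library", "name": "two"}
  ]}""")

def wrapped_by_one_pair(expr: str) -> bool:
    """True when the leading '(' is closed by the final ')', making the pair redundant.
    '(MIT) OR (Apache-2.0)' is not wrapped; unbalanced input is never reported as wrapped."""
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and i != len(expr) - 1:
            return False  # the first group closes before the end
    return depth == 0

def normalize_expression(expr: str) -> str:
    """Strip redundant outer parentheses; the rest is left as written."""
    expr = expr.strip()
    while wrapped_by_one_pair(expr):
        expr = expr[1:-1].strip()
    return expr

def license_expressions(bom: dict) -> dict:
    """Component name -> set of normalised license expressions."""
    return {c["name"]: {normalize_expression(l["expression"])
                        for l in c.get("licenses", []) if "expression" in l}
            for c in bom.get("components", [])}

def lost_licenses(input_bom: dict, output_bom: dict) -> dict:
    """Components whose input license expressions are missing from the output."""
    before, after = license_expressions(input_bom), license_expressions(output_bom)
    return {name: missing for name, exprs in before.items()
            if (missing := exprs - after.get(name, set()))}
```

Run the check against a real pair of files by loading them with json.load in place of the constructed documents; a non-empty result means license data was silently dropped somewhere in the pipeline.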
@pasieronen pasieronen added the bug Something isn't working label Nov 13, 2024
@spiffcs spiffcs moved this to Ready in OSS Nov 20, 2024
@spiffcs spiffcs self-assigned this Nov 20, 2024
@spiffcs (Contributor) commented Nov 20, 2024

Thanks @pasieronen! I've reproduced this on my local and have picked this bug up to fix ASAP.

@spiffcs spiffcs moved this from Ready to In Progress in OSS Nov 21, 2024
@spiffcs spiffcs removed their assignment Dec 10, 2024
@willmurphyscode willmurphyscode moved this from In Progress to In Review in OSS Dec 10, 2024