fix: retain previous behaviour of using unformatted licenses

snyk · Feb 6, 2025 · b88f63d · b88f63d
1 parent c6eb75f
commit b88f63d
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 12 deletions.
diff --git a/internal/utils/spdx.go b/internal/utils/spdx.go
@@ -32,13 +32,18 @@ func GetPurlFromSPDXPackage(pkg *spdx_2_3.Package) (*packageurl.PackageURL, erro
 	return &purl, nil
 }
 
-func GetSPDXLicenseExpressionFromEcosystemsLicense(pkgVersionData *packages.VersionWithDependencies, pkgData *packages.Package) string {
+func GetLicensesFromEcosystemsLicense(pkgVersionData *packages.VersionWithDependencies, pkgData *packages.Package) []string {
 	licenses := []string{}
 	if pkgVersionData != nil && pkgVersionData.Licenses != nil && *pkgVersionData.Licenses != "" {
 		licenses = strings.Split(*pkgVersionData.Licenses, ",")
 	} else if pkgData != nil && len(pkgData.NormalizedLicenses) > 0 {
 		licenses = pkgData.NormalizedLicenses
 	}
+	return licenses
+}
+
+func GetLicenseExpressionFromEcosystemsLicense(pkgVersionData *packages.VersionWithDependencies, pkgData *packages.Package) string {
+	licenses := GetLicensesFromEcosystemsLicense(pkgVersionData, pkgData)
 	if len(licenses) == 0 {
 		return ""
 	}

diff --git a/internal/utils/spdx_test.go b/internal/utils/spdx_test.go
@@ -15,13 +15,13 @@ func TestGetSPDXLicenseExpressionFromEcosystemsLicense(t *testing.T) {
 	pkgVersionData := packages.VersionWithDependencies{Licenses: &versionedLicenses}
 	latestLicenses := []string{"Apache-2.0"}
 	pkgData := packages.Package{NormalizedLicenses: latestLicenses}
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
+	expression := utils.GetLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
 	assert.Equal("(GPLv2 OR MIT)", expression)
 }
 
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoData(t *testing.T) {
 	assert := assert.New(t)
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(nil, nil)
+	expression := utils.GetLicenseExpressionFromEcosystemsLicense(nil, nil)
 	assert.Equal("", expression)
 }
 
@@ -30,7 +30,7 @@ func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoVersionedData(t *testin
 	pkgVersionData := packages.VersionWithDependencies{}
 	latestLicenses := []string{"Apache-2.0"}
 	pkgData := packages.Package{NormalizedLicenses: latestLicenses}
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
+	expression := utils.GetLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
 	assert.Equal("(Apache-2.0)", expression)
 }
 
@@ -39,24 +39,24 @@ func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoLatestData(t *testing.T
 	versionedLicenses := "GPLv2,MIT"
 	pkgVersionData := packages.VersionWithDependencies{Licenses: &versionedLicenses}
 	pkgData := packages.Package{}
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
+	expression := utils.GetLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
 	assert.Equal("(GPLv2 OR MIT)", expression)
 }
 
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoLicenses(t *testing.T) {
 	assert := assert.New(t)
 	pkgVersionData := packages.VersionWithDependencies{}
 	pkgData := packages.Package{}
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
+	expression := utils.GetLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
 	assert.Equal("", expression)
 }
 
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense_EmptyLicenses(t *testing.T) {
 	assert := assert.New(t)
 	versionedLicenses := ""
 	pkgVersionData := packages.VersionWithDependencies{Licenses: &versionedLicenses}
-	latestLicenses := []string{""}
+	latestLicenses := []string{}
 	pkgData := packages.Package{NormalizedLicenses: latestLicenses}
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
+	expression := utils.GetLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
 	assert.Equal("", expression)
 }
diff --git a/lib/ecosystems/enrich_cyclonedx.go b/lib/ecosystems/enrich_cyclonedx.go
@@ -59,7 +59,7 @@ func enrichCDXDescription(comp *cdx.Component, data *packages.Package) {
 }
 
 func enrichCDXLicense(comp *cdx.Component, pkgVersionData *packages.VersionWithDependencies, pkgData *packages.Package) {
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(pkgVersionData, pkgData)
+	expression := utils.GetLicenseExpressionFromEcosystemsLicense(pkgVersionData, pkgData)
 	if expression != "" {
 		licenses := cdx.LicenseChoice{Expression: expression}
 		comp.Licenses = &cdx.Licenses{licenses}

diff --git a/lib/ecosystems/enrich_spdx.go b/lib/ecosystems/enrich_spdx.go
@@ -18,6 +18,7 @@ package ecosystems
 
 import (
 	"errors"
+	"strings"
 
 	"github.com/package-url/packageurl-go"
 	"github.com/rs/zerolog"
@@ -97,9 +98,9 @@ func enrichSPDXSupplier(pkg *v2_3.Package, data *packages.Package) {
 }
 
 func enrichSPDXLicense(pkg *v2_3.Package, pkgVersionData *packages.VersionWithDependencies, pkgData *packages.Package) {
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(pkgVersionData, pkgData)
-	if expression != "" {
-		pkg.PackageLicenseConcluded = *pkgVersionData.Licenses
+	licenses := utils.GetLicensesFromEcosystemsLicense(pkgVersionData, pkgData)
+	if len(licenses) > 0 {
+		pkg.PackageLicenseConcluded = strings.Join(licenses, ",")
 	}
 }