Fall back to license from package if not present in versioned package

internal/utils/spdx.go

@@ -32,9 +32,15 @@ func GetPurlFromSPDXPackage(pkg *spdx_2_3.Package) (*packageurl.PackageURL, erro
 	return &purl, nil
 }
 
-func GetSPDXLicenseExpressionFromEcosystemsLicense(data *packages.VersionWithDependencies) string {
-	if data == nil || data.Licenses == nil || *data.Licenses == "" {
+func GetSPDXLicenseExpressionFromEcosystemsLicense(pkgVersionData *packages.VersionWithDependencies, pkgData *packages.Package) string {
+	licenses := ""
+	if pkgVersionData != nil && pkgVersionData.Licenses != nil && *pkgVersionData.Licenses != "" {
+		licenses = *pkgVersionData.Licenses
+	} else if pkgData != nil && pkgData.Licenses != nil && *pkgData.Licenses != "" {
+		licenses = *pkgData.Licenses
+	}
+	if licenses == "" {
 		return ""
 	}
-	return fmt.Sprintf("(%s)", strings.Join(strings.Split(*data.Licenses, ","), " OR "))
+	return fmt.Sprintf("(%s)", strings.Join(strings.Split(licenses, ","), " OR "))
 }

internal/utils/spdx_test.go

@@ -11,29 +11,52 @@ import (
 
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense(t *testing.T) {
 	assert := assert.New(t)
-	licenses := "GPLv2,MIT"
-	data := packages.VersionWithDependencies{Licenses: &licenses}
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&data)
+	versionedLicenses := "GPLv2,MIT"
+	pkgVersionData := packages.VersionWithDependencies{Licenses: &versionedLicenses}
+	latestLicenses := "Apache-2.0"
+	pkgData := packages.Package{Licenses: &latestLicenses}
+	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
 	assert.Equal("(GPLv2 OR MIT)", expression)
 }
 
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoData(t *testing.T) {
 	assert := assert.New(t)
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(nil)
+	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(nil, nil)
 	assert.Equal("", expression)
 }
 
+func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoVersionedData(t *testing.T) {
+	assert := assert.New(t)
+	pkgVersionData := packages.VersionWithDependencies{}
+	latestLicenses := "Apache-2.0"
+	pkgData := packages.Package{Licenses: &latestLicenses}
+	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
+	assert.Equal("(Apache-2.0)", expression)
+}
+
+func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoLatestData(t *testing.T) {
+	assert := assert.New(t)
+	versionedLicenses := "GPLv2,MIT"
+	pkgVersionData := packages.VersionWithDependencies{Licenses: &versionedLicenses}
+	pkgData := packages.Package{}
+	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
+	assert.Equal("(GPLv2 OR MIT)", expression)
+}
+
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense_NoLicenses(t *testing.T) {
 	assert := assert.New(t)
-	data := packages.VersionWithDependencies{}
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&data)
+	pkgVersionData := packages.VersionWithDependencies{}
+	pkgData := packages.Package{}
+	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
 	assert.Equal("", expression)
 }
 
 func TestGetSPDXLicenseExpressionFromEcosystemsLicense_EmptyLicenses(t *testing.T) {
 	assert := assert.New(t)
-	licenses := ""
-	data := packages.VersionWithDependencies{Licenses: &licenses}
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&data)
+	versionedLicenses := ""
+	pkgVersionData := packages.VersionWithDependencies{Licenses: &versionedLicenses}
+	latestLicenses := ""
+	pkgData := packages.Package{Licenses: &latestLicenses}
+	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(&pkgVersionData, &pkgData)
 	assert.Equal("", expression)
 }

lib/ecosystems/enrich_cyclonedx.go

@@ -31,7 +31,7 @@ import (
 )
 
 type cdxPackageEnricher = func(*cdx.Component, *packages.Package)
-type cdxPackageVersionEnricher = func(*cdx.Component, *packages.VersionWithDependencies)
+type cdxPackageVersionEnricher = func(*cdx.Component, *packages.VersionWithDependencies, *packages.Package)
 
 var cdxPackageEnrichers = []cdxPackageEnricher{
 	enrichCDXDescription,
@@ -58,8 +58,8 @@ func enrichCDXDescription(comp *cdx.Component, data *packages.Package) {
 	}
 }
 
-func enrichCDXLicense(comp *cdx.Component, data *packages.VersionWithDependencies) {
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(data)
+func enrichCDXLicense(comp *cdx.Component, pkgVersionData *packages.VersionWithDependencies, pkgData *packages.Package) {
+	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(pkgVersionData, pkgData)
 	if expression != "" {
 		licenses := cdx.LicenseChoice{Expression: expression}
 		comp.Licenses = &cdx.Licenses{licenses}
@@ -248,7 +248,7 @@ func enrichCDX(bom *cdx.BOM, logger *zerolog.Logger) {
 			}
 
 			for _, enrichFunc := range cdxPackageVersionEnrichers {
-				enrichFunc(comp, packageVersionResp.JSON200)
+				enrichFunc(comp, packageVersionResp.JSON200, packageResp.JSON200)
 			}
 
 		}(comps[i])

lib/ecosystems/enrich_cyclonedx_test.go

@@ -190,15 +190,54 @@ func TestEnrichLicense(t *testing.T) {
 		Name:    "cyclonedx-go",
 		Version: "v0.3.0",
 	}
-	lic := "BSD-3-Clause"
-	pack := &packages.VersionWithDependencies{
-		Licenses: &lic,
+	versionedLicenses := "BSD-3-Clause"
+	pkgVersionData := &packages.VersionWithDependencies{Licenses: &versionedLicenses}
+	latestLicenses := "Apache-2.0"
+	pkgData := &packages.Package{Licenses: &latestLicenses}
+
+	enrichCDXLicense(component, pkgVersionData, pkgData)
+
+	licenses := *component.Licenses
+	comp := cdx.LicenseChoice(cdx.LicenseChoice{Expression: "(BSD-3-Clause)"})
+	assert.Equal(t, 1, len(licenses))
+	assert.Equal(t, comp, licenses[0])
+}
+
+func TestEnrichLicenseNoVersionedLicense(t *testing.T) {
+	component := &cdx.Component{
+		Type:    cdx.ComponentTypeLibrary,
+		Name:    "cyclonedx-go",
+		Version: "v0.3.0",
+	}
+	versionedLicenses := ""
+	pkgVersionData := &packages.VersionWithDependencies{Licenses: &versionedLicenses}
+	latestLicenses := "Apache-2.0"
+	pkgData := &packages.Package{Licenses: &latestLicenses}
+
+	enrichCDXLicense(component, pkgVersionData, pkgData)
+
+	licenses := *component.Licenses
+	comp := cdx.LicenseChoice(cdx.LicenseChoice{Expression: "(Apache-2.0)"})
+	assert.Equal(t, 1, len(licenses))
+	assert.Equal(t, comp, licenses[0])
+}
+
+func TestEnrichLicenseNoLatestLicense(t *testing.T) {
+	component := &cdx.Component{
+		Type:    cdx.ComponentTypeLibrary,
+		Name:    "cyclonedx-go",
+		Version: "v0.3.0",
 	}
+	versionedLicenses := "BSD-3-Clause"
+	pkgVersionData := &packages.VersionWithDependencies{Licenses: &versionedLicenses}
+	latestLicenses := ""
+	pkgData := &packages.Package{Licenses: &latestLicenses}
 
-	enrichCDXLicense(component, pack)
+	enrichCDXLicense(component, pkgVersionData, pkgData)
 
 	licenses := *component.Licenses
 	comp := cdx.LicenseChoice(cdx.LicenseChoice{Expression: "(BSD-3-Clause)"})
+	assert.Equal(t, 1, len(licenses))
 	assert.Equal(t, comp, licenses[0])
 }
 

lib/ecosystems/enrich_spdx.go

@@ -64,7 +64,7 @@ func enrichSPDX(bom *spdx.Document, logger *zerolog.Logger) {
 			continue
 		}
 
-		enrichSPDXLicense(pkg, pkgVersionData)
+		enrichSPDXLicense(pkg, pkgVersionData, pkgData)
 	}
 }
 
@@ -96,10 +96,10 @@ func enrichSPDXSupplier(pkg *v2_3.Package, data *packages.Package) {
 	}
 }
 
-func enrichSPDXLicense(pkg *v2_3.Package, data *packages.VersionWithDependencies) {
-	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(data)
+func enrichSPDXLicense(pkg *v2_3.Package, pkgVersionData *packages.VersionWithDependencies, pkgData *packages.Package) {
+	expression := utils.GetSPDXLicenseExpressionFromEcosystemsLicense(pkgVersionData, pkgData)
 	if expression != "" {
-		pkg.PackageLicenseConcluded = *data.Licenses
+		pkg.PackageLicenseConcluded = *pkgVersionData.Licenses
 	}
 }