test: update tests to match new SPDXLicense structure

Signed-off-by: Christopher Phillips <[email protected]>
anchore · Oct 1, 2024 · 6f40189 · 6f40189
1 parent 8a722d0
commit 6f40189
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 6 deletions.
diff --git a/syft/format/internal/spdxutil/helpers/license.go b/syft/format/internal/spdxutil/helpers/license.go
@@ -3,13 +3,16 @@ package helpers
 import (
 	"crypto/sha256"
 	"fmt"
-	"strings"
+	"regexp"
 
 	"github.com/anchore/syft/internal/spdxlicense"
 	"github.com/anchore/syft/syft/license"
 	"github.com/anchore/syft/syft/pkg"
+	"strings"
 )
 
+var validSPDXValue = regexp.MustCompile("[^A-Za-z0-9\\-\\.]+")
+
 func License(p pkg.Package) (concluded, declared string) {
 	// source: https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field
 	// The options to populate this field are limited to:
@@ -58,8 +61,9 @@ func joinLicenses(licenses []SPDXLicense) string {
 }
 
 type SPDXLicense struct {
-	ID    string
-	Value string
+	ID       string
+	Value    string
+	FullText string
 }
 
 func ParseLicenses(raw []pkg.License) (concluded, declared []SPDXLicense) {
@@ -69,14 +73,25 @@ func ParseLicenses(raw []pkg.License) (concluded, declared []SPDXLicense) {
 		}
 
 		candidate := SPDXLicense{}
-		// a pkg license can have a couple combinations of values
-		if l.SPDXExpression != "" {
+		// extract which value was used for the license
+		switch {
+		case l.SPDXExpression != "":
 			candidate.ID = l.SPDXExpression
 			hash := sha256.Sum256([]byte(l.Value))
 			candidate.ID = fmt.Sprintf("%s%x", spdxlicense.LicenseRefPrefix, hash)
 			candidate.Value = l.Value
+		case l.Value != "":
+			hash := sha256.Sum256([]byte(l.Value))
+			candidate.ID = fmt.Sprintf("%s%x", spdxlicense.LicenseRefPrefix, hash)
+			validSpdxRef := validSPDXValue.ReplaceAllString(l.Value, "-")
+			candidate.Value = fmt.Sprintf("%s%s", spdxlicense.LicenseRefPrefix, validSpdxRef)
+		default:
+			hash := sha256.Sum256([]byte(l.FullText))
+			candidate.ID = fmt.Sprintf("%s%x", spdxlicense.LicenseRefPrefix, hash)
+			candidate.FullText = l.FullText
 		}
 
+		// extract if concluded or declared
 		switch l.Type {
 		case license.Concluded:
 			concluded = append(concluded, candidate)

diff --git a/syft/format/internal/spdxutil/helpers/license_test.go b/syft/format/internal/spdxutil/helpers/license_test.go
@@ -77,7 +77,7 @@ func Test_License(t *testing.T) {
 			expected: expected{
 				concluded: "NOASSERTION",
 				// because we separate licenses between valid SPDX and non valid, valid ID always end at the front
-				declared: "MIT AND LicenseRef-one-thing-first AND LicenseRef-two-things----second",
+				declared: "MIT AND LicenseRef-one-thing-first AND LicenseRef-two-things-second",
 			},
 		},
 		{
@@ -121,6 +121,11 @@ func Test_joinLicenses(t *testing.T) {
 			args: []string{"MIT AND Apache", "GPL-3.0-only"},
 			want: "(MIT AND Apache) AND GPL-3.0-only",
 		},
+		{
+			name: "multiple licenses with license references?",
+			args: []string{"MIT AND Apache", "GPL-3.0-only"},
+			want: "(MIT AND Apache) AND GPL-3.0-only",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/syft/pkg/license.go b/syft/pkg/license.go
@@ -81,6 +81,7 @@ func NewLicenseFromType(value string, t license.Type) License {
 	// in this case we annotate this as the full text to not lose value and do not extract the complex case
 	if strings.Contains(value, "\n") {
 		return License{
+			Type:     t,
 			FullText: value,
 		}
 	}
@@ -98,6 +99,7 @@ func NewLicenseFromType(value string, t license.Type) License {
 	}
 
 	return License{
+		Value:          value,
 		SPDXExpression: spdxExpression,
 		Type:           t,
 		Locations:      file.NewLocationSet(),