fix(parser): recover licenses from CycloneDX expressions and SPDX declared field#32
Open
dmchaledev wants to merge 1 commit into
Open
fix(parser): recover licenses from CycloneDX expressions and SPDX declared field#32dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
…lared field
Two license data-loss bugs in the public parse() API:
- CycloneDX components licensed via an SPDX license *expression*
(e.g. `{ "expression": "MIT OR Apache-2.0" }`) — a spec-valid and common
shape for dual/expression-licensed packages — yielded `license: undefined`
because only `license.id` / `license.name` were read.
- SPDX packages whose `licenseConcluded` is the sentinel "NOASSERTION" stored
that meaningless string verbatim and ignored `licenseDeclared`, discarding
the real license. Now prefer a concrete concluded license, fall back to the
declared license, and drop the NOASSERTION sentinel.
Both feed the license/compliance use case the README advertises. Adds tests
for the expression path and the SPDX declared-license fallback.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Qqw3TvZsp8exiuHLLLkxTA
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two license data-loss bugs in the public
parse()API. Both silently drop a component's license, returningundefined(or a useless sentinel) even though the source SBOM carries the real value. This is squarely in thesupply-chain-securityremit and directly feeds the license-compliance use case the README advertises (and the proposed license-diff work in #9).Both fixes are confined to
src/parser.ts(license extraction only) — untouched by any open PR, so no conflict with the in-flightdiff.ts/reporter.ts/cli.tswork.Bug 1 — CycloneDX license expression is dropped
CycloneDX allows a
licensesentry to be an SPDX license expression instead of a license object, e.g.:{ "name": "dual", "version": "1.0.0", "licenses": [{ "expression": "MIT OR Apache-2.0" }] }extractCycloneDXLicense()only readlicense.id/license.name, so any dual- or expression-licensed component yieldedlicense: undefined. Expression licensing is common, so this is real signal loss.Bug 2 — SPDX
NOASSERTIONstored verbatim,licenseDeclaredignoredMany generators leave
licenseConcludedas the SPDX sentinel"NOASSERTION"while the real license sits inlicenseDeclared:{ "name": "foo", "versionInfo": "1.0.0", "licenseConcluded": "NOASSERTION", "licenseDeclared": "BSD-3-Clause" }The old code stored the string
"NOASSERTION"verbatim and never looked atlicenseDeclared, so the knownBSD-3-Clauselicense was lost. The fix prefers a concrete concluded license, falls back to the declared license, and drops theNOASSERTIONsentinel (leavinglicenseundefined only when neither field is meaningful).Before / after
Changes
src/parser.ts:extractCycloneDXLicense()now falls back tolicenses[].expression; newextractSPDXLicense()helper handles thelicenseConcluded→licenseDeclaredfallback and theNOASSERTIONsentinel.src/__tests__/parser.test.ts: adds coverage for the CycloneDX expression path and the SPDX declared-license fallback (incl. the both-NOASSERTION → undefined case).Testing
npx tsc --noEmit— cleannpm run lint— cleannpm test— 33 passed (4 new)Backward compatible: only previously-
undefined/sentinel license values change; components that already resolved a license are unaffected.🤖 Generated with Claude Code
https://claude.ai/code/session_01Qqw3TvZsp8exiuHLLLkxTA
Generated by Claude Code