Comments (9)
Do you mind me using your example as a new unit test case?
@mrutkows I am happy to help. Of course you can use it as an example
from sbom-utility.
The UNDEFINED behavior indicates the license policy file (i.e. "mre-license.json") was not found...
If not running in --quiet
mode, you may see the WARNINGs:
[WARN] unable to find license policy config file: `.mre-license.json`
[WARN] License policy will default to `UNDEFINED`.
have you tried using instead using simply -config-license mre-license.json
?
e.g.,
.\sbom-utility.exe license list -i "mre-sbom.json" --format json --summary --quiet --config-license mre-license.json
Seeing you are using the backslash file sep., are you running this in Windows? If so, I had no avail. Windows test env., but endeavored to use the system neutral filepath
libraries (i.e., accounts for fore/backslash handling) in all places. Will check tomorrow if those properly handling the strings passed in on the --config-license
parm.
from sbom-utility.
When running (from PowerShell)
.\sbom-utility.exe license list -i "mre-sbom.json" --format json --summary --config-license "mre-license.json"
This gets printed
Welcome to the sbom-utility! Version `v0.9.3` (sbom-utility) (windows/amd64)
============================================================================
[INFO] Loading license policy config file: `mre-license.json`...
[INFO] Attempting to load and unmarshal file `mre-sbom.json`...
[INFO] Successfully unmarshalled data from: `mre-sbom.json`
[INFO] Determining file's SBOM format and version...
[INFO] Determined SBOM format, version (variant): `CycloneDX`, `1.4` (latest)
[INFO] Matching SBOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Scanning document for licenses...
[WARN] invalid SBOM: licenses not found (metadata.licenses) (mre-sbom.json)
[WARN] No license found for component. bomRef: -/ProductWithNpmAndSomeDependencies@- (`ProductWithNpmAndSomeDependencies`, , pkg:npm/ProductWithNpmAndSomeDependencies)
[INFO] Outputting summary (`json` format)...
[WARN] Summary not supported for `json` format; defaulting to `txt` format...
Policy Type ID/Name/Expression Component(s) BOM ref. Document location
------ ---- ------------------ ------------ -------- -----------------
UNDEFINED expression (MIT OR CC0-1.0) type-fest [email protected] components
UNDEFINED invalid NOASSERTION ProductWithNpmAndSomeDependencies -/ProductWithNpmAndSomeDependencies@- metadata.component
from sbom-utility.
When running
.\sbom-utility.exe license list -i "mre-sbom.json" --format json --summary --config-license "mre-license.json"
Against the below SBOM (same filename mre-sbom
), added one component called IDisposableAnalyzers
.
And the same mre-license.json
file.
For component IDisposableAnalyzers
it behaves as expected (allow
)
This gets printed
Welcome to the sbom-utility! Version `v0.9.3` (sbom-utility) (windows/amd64)
============================================================================
[INFO] Loading license policy config file: `mre-license.json`...
[INFO] Attempting to load and unmarshal file `mre-sbom.json`...
[INFO] Successfully unmarshalled data from: `mre-sbom.json`
[INFO] Determining file's SBOM format and version...
[INFO] Determined SBOM format, version (variant): `CycloneDX`, `1.4` (latest)
[INFO] Matching SBOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Scanning document for licenses...
[WARN] invalid SBOM: licenses not found (metadata.licenses) (mre-sbom.json)
[WARN] No license found for component. bomRef: -/ProductWithNpmAndSomeDependencies@- (`ProductWithNpmAndSomeDependencies`, , pkg:npm/ProductWithNpmAndSomeDependencies)
[INFO] Outputting summary (`json` format)...
[WARN] Summary not supported for `json` format; defaulting to `txt` format...
Policy Type ID/Name/Expression Component(s) BOM ref. Document location
------ ---- ------------------ ------------ -------- -----------------
UNDEFINED expression (MIT OR CC0-1.0) type-fest [email protected] components
allow id MIT IDisposableAnalyzers pkg:nuget/[email protected] components
UNDEFINED invalid NOASSERTION ProductWithNpmAndSomeDependencies -/ProductWithNpmAndSomeDependencies@- metadata.component
Click me
file name: mre-sbom
{
"$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"serialNumber": "urn:uuid:50a6176e-bc14-4420-afd6-4b5142bec584",
"metadata": {
"timestamp": "2023-02-24T11:31:49.124Z",
"tools": [
{
"vendor": "@cyclonedx",
"name": "cyclonedx-npm",
"version": "1.8.0",
"externalReferences": [
{
"url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
},
{
"url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
}
]
},
{
"vendor": "@cyclonedx",
"name": "cyclonedx-library",
"version": "1.11.0",
"externalReferences": [
{
"url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
},
{
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
}
]
}
],
"component": {
"type": "application",
"name": "ProductWithNpmAndSomeDependencies",
"bom-ref": "-/ProductWithNpmAndSomeDependencies@-",
"purl": "pkg:npm/ProductWithNpmAndSomeDependencies",
"properties": [
{
"name": "cdx:npm:package:path",
"value": ""
}
]
}
},
"components": [
{
"type": "library",
"name": "type-fest",
"version": "1.4.0",
"bom-ref": "[email protected]",
"author": "Sindre Sorhus",
"description": "A collection of essential TypeScript types",
"hashes": [
{
"alg": "SHA-512",
"content": "c864b36bbe31934506f24fa92e1e687a8622aef2225a8e6dd3fa37cc71c03b6b510e265cc563fb7f2c0d95786a6fafebeac5afc22f91b3240c5a154b7b8055b8"
}
],
"licenses": [
{
"expression": "(MIT OR CC0-1.0)"
}
],
"purl": "pkg:npm/[email protected]",
"externalReferences": [
{
"url": "sindresorhus/type-fest",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository\""
},
{
"url": "https://registry.npmjs.org/type-fest/-/type-fest-1.4.0.tgz",
"type": "distribution",
"comment": "as detected from npm-ls property \"resolved\""
}
],
"properties": [
{
"name": "cdx:npm:package:path",
"value": "node_modules/type-fest"
},
{
"name": "cdx:npm:package:development",
"value": "true"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"publisher": "Johan Larsson, milleniumbug",
"name": "IDisposableAnalyzers",
"version": "4.0.1",
"description": "Analyzers and fixes for IDisposable.",
"scope": "excluded",
"hashes": [
{
"alg": "SHA-512",
"content": "66B1A1885AD746DD599F4794E3AA77FC64C3F7F5F4F992AE143C9506E6F6B14D9E1658CDE6586DC0EAE3A0012D587BDE5C2DC427104C1E79A773835FB2335C00"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://github.com/DotNetAnalyzers/IDisposableAnalyzers",
"type": "website"
},
{
"url": "https://github.com/DotNetAnalyzers/IDisposableAnalyzers",
"type": "vcs"
}
]
}
]
}
```
</details>
from sbom-utility.
@manne Thanks for including all the JSON to reproduce.
The only thing I see as interesting is the use of the outermost parens enclosing the expression, but will debug through.
So far, it appears that Windows file separator is not the issue thank goodness.
from sbom-utility.
@manne It is the outer parens... (the left-right expression tree operand parsing logic will need to be fixed)... If you use "MIT OR CC0-1.0"
(parens removed) it appears to work.
Do you mind me using your example as a new unit test case?
from sbom-utility.
@manne I found the logic issue with assuming any parens has a right-left compound with conjunction AND/OR.... and in this case there is no conjunction or "right side"... needs some thought to not break recursive logic...
from sbom-utility.
After looking at the ABNF grammar: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
It appears, the last case of of "simple-expression":
simple-expression "WITH" license-exception-id /
compound-expression "AND" compound-expression /
compound-expression "OR" compound-expression /
"(" compound-expression ")" )
that is:
"(" compound-expression ")"
was not accounted for in the recursive parsing as my logic always assumed a balanced left-right tree joined by a conjunction. Still thinking of the most elegant way to handle in the recursion...
from sbom-utility.
@manne Would you care to look at my PR (do not know if you have time to clone or pull it, compile and run it) before merge?
I merged the PR as it is a needed fix. Looking forwarded to when you have time to test it yourself and provide feedback. Thanks again for identifying this so well.
from sbom-utility.
Related Issues (20)
- Enhancement: Summarize "duplicate components" schema error HOT 5
- Enhancement: Add testcases to validate JSF signatures HOT 1
- replace deprecated `ioutil` package functions with latest advised `io` and `os` package replacements HOT 10
- Support stdin for input HOT 1
- Include config.json and licenses.json in the compiled executable HOT 2
- Support Graph rendering of dependences and formatted (graph) output
- Testcase: Need test for new complex "licenseChoice" schema defn. HOT 1
- Create Microsoft Softare Installer (MSI) file for Windows
- Testcase: Need new test case for new "Creation Tools" object
- Release v013.0 is missing release assets HOT 2
- Testcase: Need testcase that has a CDXService with no "bom-ref"
- Support OWASP SCVS "Profiles" for use in validation, trimming, etc. commands
- `diff` panics while diffing two files HOT 9
- SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x104bfa024
- Feature Request - Generate JSON with entire structure
- TODO: Change Formulation and ModelCard schemas to use pointers
- Support SPDX in the "patch" command
- Add support for "legacy" and new `Tool` structure introduced in CycloneDX v1.5 HOT 1
- Support for both the v1.5 component evidence `identity` and the v1.6 array of `componentIdentityEvidence` HOT 2
- Add Apache Skywalking-eyes license checking to GitHub action CI workflow HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sbom-utility.