Thanks for this great software. I have a software with a component <

Do you mind me using your example as a new unit test case? </blockquo

When running (from PowerShell) <div class="snippet-clipboard-content notranslate p

When running <div class="snippet-clipboard-content notranslate position-relative o

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

After looking at the ABNF grammar: <a href="https://spdx.github.io/spdx-spec/v2.3/SPDX

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Composite SPDX license expression not recognized about sbom-utility HOT 9 CLOSED

manne commented on July 1, 2024

Composite SPDX license expression not recognized

from sbom-utility.

Comments (9)

manne commented on July 1, 2024 1

Do you mind me using your example as a new unit test case?

@mrutkows I am happy to help. Of course you can use it as an example

from sbom-utility.

mrutkows commented on July 1, 2024

The UNDEFINED behavior indicates the license policy file (i.e. "mre-license.json") was not found...

If not running in --quiet mode, you may see the WARNINGs:

[WARN] unable to find license policy config file: `.mre-license.json`
[WARN] License policy will default to `UNDEFINED`.

have you tried using instead using simply -config-license mre-license.json?

e.g.,

.\sbom-utility.exe license list -i "mre-sbom.json" --format json --summary --quiet --config-license mre-license.json

Seeing you are using the backslash file sep., are you running this in Windows? If so, I had no avail. Windows test env., but endeavored to use the system neutral filepath libraries (i.e., accounts for fore/backslash handling) in all places. Will check tomorrow if those properly handling the strings passed in on the --config-license parm.

from sbom-utility.

manne commented on July 1, 2024

When running (from PowerShell)

.\sbom-utility.exe license list -i "mre-sbom.json" --format json --summary --config-license "mre-license.json"

This gets printed

Welcome to the sbom-utility! Version `v0.9.3` (sbom-utility) (windows/amd64)
============================================================================
[INFO] Loading license policy config file: `mre-license.json`...
[INFO] Attempting to load and unmarshal file `mre-sbom.json`...
[INFO] Successfully unmarshalled data from: `mre-sbom.json`
[INFO] Determining file's SBOM format and version...
[INFO] Determined SBOM format, version (variant): `CycloneDX`, `1.4` (latest)
[INFO] Matching SBOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Scanning document for licenses...
[WARN] invalid SBOM: licenses not found (metadata.licenses) (mre-sbom.json)
[WARN] No license found for component. bomRef: -/ProductWithNpmAndSomeDependencies@- (`ProductWithNpmAndSomeDependencies`, , pkg:npm/ProductWithNpmAndSomeDependencies)
[INFO] Outputting summary (`json` format)...
[WARN] Summary not supported for `json` format; defaulting to `txt` format...
Policy     Type        ID/Name/Expression  Component(s)                       BOM ref.                               Document location
------     ----        ------------------  ------------                       --------                               -----------------
UNDEFINED  expression  (MIT OR CC0-1.0)    type-fest                          [email protected]                        components
UNDEFINED  invalid     NOASSERTION         ProductWithNpmAndSomeDependencies  -/ProductWithNpmAndSomeDependencies@-  metadata.component

from sbom-utility.

manne commented on July 1, 2024

When running

.\sbom-utility.exe license list -i "mre-sbom.json" --format json --summary --config-license "mre-license.json"

Against the below SBOM (same filename mre-sbom), added one component called IDisposableAnalyzers.

And the same mre-license.json file.

For component IDisposableAnalyzers it behaves as expected (allow)

This gets printed

Welcome to the sbom-utility! Version `v0.9.3` (sbom-utility) (windows/amd64)
============================================================================
[INFO] Loading license policy config file: `mre-license.json`...
[INFO] Attempting to load and unmarshal file `mre-sbom.json`...
[INFO] Successfully unmarshalled data from: `mre-sbom.json`
[INFO] Determining file's SBOM format and version...
[INFO] Determined SBOM format, version (variant): `CycloneDX`, `1.4` (latest)
[INFO] Matching SBOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Scanning document for licenses...
[WARN] invalid SBOM: licenses not found (metadata.licenses) (mre-sbom.json)
[WARN] No license found for component. bomRef: -/ProductWithNpmAndSomeDependencies@- (`ProductWithNpmAndSomeDependencies`, , pkg:npm/ProductWithNpmAndSomeDependencies)
[INFO] Outputting summary (`json` format)...
[WARN] Summary not supported for `json` format; defaulting to `txt` format...
Policy     Type        ID/Name/Expression  Component(s)                       BOM ref.                               Document location
------     ----        ------------------  ------------                       --------                               -----------------
UNDEFINED  expression  (MIT OR CC0-1.0)    type-fest                          [email protected]                        components
allow      id          MIT                 IDisposableAnalyzers               pkg:nuget/[email protected]   components
UNDEFINED  invalid     NOASSERTION         ProductWithNpmAndSomeDependencies  -/ProductWithNpmAndSomeDependencies@-  metadata.component

Click me

file name: mre-sbom

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "serialNumber": "urn:uuid:50a6176e-bc14-4420-afd6-4b5142bec584",
  "metadata": {
    "timestamp": "2023-02-24T11:31:49.124Z",
    "tools": [
      {
        "vendor": "@cyclonedx",
        "name": "cyclonedx-npm",
        "version": "1.8.0",
        "externalReferences": [
          {
            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
            "type": "vcs",
            "comment": "as detected from PackageJson property \"repository.url\""
          },
          {
            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
            "type": "website",
            "comment": "as detected from PackageJson property \"homepage\""
          },
          {
            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
            "type": "issue-tracker",
            "comment": "as detected from PackageJson property \"bugs.url\""
          }
        ]
      },
      {
        "vendor": "@cyclonedx",
        "name": "cyclonedx-library",
        "version": "1.11.0",
        "externalReferences": [
          {
            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
            "type": "vcs",
            "comment": "as detected from PackageJson property \"repository.url\""
          },
          {
            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
            "type": "website",
            "comment": "as detected from PackageJson property \"homepage\""
          },
          {
            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
            "type": "issue-tracker",
            "comment": "as detected from PackageJson property \"bugs.url\""
          }
        ]
      }
    ],
    "component": {
      "type": "application",
      "name": "ProductWithNpmAndSomeDependencies",
      "bom-ref": "-/ProductWithNpmAndSomeDependencies@-",
      "purl": "pkg:npm/ProductWithNpmAndSomeDependencies",
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": ""
        }
      ]
    }
  },
  "components": [
    {
      "type": "library",
      "name": "type-fest",
      "version": "1.4.0",
      "bom-ref": "[email protected]",
      "author": "Sindre Sorhus",
      "description": "A collection of essential TypeScript types",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "c864b36bbe31934506f24fa92e1e687a8622aef2225a8e6dd3fa37cc71c03b6b510e265cc563fb7f2c0d95786a6fafebeac5afc22f91b3240c5a154b7b8055b8"
        }
      ],
      "licenses": [
        {
          "expression": "(MIT OR CC0-1.0)"
        }
      ],
      "purl": "pkg:npm/[email protected]",
      "externalReferences": [
        {
          "url": "sindresorhus/type-fest",
          "type": "vcs",
          "comment": "as detected from PackageJson property \"repository\""
        },
        {
          "url": "https://registry.npmjs.org/type-fest/-/type-fest-1.4.0.tgz",
          "type": "distribution",
          "comment": "as detected from npm-ls property \"resolved\""
        }
      ],
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/type-fest"
        },
        {
          "name": "cdx:npm:package:development",
          "value": "true"
        }
      ]
    },
	{
      "type": "library",
      "bom-ref": "pkg:nuget/[email protected]",
      "publisher": "Johan Larsson, milleniumbug",
      "name": "IDisposableAnalyzers",
      "version": "4.0.1",
      "description": "Analyzers and fixes for IDisposable.",
      "scope": "excluded",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "66B1A1885AD746DD599F4794E3AA77FC64C3F7F5F4F992AE143C9506E6F6B14D9E1658CDE6586DC0EAE3A0012D587BDE5C2DC427104C1E79A773835FB2335C00"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "purl": "pkg:nuget/[email protected]",
      "externalReferences": [
        {
          "url": "https://github.com/DotNetAnalyzers/IDisposableAnalyzers",
          "type": "website"
        },
        {
          "url": "https://github.com/DotNetAnalyzers/IDisposableAnalyzers",
          "type": "vcs"
        }
      ]
    }
  ]
}
```
</details>

from sbom-utility.

mrutkows commented on July 1, 2024

@manne Thanks for including all the JSON to reproduce.

The only thing I see as interesting is the use of the outermost parens enclosing the expression, but will debug through.

So far, it appears that Windows file separator is not the issue thank goodness.

from sbom-utility.

mrutkows commented on July 1, 2024

@manne It is the outer parens... (the left-right expression tree operand parsing logic will need to be fixed)... If you use "MIT OR CC0-1.0" (parens removed) it appears to work.

Do you mind me using your example as a new unit test case?

from sbom-utility.

mrutkows commented on July 1, 2024

@manne I found the logic issue with assuming any parens has a right-left compound with conjunction AND/OR.... and in this case there is no conjunction or "right side"... needs some thought to not break recursive logic...

from sbom-utility.

mrutkows commented on July 1, 2024

After looking at the ABNF grammar: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/

It appears, the last case of of "simple-expression":

simple-expression "WITH" license-exception-id /
  compound-expression "AND" compound-expression /
  compound-expression "OR" compound-expression /
  "(" compound-expression ")" )

that is:

"(" compound-expression ")"

was not accounted for in the recursive parsing as my logic always assumed a balanced left-right tree joined by a conjunction. Still thinking of the most elegant way to handle in the recursion...

from sbom-utility.

mrutkows commented on July 1, 2024

@manne Would you care to look at my PR (do not know if you have time to clone or pull it, compile and run it) before merge?

I merged the PR as it is a needed fix. Looking forwarded to when you have time to test it yourself and provide feedback. Thanks again for identifying this so well.

from sbom-utility.

Composite SPDX license expression not recognized about sbom-utility HOT 9 CLOSED

Comments (9)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent