SBOM/SPDX Generation: Add in LicenseRef info for licenses which are n…

…ot recognized by SPDX (OASIS-IPR) The sbom.spdx for corePKCS11 fails the SPDX validation check because OASIS-IPR is not a valid SPDX License This commit changes the following output to convert it to a LicenseRef and fix the validation check. $ diff -u sbom-original.spdx sbom-fixup.spdx --- sbom-original.spdx 2024-03-29 09:46:53.203092500 -0400 +++ sbom-fixup.spdx 2024-03-29 09:48:03.900301885 -0400 @@ -340,8 +340,8 @@ SPDXID: SPDXRef-Package-pkcs11 PackageVersion: v2.40_errata01 PackageDownloadLocation: https://github.com/amazon-freertos/pkcs11.git -PackageLicenseDeclared: OASIS-IPR -PackageLicenseConcluded: OASIS-IPR +PackageLicenseDeclared: LicenseRef-OASIS-IPR +PackageLicenseConcluded: LicenseRef-OASIS-IPR PackageLicenseInfoFromFiles: NOASSERTION FilesAnalyzed: True PackageVerificationCode: 0c50b69c6789adbc08378264ec75fa6e6a616364 @@ -1848,3 +1848,7 @@ Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-pkcs11 Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-mbedtls + +LicenseID: LicenseRef-OASIS-IPR +LicenseName: OASIS-IPR +ExtractedText: <text>OASIS-IPR</text>
Skptak · Apr 2, 2024 · d435b75 · d435b75
1 parent e2129bf
commit d435b75
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/sbom-generator/scan_dir.py b/sbom-generator/scan_dir.py
@@ -10,6 +10,13 @@
 REPO_PATH = ''
 SOURCE_PATH = ''
 
+def needs_licenseref(license):
+    #SPDX license list can be found at https://spdx.org/licenses/
+    not_in_spdx = ["OASIS-IPR"]
+    if license in not_in_spdx:
+        return True
+    return False
+
 def scan_dir():
     dependency_path = os.path.join(REPO_PATH, 'source/dependency')
     path_3rdparty = os.path.join(REPO_PATH, 'source/dependency/3rdparty')
@@ -20,6 +27,7 @@ def scan_dir():
     total_file_list = []
     dependency_info = {}
     dependency_file_list = {}
+    licenseref_info = ""
     with open(manifest_path) as f:
         manifest = yaml.load(f, Loader=SafeLoader)
     root_license = manifest['license']
@@ -111,7 +119,17 @@ def scan_dir():
         if library_name == root_name:
             continue
         info = dependency_info[library_name]
-        package_writer(output, library_name, info['version'], info['repository']['url'], info['license'], package_hash(dependency_file_list[library_name]))
+
+        #Is this license part of the SPDX license list?  If not, then we need to use LicenseRef for proper SPDX validation
+        if needs_licenseref(info['license']):
+            license = "LicenseRef-" + info['license']
+            licenseref_info += "\nLicenseID: LicenseRef-%s\n" % info['license']
+            licenseref_info += "LicenseName: %s\n" % info['license']
+            licenseref_info += "ExtractedText: <text>%s</text>\n" % info['license']
+        else:
+            license = info['license']
+
+        package_writer(output, library_name, info['version'], info['repository']['url'], license, package_hash(dependency_file_list[library_name]))
         output.write(output_buffer[library_name].getvalue())
 
     #print relationships
@@ -120,6 +138,10 @@ def scan_dir():
             continue
         output.write('Relationship: SPDXRef-Package-' + manifest['name'] + ' DEPENDS_ON SPDXRef-Package-' + library_name + '\n')
 
+    #print any LicenseRef info
+    if licenseref_info != "":
+        output.write(licenseref_info)
+
 if __name__ == "__main__":
     parser = ArgumentParser(description='SBOM generator')
     parser.add_argument('--repo-root-path',