From d435b750ffd189be31d7e9ac7d32d13db3cde2d2 Mon Sep 17 00:00:00 2001
From: Nathan Barrett-Morrison
Date: Fri, 29 Mar 2024 09:42:17 -0400
Subject: [PATCH] SBOM/SPDX Generation: Add in LicenseRef info for licenses which are not recognized by SPDX (OASIS-IPR)

The sbom.spdx for corePKCS11 fails the SPDX validation check because OASIS-IPR is not a valid SPDX License
This commit changes the following output to convert it to a LicenseRef and fix the validation check.

$ diff -u sbom-original.spdx sbom-fixup.spdx
--- sbom-original.spdx 2024-03-29 09:46:53.203092500 -0400
+++ sbom-fixup.spdx 2024-03-29 09:48:03.900301885 -0400
@@ -340,8 +340,8 @@
 SPDXID: SPDXRef-Package-pkcs11
 PackageVersion: v2.40_errata01
 PackageDownloadLocation: https://github.com/amazon-freertos/pkcs11.git
-PackageLicenseDeclared: OASIS-IPR
-PackageLicenseConcluded: OASIS-IPR
+PackageLicenseDeclared: LicenseRef-OASIS-IPR
+PackageLicenseConcluded: LicenseRef-OASIS-IPR
 PackageLicenseInfoFromFiles: NOASSERTION
 FilesAnalyzed: True
 PackageVerificationCode: 0c50b69c6789adbc08378264ec75fa6e6a616364
@@ -1848,3 +1848,7 @@
 Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-pkcs11
 Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-mbedtls
+
+LicenseID: LicenseRef-OASIS-IPR
+LicenseName: OASIS-IPR
+ExtractedText: OASIS-IPR
---
 sbom-generator/scan_dir.py | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/sbom-generator/scan_dir.py b/sbom-generator/scan_dir.py
index e3936a71..0a93d2b4 100644
--- a/sbom-generator/scan_dir.py
+++ b/sbom-generator/scan_dir.py
@@ -10,6 +10,13 @@
 REPO_PATH = ''
 SOURCE_PATH = ''
 
+def needs_licenseref(license):
+    #SPDX license list can be found at https://spdx.org/licenses/
+    not_in_spdx = ["OASIS-IPR"]
+    if license in not_in_spdx:
+        return True
+    return False
+
 def scan_dir():
     dependency_path = os.path.join(REPO_PATH, 'source/dependency')
     path_3rdparty = os.path.join(REPO_PATH, 'source/dependency/3rdparty')
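Review bot: The parameter `license` in needs_licenseref shadows the `license` builtin, and the if/return-True/return-False shape collapses to a plain membership test: `def needs_licenseref(license_id):` with `return license_id in not_in_spdx`. The hard-coded `not_in_spdx` list only covers the one identifier that triggered this change, so any other non-SPDX identifier appearing in a manifest still passes through unchanged and would presumably fail the same validation check; hoisting the list to a module-level `NOT_IN_SPDX` constant would at least make it obvious where to extend it. A one-line docstring such as `"""Return True when *license_id* is not on the SPDX license list and must be emitted as a LicenseRef."""` would document that contract, since the inline comment only gives the URL.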
@@ -20,6 +27,7 @@ def scan_dir():
     total_file_list = []
     dependency_info = {}
     dependency_file_list = {}
+    licenseref_info = ""
     with open(manifest_path) as f:
         manifest = yaml.load(f, Loader=SafeLoader)
         root_license = manifest['license']
@@ -111,7 +119,17 @@ def scan_dir():
         if library_name == root_name:
             continue
         info = dependency_info[library_name]
-        package_writer(output, library_name, info['version'], info['repository']['url'], info['license'], package_hash(dependency_file_list[library_name]))
+
+        #Is this license part of the SPDX license list? If not, then we need to use LicenseRef for proper SPDX validation
+        if needs_licenseref(info['license']):
+            license = "LicenseRef-" + info['license']
+            licenseref_info += "\nLicenseID: LicenseRef-%s\n" % info['license']
+            licenseref_info += "LicenseName: %s\n" % info['license']
+            licenseref_info += "ExtractedText: %s\n" % info['license']
+        else:
+            license = info['license']
+
+        package_writer(output, library_name, info['version'], info['repository']['url'], license, package_hash(dependency_file_list[library_name]))
         output.write(output_buffer[library_name].getvalue())
 
     #print relationships
@@ -120,6 +138,10 @@ def scan_dir():
             continue
         output.write('Relationship: SPDXRef-Package-' + manifest['name'] + ' DEPENDS_ON SPDXRef-Package-' + library_name + '\n')
 
+    #print any LicenseRef info
+    if licenseref_info != "":
+        output.write(licenseref_info)
+
 if __name__ == "__main__":
     parser = ArgumentParser(description='SBOM generator')
     parser.add_argument('--repo-root-path',
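Review bot: The LicenseRef block is appended to `licenseref_info` once per package, so if two dependencies in the manifest declare the same non-SPDX license the output contains two `LicenseID: LicenseRef-...` entries with the same id, which an SPDX validator will presumably reject just as it rejected the bare identifier; the loop needs to remember which LicenseRef ids it has already emitted. Two smaller points in the same hunk: the local `license` shadows the builtin, and `ExtractedText` is filled with the license identifier rather than any license text, which is worth a comment (e.g. `# no license text is available from the manifest; the identifier is used as a placeholder`) so a reader does not take it for the real extracted text. Note also that the concatenation `"LicenseRef-" + info['license']` is only valid when the manifest value uses the letters, digits, `.` and `-` that an SPDX LicenseRef idstring permits; OASIS-IPR does, but nothing here checks it. The rewrite below assumes an `emitted_licenserefs = set()` initialised next to `licenseref_info = ""` in the earlier hunk; scan_dir itself starts and ends outside these hunks.
```python
        if needs_licenseref(info['license']):
            license_id = "LicenseRef-" + info['license']
            # Emit each LicenseRef block once, even when several packages share the license.
            if license_id not in emitted_licenserefs:
                emitted_licenserefs.add(license_id)
                licenseref_info += "\nLicenseID: %s\n" % license_id
                licenseref_info += "LicenseName: %s\n" % info['license']
                # No license text is available from the manifest; the identifier is used as a placeholder.
                licenseref_info += "ExtractedText: %s\n" % info['license']
        else:
            license_id = info['license']

        package_writer(output, library_name, info['version'], info['repository']['url'], license_id, package_hash(dependency_file_list[library_name]))
        # … unchanged: output.write of the package buffer …
```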
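Review bot: The guard `if licenseref_info != "":` in the last hunk is the non-idiomatic form of a truthiness check on a string; `if licenseref_info:` reads the same and is what the rest of the file's style would suggest. The `output` handle is opened outside the hunk, so I cannot confirm from here that this final write still falls inside its scope; if `output` is a `with`-managed file, the added lines must stay inside that block. A short comment on why the section is written last, e.g. `# Other-licensing-info section goes after the relationships so every LicenseRef is known`, would help the next reader.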