
When converting cyclonedx xml to json and a dependency has multiple licenses, only the first license is taken into account

Open mawl opened this issue 2 years ago • 1 comments

When converting a cyclonedx.xml to json and a dependency/component has multiple licenses, only the first license is taken into account.

cyclonedx-cli convert \
        --input-format xml \
        --input-file ${ORT_OUTPUT_DIR}/bom.cyclonedx.xml \
        --output-format json \
        --output-file ${ORT_OUTPUT_DIR}/bom.cyclonedx.converted.json

Example: bom.cyclonedx.xml

    <component type="library">
      <name>pizzip</name>
      <version>3.1.4</version>
      <description>Create, read and edit .zip files synchronously with Javascript</description>
      <scope>required</scope>
      <hashes>
        <hash alg="SHA-1">0c2578506ce5b487fa00bc2dd62eebeb291ee677</hash>
      </hashes>
      <licenses>
        <license>
          <id>GPL-3.0-only</id>
          <text content-type="plain/text" encoding="base64">...
        </license>
        <license>
          <id>MIT</id>
          <text content-type="plain/text" encoding="base64">...
        </license>
      </licenses>
      <copyright>Copyright (C) Edgar Hipp</copyright>
      <purl>pkg:npm/pizzip@3.1.4?classifier=sources</purl>
      <modified>false</modified>
      <externalReferences><reference type="website"><url>https://github.com/open-xml-templating/pizzip#readme</url></reference></externalReferences><ort:dependencyType xmlns:ort="http://www.w3.org/1999/xhtml">direct</ort:dependencyType>
    </component>

bom.cyclonedx.json

    {
      "type": "library",
      "name": "pizzip",
      "version": "3.1.4",
      "description": "Create, read and edit .zip files synchronously with Javascript",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "0c2578506ce5b487fa00bc2dd62eebeb291ee677"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "GPL-3.0-only",
            "text": {
              "contentType": "plain/text",
              "encoding": "base64",
              "content": "..."
            }
          }
        }
      ],
      "copyright": "Copyright (C) Edgar Hipp",
      "purl": "pkg:npm/pizzip@3.1.4?classifier=sources",
      "modified": false,
      "externalReferences": [
        {
          "url": "https://github.com/open-xml-templating/pizzip#readme",
          "type": "website",
          "hashes": []
        }
      ]
    },

mawl, Jun 20 '23 11:06
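A check for the kind of loss described in this report, added here as an example and not code from cyclonedx-cli or the reporter's files: it parses a CycloneDX XML BOM and its JSON conversion, collects the license ids, names and expressions declared for each component (keyed by purl, falling back to name@version), and returns every component whose license set differs between the two documents. The two SBOM fragments are constructed to mirror the pizzip case above (two licenses in XML, one surviving in JSON); a second constructed component carrying a license expression shows that the comparison also covers that form. The `{*}` namespace wildcard in the XML lookups assumes Python 3.8 or newer.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the component in the report above
# (not the reporter's actual files). pizzip carries two licenses here.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>pizzip</name>
      <version>3.1.4</version>
      <licenses>
        <license><id>GPL-3.0-only</id></license>
        <license><id>MIT</id></license>
      </licenses>
      <purl>pkg:npm/pizzip@3.1.4?classifier=sources</purl>
    </component>
    <component type="library">
      <name>example-lib</name>
      <version>1.0.0</version>
      <licenses>
        <expression>Apache-2.0 OR MIT</expression>
      </licenses>
      <purl>pkg:npm/example-lib@1.0.0</purl>
    </component>
  </components>
</bom>
"""

# Constructed JSON output reproducing the reported behaviour: only the
# first license of pizzip survived the conversion.
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {
            "type": "library",
            "name": "pizzip",
            "version": "3.1.4",
            "licenses": [{"license": {"id": "GPL-3.0-only"}}],
            "purl": "pkg:npm/pizzip@3.1.4?classifier=sources",
        },
        {
            "type": "library",
            "name": "example-lib",
            "version": "1.0.0",
            "licenses": [{"expression": "Apache-2.0 OR MIT"}],
            "purl": "pkg:npm/example-lib@1.0.0",
        },
    ],
})


def _component_key(name, version, purl):
    # Use the purl as the component identity when present, else name@version.
    return purl if purl else f"{name}@{version}"


def licenses_from_xml(xml_text):
    """Map each component to the sorted list of license ids, names and
    expressions declared in a CycloneDX XML BOM, whatever its namespace."""
    root = ET.fromstring(xml_text)
    result = {}
    # .//{*}component also reaches components nested inside other components.
    for comp in root.findall(".//{*}component"):
        found = []
        container = comp.find("{*}licenses")
        if container is not None:
            for lic in container.findall("{*}license"):
                found.append(lic.findtext("{*}id") or lic.findtext("{*}name") or "")
            for expr in container.findall("{*}expression"):
                found.append((expr.text or "").strip())
        key = _component_key(comp.findtext("{*}name"),
                             comp.findtext("{*}version"),
                             comp.findtext("{*}purl"))
        result[key] = sorted(found)
    return result


def licenses_from_json(json_text):
    """Same mapping for a CycloneDX JSON BOM, including nested components."""
    bom = json.loads(json_text)
    result = {}
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        stack.extend(comp.get("components", []))
        found = []
        for entry in comp.get("licenses", []):
            if "license" in entry:
                lic = entry["license"]
                found.append(lic.get("id") or lic.get("name") or "")
            elif "expression" in entry:
                found.append(entry["expression"])
        key = _component_key(comp.get("name"), comp.get("version"), comp.get("purl"))
        result[key] = sorted(found)
    return result


def find_license_mismatches(xml_text, json_text):
    """Return {component_key: (xml_licenses, json_licenses)} for each component
    whose license list differs between the source XML and the converted JSON."""
    src = licenses_from_xml(xml_text)
    dst = licenses_from_json(json_text)
    return {key: (src.get(key), dst.get(key))
            for key in sorted(set(src) | set(dst))
            if src.get(key) != dst.get(key)}


if __name__ == "__main__":
    for key, (src_lics, dst_lics) in find_license_mismatches(SAMPLE_XML, SAMPLE_JSON).items():
        print(f"{key}: xml={src_lics} json={dst_lics}")
```

Run against real files, this is the gate to put after a format conversion in a pipeline: a non-empty result means the converted SBOM no longer states the same license obligations as its source, which matters for any downstream license or policy evaluation that consumes only the JSON.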

@mawl I think this is related to https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/187.

andreas-hilti, Aug 01 '23 07:08

With release 0.26.0, this should be fixed.

andreas-hilti, Aug 17 '24 08:08