
Plugin does not gracefully handle present, but empty license data

Open rmartine-ias opened this issue 1 year ago • 1 comment

So I know this is a bit of an edge case. We generate BOMs with this plugin (version 2.7.9), merge them with cyclonedx-cli, and a third-party service validates them. For some dependencies, we're using an older version that does not specify the license correctly. Validation fails. Here is one of the offending dependencies, at the offending version: https://github.com/aliyun/aliyun-openapi-java-sdk/blob/5f06fdae064c6f87fc9494894a8ef849557f99c8/aliyun-java-sdk-ram/pom.xml#L41

Their pom.xml looks like this:

  <licenses>
    <license>
      <name/>
      <url/>
      <distribution/>
    </license>
  </licenses>

Which this plugin generates to:

      "licenses" : [
        {
          "license" : {
            "name" : ""
          }
        }
      ],

Which, while technically valid per the spec, is not what I would expect, and causes problems with other tools.

A low-impact fix could be something like "if no fields on the license are specified, or all specified fields are empty, then treat the license as if it does not exist." Then this plugin would output this for the dependency: "licenses" : [] and everything would work out.

rmartine-ias avatar Jun 29 '23 23:06 rmartine-ias
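A stand-alone illustration of the rule proposed above, added here as an example; it is not the plugin's code and does not reproduce DefaultModelConverter. It parses the `<licenses>` block of a pom.xml, drops any `<license>` whose fields are all absent or empty (whitespace-only counts as empty), and builds the CycloneDX `licenses` array with only the populated fields, so an all-empty license yields `"licenses": []`. The sample pom.xml is constructed for the example; the set of fields checked, the whitespace rule, and the fallback of using the URL as the name when a license has a URL but no name (the CycloneDX license object requires a name or an SPDX id) are assumptions made here, not the plugin's behaviour.

```python
"""Drop present-but-empty Maven license entries before emitting CycloneDX
license data. Example code written for this issue, not the plugin's own."""
import json
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: the empty <license/> block quoted in the issue
# plus one normal license, so both the drop and the keep paths are exercised.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses>
    <license>
      <name/>
      <url/>
      <distribution/>
    </license>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
</project>
"""

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# Fields of a Maven <license> element considered here (assumption for the example).
LICENSE_FIELDS = ("name", "url", "distribution", "comments")


def parse_pom_licenses(pom_xml):
    """Return one dict per <license> element, keyed by LICENSE_FIELDS.
    A missing child maps to None; a present-but-empty child maps to ''."""
    root = ET.fromstring(pom_xml)
    entries = []
    for lic in root.iterfind(f"./{POM_NS}licenses/{POM_NS}license"):
        entry = {}
        for field in LICENSE_FIELDS:
            node = lic.find(POM_NS + field)
            entry[field] = None if node is None else (node.text or "")
        entries.append(entry)
    return entries


def is_blank_license(entry):
    """The proposed rule: a license counts as absent when no field is
    specified or every specified field is empty (whitespace-only too)."""
    return all(v is None or not v.strip() for v in entry.values())


def to_cyclonedx_licenses(entries):
    """Build the CycloneDX 'licenses' array, skipping blank entries and
    emitting only populated fields, so no '"name": ""' is ever produced."""
    result = []
    for entry in entries:
        if is_blank_license(entry):
            continue
        name = (entry["name"] or "").strip()
        url = (entry["url"] or "").strip()
        lic = {}
        # CycloneDX requires a name or SPDX id on a license object; with only a
        # URL available, fall back to the URL as the name (assumption for this example).
        lic["name"] = name or url
        if url:
            lic["url"] = url
        result.append({"license": lic})
    return result


def pom_to_cyclonedx_licenses(pom_xml):
    """Convenience wrapper: pom.xml text in, CycloneDX 'licenses' array out."""
    return to_cyclonedx_licenses(parse_pom_licenses(pom_xml))


if __name__ == "__main__":
    print(json.dumps({"licenses": pom_to_cyclonedx_licenses(SAMPLE_POM)}, indent=2))
```

Run it to see the empty license silently dropped while the Apache entry survives with its name and url; feed it a pom.xml whose only license is the empty block and the output is `"licenses": []`, which is what the issue asks for.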

Detecting such empty data to better represent it at the CycloneDX level looks reasonable.

The target would probably be https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/master/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L212

Anyone willing to help and code this, please?

hboutemy avatar Sep 12 '23 06:09 hboutemy