
Issue converting SPDX document license to CycloneDX one

Open alcroito opened this issue 7 months ago • 0 comments

Hi,

I'm trying to use https://github.com/anthonyharrison/sbomconvert to convert some SPDX v2.3 documents to CycloneDX v1.6. I find it does better mapping for fields like cpe and purl compared to https://github.com/CycloneDX/cyclonedx-cli

But I stumbled upon an issue with converting licenses, and traced it back to lib4sbom.

Here is a sample spdx v2.3 document:

$ cat license_test/foo.spdx 
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: TestDoc
DocumentNamespace: https://test.doc/


PackageName: MyPackage
SPDXID: SPDXRef-Package-MyPackage
PackageLicenseConcluded: LicenseRef-My-License OR LGPL-3.0-only

PackageName: MyPackage2
SPDXID: SPDXRef-Package-MyPackage2
PackageLicenseConcluded: LicenseRef-My-License

LicenseID: LicenseRef-My-License
ExtractedText: <text>My License</text>

If I then run

.venv/bin/python -m sbomconvert.cli -i ./license_test/foo.spdx --sbom cyclonedx --o ./license_test/foo.cdx.json

to convert the document.

When I then use the cyclonedx-cli tool from https://github.com/CycloneDX/cyclonedx-cli to validate the conversion, I see:

cyclonedx-osx-arm64 validate --input-file ./license_test/foo.cdx.json

Validation failed:
Expected 1 matching subschema but found 0
http://cyclonedx.org/schema/bom-1.6.schema.json#/definitions/licenseChoice
On instance: /components/1/licenses:
[
        {
          "license": {
            "id": "LicenseRef-My-License",
            "acknowledgement": "concluded"
          }
        }
      ]
Required properties ["expression"] are not present
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1/items/0
On instance: /components/1/licenses/0:
{
          "license": {
            "id": "LicenseRef-My-License",
            "acknowledgement": "concluded"
          }
        }
All values fail against the false schema
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1/items/0/additionalProperties
On instance: /components/1/licenses/0/license:
{
            "id": "LicenseRef-My-License",
            "acknowledgement": "concluded"
          }
Required properties ["name"] are not present
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1
On instance: /components/1/licenses/0/license:
{
            "id": "LicenseRef-My-License",
            "acknowledgement": "concluded"
          }
Value should match one of the values specified by the enum
http://cyclonedx.org/schema/spdx.schema.json
On instance: /components/1/licenses/0/license/id:
LicenseRef-My-License
Unable to validate against any JSON schemas.
BOM is not valid

If I remove MyPackage2 but keep MyPackage, the converted document is valid.

It seems that custom SPDX licenses that are not part of an SPDX license expression are not handled properly in the conversion.

alcroito avatar May 22 '25 16:05 alcroito
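The validator output above pins down the rule that the conversion breaks: in CycloneDX 1.6 a `license` object's `id` must be a value from the SPDX license list enum, so a `LicenseRef-` identifier has to go into `name` instead (with the extracted text, if any), while a compound value such as `LicenseRef-My-License OR LGPL-3.0-only` belongs in an `expression` entry, which is why `MyPackage` validates and `MyPackage2` does not. The following Python is an added example written for this issue; it is not code from lib4sbom or sbomconvert. It maps an SPDX `PackageLicenseConcluded` value to a CycloneDX `licenses` array the way the schema expects, and re-implements the slice of the `licenseChoice` rules that the validator complained about so the two sample packages can be checked offline. `KNOWN_SPDX_IDS` is a constructed stand-in for the full SPDX license list, and the function and variable names are this example's own.

```python
"""Map SPDX PackageLicenseConcluded values to CycloneDX 1.6 license entries."""
import re
from typing import Optional

# Constructed stand-in for the SPDX license list; a real converter would load the
# full list (hundreds of ids). Anything not in here is treated as a custom license.
KNOWN_SPDX_IDS = {"MIT", "Apache-2.0", "LGPL-3.0-only", "GPL-2.0-only", "CC0-1.0"}

# SPDX 2.3 license expressions combine ids with the upper-case operators AND / OR / WITH,
# optionally grouped with parentheses. Any of these means "emit an expression entry".
_OPERATOR_RE = re.compile(r"\b(AND|OR|WITH)\b")


def is_expression(value: str) -> bool:
    """True when the value is a compound expression rather than a single license id."""
    return bool(_OPERATOR_RE.search(value)) or "(" in value


def to_cyclonedx_licenses(concluded: str, extracted_texts: Optional[dict] = None) -> list:
    """Build the CycloneDX 1.6 `licenses` array for one SPDX concluded-license value.

    extracted_texts maps LicenseRef ids to their ExtractedText, as read from the
    SPDX document's "Other Licensing Information" section.
    """
    value = concluded.strip()
    if not value or value in ("NOASSERTION", "NONE"):
        return []
    if is_expression(value):
        # licenseChoice alternative 2: exactly one {expression} entry.
        return [{"expression": value, "acknowledgement": "concluded"}]
    lic = {}
    if value in KNOWN_SPDX_IDS:
        lic["id"] = value                     # enum-constrained: SPDX list ids only
    else:
        lic["name"] = value                   # custom LicenseRef-* ids go here, not in `id`
        text = (extracted_texts or {}).get(value)
        if text is not None:
            lic["text"] = {"contentType": "text/plain", "content": text}
    lic["acknowledgement"] = "concluded"
    return [{"license": lic}]


def license_choice_problems(licenses: list) -> list:
    """Check the subset of the licenseChoice schema rules seen in the validator output.

    Returns a list of human-readable problems; an empty list means the array passes.
    """
    problems = []
    if any("expression" in entry for entry in licenses):
        extra = set(licenses[0]) - {"expression", "acknowledgement", "bom-ref"}
        if len(licenses) != 1 or extra:
            problems.append("an expression entry must be the only entry and carry no other keys")
        return problems
    for i, entry in enumerate(licenses):
        lic = entry.get("license")
        if lic is None:
            problems.append(f"{i}: entry has neither 'license' nor 'expression'")
            continue
        has_id, has_name = "id" in lic, "name" in lic
        if has_id == has_name:
            problems.append(f"{i}: 'license' needs exactly one of 'id' or 'name'")
        if has_id and lic["id"] not in KNOWN_SPDX_IDS:
            problems.append(f"{i}: id {lic['id']!r} is not an SPDX list id; use 'name' instead")
    return problems


if __name__ == "__main__":
    # Constructed input mirroring the two packages in the issue's sample SPDX document.
    texts = {"LicenseRef-My-License": "My License"}
    for concluded in ("LicenseRef-My-License OR LGPL-3.0-only", "LicenseRef-My-License"):
        entries = to_cyclonedx_licenses(concluded, texts)
        print(concluded, "->", entries, "problems:", license_choice_problems(entries))
    # The shape the issue reports as failing validation: a LicenseRef placed in `id`.
    bad = [{"license": {"id": "LicenseRef-My-License", "acknowledgement": "concluded"}}]
    print("issue's output ->", license_choice_problems(bad))
```

Running the script reproduces the split reported in the issue: the compound value becomes a single `expression` entry and passes, the bare `LicenseRef-My-License` passes once it is emitted under `name`, and the `id`-based shape from the failing `foo.cdx.json` is flagged with the same enum objection that cyclonedx-cli raised.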