
npm group and name should have / and not : when stitching the spdx name together

Open flemminglau opened this issue 2 years ago • 2 comments

We are seeing that an NPM package like "@angular/router" in the cyclonedx file is represented as

"group": "@angular"
"name": "router"

When the converter constructs the SPDX "name" value it does

```java
if (Objects.nonNull(group) && !group.isBlank()) {
    name = group + ":" + name;
}
```

yielding an SPDX name of "name": "@angular:router"

For Java this works fine, as the delimiter between group and name in Java is ":". But for NPM it is a "/", which is implicit in the CycloneDX.

Would it make sense to check the purl to find the package manager or what would be a good strategy?

flemminglau avatar Sep 22 '23 12:09 flemminglau

> Would it make sense to check the purl to find the package manager or what would be a good strategy?

Makes sense. We should follow the conventions of the package manager.

@flemminglau - would you like to create a PR?

goneall avatar Sep 22 '23 12:09 goneall

I have the code needed but I cannot figure out how to get the test working. So I guess my change would be unwelcome. Line 487 of CycloneSpdxConverter.java:

```java
String group = component.getGroup();
if (Objects.nonNull(group) && !group.isBlank()) {
    String purl = component.getPurl();
    if (Objects.nonNull(purl) && purl.startsWith("pkg:npm")) {
        name = group + "/" + name;
    } else {
        name = group + ":" + name;
    }
}
```

My point is that the test validates that the ":" is always a ":". But actually for npm it must be a "/" so the test fails.

So the test must be taught to distinguish between java and npm.

flemminglau avatar Sep 22 '23 15:09 flemminglau
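The strategy discussed in this thread, choosing the group/name delimiter from the package manager identified by the purl, as a stand-alone added example. This is not code from the cdx2spdx project: the class name, the `spdxName` and `purlType` methods and the delimiter table are hypothetical, and the inputs are constructed to mirror the "@angular/router" case from the issue plus a Maven artifact. It parses the purl type as the segment between "pkg:" and the first "/" rather than using `startsWith("pkg:npm")`, so a type that merely begins with "npm" would not be misclassified, and it keeps the converter's existing ":" behaviour whenever the purl is absent or the type is unknown.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Objects;

/** Added example: build an SPDX package name from a CycloneDX group/name pair,
 *  picking the delimiter from the purl type (class and method names are hypothetical). */
public class SpdxNameExample {

    // Delimiter each ecosystem places between namespace and name.
    // Constructed for this example; the converter discussed above only has ":" today.
    private static final Map<String, String> DELIMITER_BY_PURL_TYPE = Map.of(
            "maven", ":",
            "npm", "/",
            "golang", "/"
    );
    private static final String DEFAULT_DELIMITER = ":";

    /** Extract the purl type, i.e. the segment between "pkg:" and the first "/".
     *  Returns null when the string is not a well-formed purl. */
    static String purlType(String purl) {
        if (purl == null || !purl.startsWith("pkg:")) {
            return null;
        }
        int end = purl.indexOf('/', 4);
        if (end < 0) {
            return null;
        }
        return purl.substring(4, end).toLowerCase(Locale.ROOT);
    }

    /** Join group and name the way the package manager named in the purl does. */
    static String spdxName(String group, String name, String purl) {
        Objects.requireNonNull(name, "name");
        if (group == null || group.isBlank()) {
            return name;
        }
        String type = purlType(purl);
        String delimiter = type == null
                ? DEFAULT_DELIMITER
                : DELIMITER_BY_PURL_TYPE.getOrDefault(type, DEFAULT_DELIMITER);
        return group + delimiter + name;
    }

    public static void main(String[] args) {
        // Constructed inputs: the scoped npm package from the issue and a Maven artifact.
        // In a purl the npm scope "@" is percent-encoded as %40.
        check("@angular/router",
              spdxName("@angular", "router", "pkg:npm/%40angular/router@16.2.0"));
        check("org.apache.commons:commons-lang3",
              spdxName("org.apache.commons", "commons-lang3",
                       "pkg:maven/org.apache.commons/commons-lang3@3.12.0"));
        // No purl: fall back to the existing ":" behaviour.
        check("com.example:lib", spdxName("com.example", "lib", null));
        // No group: the name is used unchanged.
        check("lodash", spdxName(null, "lodash", "pkg:npm/lodash@4.17.21"));
        System.out.println("all checks passed");
    }

    private static void check(String expected, String actual) {
        if (!expected.equals(actual)) {
            throw new AssertionError("expected " + expected + " but got " + actual);
        }
    }
}
```

The Maven and no-purl checks in `main` pin the current ":" behaviour, which is the property the existing test enforces; the npm check is the case that test would need to learn about. Keeping the two expectations side by side is the straightforward way to teach the test to distinguish Java from npm, as the last comment asks for.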