Merge pull request #36 from CycloneDX/feat/add-license-support

Add support for parsing package licenses from installed packages

Author: madpah

cyclonedx/output/json.py

@@ -65,6 +65,15 @@ def _get_component_as_dict(self, component: Component) -> dict:
                 })
             c['hashes'] = hashes
 
+        if component.get_license():
+            c['licenses'] = [
+                {
+                    "license": {
+                        "name": component.get_license()
+                    }
+                }
+            ]
+
         if self.component_supports_author() and component.get_author():
             c['author'] = component.get_author()
 

cyclonedx/output/xml.py

@@ -102,6 +102,12 @@ def _get_component_as_xml_element(self, component: Component) -> ElementTree.Ele
         # purl
         ElementTree.SubElement(component_element, 'purl').text = component.get_purl()
 
+        # licenses
+        if component.get_license():
+            licenses_e = ElementTree.SubElement(component_element, 'licenses')
+            license_e = ElementTree.SubElement(licenses_e, 'license')
+            ElementTree.SubElement(license_e, 'name').text = component.get_license()
+
         # externalReferences
         if self.component_supports_external_references() and len(component.get_external_references()) > 0:
             external_references_e = ElementTree.SubElement(component_element, 'externalReferences')

cyclonedx/parser/environment.py

@@ -60,9 +60,13 @@ def __init__(self):
             if 'Author' in i_metadata.keys():
                 c.set_author(author=i_metadata.get('Author'))
 
-            if 'License' in i_metadata.keys():
+            if 'License' in i_metadata.keys() and i_metadata.get('License') != 'UNKNOWN':
                 c.set_license(license_str=i_metadata.get('License'))
 
+            for classifier in i_metadata.get_all('Classifier'):
+                if str(classifier).startswith('License :: OSI Approved :: '):
+                    c.set_license(license_str=str(classifier).replace('License :: OSI Approved :: ', '').strip())
+
             self._components.append(c)
 
     @staticmethod

tests/fixtures/bom_v1.3_toml_with_component_license.json

@@ -0,0 +1,31 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2021-09-01T10:50:42.051979+00:00",
+    "tools": [
+      {
+        "vendor": "CycloneDX",
+        "name": "cyclonedx-python-lib",
+        "version": "VERSION"
+      }
+    ]
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "toml",
+      "version": "0.10.2",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "licenses": [
+        {
+          "license": {
+            "name": "MIT License"
+          }
+        }
+      ]
+    }
+  ]
+}

tests/fixtures/bom_v1.3_toml_with_component_license.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+    <metadata>
+        <timestamp>2021-09-01T10:50:42.051979+00:00</timestamp>
+        <tools>
+            <tool>
+                <vendor>CycloneDX</vendor>
+                <name>cyclonedx-python-lib</name>
+                <version>VERSION</version>
+            </tool>
+        </tools>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <name>toml</name>
+            <version>0.10.2</version>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+            <licenses>
+                <license>
+                    <name>MIT License</name>
+                </license>
+            </licenses>
+        </component>
+    </components>
+</bom>

tests/test_output_json.py

@@ -84,3 +84,15 @@ def test_bom_v1_3_with_component_external_references(self):
                        'fixtures/bom_v1.3_toml_with_component_external_references.json')) as expected_json:
             self.assertEqualJsonBom(a=outputter.output_as_string(), b=expected_json.read())
             expected_json.close()
+
+    def test_bom_v1_3_with_component_license(self):
+        bom = Bom()
+        c = Component(name='toml', version='0.10.2', qualifiers='extension=tar.gz')
+        c.set_license('MIT License')
+        bom.add_component(c)
+        outputter: Json = get_instance(bom=bom, output_format=OutputFormat.JSON)
+        self.assertIsInstance(outputter, JsonV1Dot3)
+        with open(join(dirname(__file__),
+                       'fixtures/bom_v1.3_toml_with_component_license.json')) as expected_json:
+            self.assertEqualJsonBom(a=outputter.output_as_string(), b=expected_json.read())
+            expected_json.close()

tests/test_output_xml.py

@@ -165,3 +165,16 @@ def test_bom_v1_3_with_component_external_references(self):
             self.assertEqualXmlBom(a=outputter.output_as_string(), b=expected_xml.read(),
                                    namespace=outputter.get_target_namespace())
             expected_xml.close()
+
+    def test_with_component_license(self):
+        bom = Bom()
+        c = Component(name='toml', version='0.10.2', qualifiers='extension=tar.gz')
+        c.set_license('MIT License')
+        bom.add_component(c)
+        outputter: Xml = get_instance(bom=bom)
+        self.assertIsInstance(outputter, XmlV1Dot3)
+        with open(join(dirname(__file__),
+                       'fixtures/bom_v1.3_toml_with_component_license.xml')) as expected_xml:
+            self.assertEqualXmlBom(a=outputter.output_as_string(), b=expected_xml.read(),
+                                   namespace=outputter.get_target_namespace())
+            expected_xml.close()

tests/test_parser_environment.py

@@ -20,9 +20,10 @@
 from unittest import TestCase
 
 from cyclonedx.parser.environment import EnvironmentParser
+from cyclonedx.model.component import Component
 
 
-class TestRequirementsParser(TestCase):
+class TestEnvironmentParser(TestCase):
 
     def test_simple(self):
         """
@@ -33,3 +34,8 @@ def test_simple(self):
         """
         parser = EnvironmentParser()
         self.assertGreater(parser.component_count(), 1)
+
+        # We can only be sure that tox is in the environment, for example as we use tox to run tests
+        c_tox: Component = [x for x in parser.get_components() if x.get_name() == 'tox'][0]
+        self.assertIsNotNone(c_tox.get_license())
+        self.assertEqual('MIT License', c_tox.get_license())