feat(1.6): add License.Acknowledgement

Closes #166. Signed-off-by: Maximilian Combüchen <max.combuchen@snyk.io>
CycloneDX · May 16, 2024 · 2dc599a · 2dc599a
1 parent 6bae75a
commit 2dc599a
Show file tree

Hide file tree

Showing 11 changed files with 64 additions and 17 deletions.
diff --git a/convert.go b/convert.go
@@ -178,16 +178,18 @@ func convertEvidence(c *Component, specVersion SpecVersion) {
 		return
 	}
 
-	for i := range *c.Evidence.Occurrences {
-		occ := &(*c.Evidence.Occurrences)[i]
+	if specVersion < SpecVersion1_6 {
+		for i := range *c.Evidence.Occurrences {
+			occ := &(*c.Evidence.Occurrences)[i]
 
-		if specVersion < SpecVersion1_6 {
 			occ.Line = nil
 			occ.Offset = nil
 			occ.Symbol = ""
 			occ.AdditionalContext = ""
 		}
 	}
+
+	convertLicenses(c.Evidence.Licenses, specVersion)
 }
 
 func convertCompositions(comps *[]Composition, specVersion SpecVersion) {
@@ -286,6 +288,15 @@ func convertLicenses(licenses *Licenses, specVersion SpecVersion) {
 			}
 		}
 	}
+
+	if specVersion < SpecVersion1_6 {
+		for i := range *licenses {
+			choice := &(*licenses)[i]
+			if choice.License != nil {
+				choice.License.Acknowledgement = ""
+			}
+		}
+	}
 }
 
 func convertVulnerabilities(vulns *[]Vulnerability, specVersion SpecVersion) {

diff --git a/convert_test.go b/convert_test.go
@@ -69,3 +69,27 @@ func Test_componentConverter_convertEvidence(t *testing.T) {
 		assert.Zero(t, occ.AdditionalContext)
 	})
 }
+
+func Test_convertLicenses(t *testing.T) {
+	t.Run("spec 1.5 and lower", func(t *testing.T) {
+		bom := NewBOM()
+		bom.Metadata = &Metadata{
+			Licenses: &Licenses{
+				{License: &License{Name: "Apache License 2.0", Acknowledgement: LicenseAcknowledgementDeclared}},
+			},
+		}
+		bom.Components = &[]Component{
+			{
+				Name: "foo",
+				Licenses: &Licenses{
+					{License: &License{Name: "Apache License 2.0", Acknowledgement: LicenseAcknowledgementConcluded}},
+				},
+			},
+		}
+
+		bom.convert(SpecVersion1_5)
+
+		assert.Zero(t, (*bom.Metadata.Licenses)[0].License.Acknowledgement)
+		assert.Zero(t, (*(*bom.Components)[0].Licenses)[0].License.Acknowledgement)
+	})
+}
diff --git a/cyclonedx.go b/cyclonedx.go
@@ -91,7 +91,7 @@ type BOM struct {
 	Vulnerabilities    *[]Vulnerability     `json:"vulnerabilities,omitempty" xml:"vulnerabilities>vulnerability,omitempty"`
 	Annotations        *[]Annotation        `json:"annotations,omitempty" xml:"annotations>annotation,omitempty"`
 	Formulation        *[]Formula           `json:"formulation,omitempty" xml:"formulation>formula,omitempty"`
-	Definitions        *Definitions         `json:"definitions" xml:"definitions,omitempty"`
+	Definitions        *Definitions         `json:"definitions,omitempty" xml:"definitions,omitempty"`
 }
 
 func NewBOM() *BOM {
@@ -539,15 +539,23 @@ type JSFPublicKey struct {
 }
 
 type License struct {
-	BOMRef     string        `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
-	ID         string        `json:"id,omitempty" xml:"id,omitempty"`
-	Name       string        `json:"name,omitempty" xml:"name,omitempty"`
-	Text       *AttachedText `json:"text,omitempty" xml:"text,omitempty"`
-	URL        string        `json:"url,omitempty" xml:"url,omitempty"`
-	Licensing  *Licensing    `json:"licensing,omitempty" xml:"licensing,omitempty"`
-	Properties *[]Property   `json:"properties,omitempty" xml:"properties>property,omitempty"`
+	BOMRef          string                 `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
+	ID              string                 `json:"id,omitempty" xml:"id,omitempty"`
+	Name            string                 `json:"name,omitempty" xml:"name,omitempty"`
+	Acknowledgement LicenseAcknowledgement `json:"acknowledgement,omitempty" xml:"acknowledgement,attr,omitempty"`
+	Text            *AttachedText          `json:"text,omitempty" xml:"text,omitempty"`
+	URL             string                 `json:"url,omitempty" xml:"url,omitempty"`
+	Licensing       *Licensing             `json:"licensing,omitempty" xml:"licensing,omitempty"`
+	Properties      *[]Property            `json:"properties,omitempty" xml:"properties>property,omitempty"`
 }
 
+type LicenseAcknowledgement string
+
+const (
+	LicenseAcknowledgementDeclared  LicenseAcknowledgement = "declared"
+	LicenseAcknowledgementConcluded LicenseAcknowledgement = "concluded"
+)
+
 type Licenses []LicenseChoice
 
 type LicenseChoice struct {

diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-licensing.json b/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-licensing.json
@@ -15,6 +15,7 @@
           "license": {
             "bom-ref": "acme-license-1",
             "name": "Acme Commercial License",
+            "acknowledgement": "concluded",
             "licensing": {
               "altIds": [
                 "acme",

diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-name.json b/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-name.json
@@ -13,7 +13,8 @@
       "licenses": [
         {
           "license": {
-            "name": "Apache License 2.0"
+            "name": "Apache License 2.0",
+            "acknowledgement": "concluded"
           }
         }
       ]

diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-licensing.xml b/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-licensing.xml
@@ -7,7 +7,7 @@
       <name>cryptographic-provider</name>
       <version>2.2.0</version>
       <licenses>
-        <license bom-ref="acme-license-1">
+        <license bom-ref="acme-license-1" acknowledgement="concluded">
           <name>Acme Commercial License</name>
           <licensing>
             <altIds>

diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-name.xml b/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-name.xml
@@ -15,7 +15,7 @@
         <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
       </hashes>
       <licenses>
-        <license>
+        <license acknowledgement="concluded">
           <name>Apache License 2.0</name>
         </license>
       </licenses>

diff --git a/testdata/valid-license-licensing.json b/testdata/valid-license-licensing.json
@@ -15,6 +15,7 @@
           "license": {
             "bom-ref": "acme-license-1",
             "name": "Acme Commercial License",
+            "acknowledgement": "concluded",
             "licensing": {
               "altIds": [
                 "acme", "acme-license"

diff --git a/testdata/valid-license-licensing.xml b/testdata/valid-license-licensing.xml
@@ -7,7 +7,7 @@
             <name>cryptographic-provider</name>
             <version>2.2.0</version>
             <licenses>
-                <license bom-ref="acme-license-1">
+                <license bom-ref="acme-license-1" acknowledgement="concluded">
                     <name>Acme Commercial License</name>
                     <licensing>
                         <altIds>

diff --git a/testdata/valid-license-name.json b/testdata/valid-license-name.json
@@ -13,7 +13,8 @@
       "licenses": [
         {
           "license": {
-            "name": "Apache License 2.0"
+            "name": "Apache License 2.0",
+            "acknowledgement": "concluded"
           }
         }
       ]

diff --git a/testdata/valid-license-name.xml b/testdata/valid-license-name.xml
@@ -15,7 +15,7 @@
                 <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
             </hashes>
             <licenses>
-                <license>
+                <license acknowledgement="concluded">
                     <name>Apache License 2.0</name>
                 </license>
             </licenses>