diff --git a/convert.go b/convert.go
index 8d78ddc..7bd9957 100644
--- a/convert.go
+++ b/convert.go
@@ -178,16 +178,18 @@ func convertEvidence(c *Component, specVersion SpecVersion) {
return
}
- for i := range *c.Evidence.Occurrences {
- occ := &(*c.Evidence.Occurrences)[i]
+ if specVersion < SpecVersion1_6 {
+ for i := range *c.Evidence.Occurrences {
+ occ := &(*c.Evidence.Occurrences)[i]
- if specVersion < SpecVersion1_6 {
occ.Line = nil
occ.Offset = nil
occ.Symbol = ""
occ.AdditionalContext = ""
}
}
+
+ convertLicenses(c.Evidence.Licenses, specVersion)
}
func convertCompositions(comps *[]Composition, specVersion SpecVersion) {
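Review bot: The loop `for i := range *c.Evidence.Occurrences` dereferences `Occurrences` with no nil check visible in this hunk, so a component whose evidence carries only licenses would panic during down-conversion. BOMs are frequently parsed from external input, so the guard is worth making explicit: `if specVersion < SpecVersion1_6 && c.Evidence.Occurrences != nil {`. The new `convertLicenses(c.Evidence.Licenses, specVersion)` call also sits after an early `return` whose condition is outside the hunk; if that return fires for older spec versions, evidence licenses would keep their `Acknowledgement` value on that path, which is worth confirming. convertEvidence starts above the hunk.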
@@ -286,6 +288,15 @@ func convertLicenses(licenses *Licenses, specVersion SpecVersion) {
}
}
}
+
+ if specVersion < SpecVersion1_6 {
+ for i := range *licenses {
+ choice := &(*licenses)[i]
+ if choice.License != nil {
+ choice.License.Acknowledgement = ""
+ }
+ }
+ }
}
func convertVulnerabilities(vulns *[]Vulnerability, specVersion SpecVersion) {
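Review bot: `for i := range *licenses` in the added block assumes `licenses` is non-nil, and the new caller in convertEvidence passes `c.Evidence.Licenses`, which is presumably nil whenever evidence has no license data. convertLicenses begins outside this hunk, so a guard may already exist at the top; if it does not, add `if licenses == nil { return }` before the first loop. A short comment above the block, such as `// acknowledgement is cleared for spec versions below 1.6`, would record why the field is dropped.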
diff --git a/convert_test.go b/convert_test.go
index 4b5bb16..9699ecb 100644
--- a/convert_test.go
+++ b/convert_test.go
@@ -69,3 +69,27 @@ func Test_componentConverter_convertEvidence(t *testing.T) {
assert.Zero(t, occ.AdditionalContext)
})
}
+
+func Test_convertLicenses(t *testing.T) {
+ t.Run("spec 1.5 and lower", func(t *testing.T) {
+ bom := NewBOM()
+ bom.Metadata = &Metadata{
+ Licenses: &Licenses{
+ {License: &License{Name: "Apache License 2.0", Acknowledgement: LicenseAcknowledgementDeclared}},
+ },
+ }
+ bom.Components = &[]Component{
+ {
+ Name: "foo",
+ Licenses: &Licenses{
+ {License: &License{Name: "Apache License 2.0", Acknowledgement: LicenseAcknowledgementConcluded}},
+ },
+ },
+ }
+
+ bom.convert(SpecVersion1_5)
+
+ assert.Zero(t, (*bom.Metadata.Licenses)[0].License.Acknowledgement)
+ assert.Zero(t, (*(*bom.Components)[0].Licenses)[0].License.Acknowledgement)
+ })
+}
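Review bot: Test_convertLicenses never exercises the path this commit adds in convertEvidence: it sets licenses on `bom.Metadata` and on the component, but not on the component's `Evidence`, so a regression in the evidence call would go unnoticed. Adding evidence licenses to the fixture and asserting on them closes that gap; the empty `Occurrences` slice below is there because convertEvidence appears to dereference that pointer for versions below 1.6. A second subtest converting to `SpecVersion1_6` and asserting the value is preserved would pin the other side of the version gate.

```go
// … unchanged: bom.Metadata and bom.Components setup …
(*bom.Components)[0].Evidence = &Evidence{
	Occurrences: &[]EvidenceOccurrence{},
	Licenses: &Licenses{
		{License: &License{Name: "Apache License 2.0", Acknowledgement: LicenseAcknowledgementConcluded}},
	},
}

bom.convert(SpecVersion1_5)

// … unchanged: metadata and component assertions …
assert.Zero(t, (*(*bom.Components)[0].Evidence.Licenses)[0].License.Acknowledgement)
```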
diff --git a/cyclonedx.go b/cyclonedx.go
index aaa0fd1..3e75737 100644
--- a/cyclonedx.go
+++ b/cyclonedx.go
@@ -91,7 +91,7 @@ type BOM struct {
Vulnerabilities *[]Vulnerability `json:"vulnerabilities,omitempty" xml:"vulnerabilities>vulnerability,omitempty"`
Annotations *[]Annotation `json:"annotations,omitempty" xml:"annotations>annotation,omitempty"`
Formulation *[]Formula `json:"formulation,omitempty" xml:"formulation>formula,omitempty"`
- Definitions *Definitions `json:"definitions" xml:"definitions,omitempty"`
+ Definitions *Definitions `json:"definitions,omitempty" xml:"definitions,omitempty"`
}
func NewBOM() *BOM {
@@ -539,15 +539,23 @@ type JSFPublicKey struct {
}
type License struct {
- BOMRef string `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
- ID string `json:"id,omitempty" xml:"id,omitempty"`
- Name string `json:"name,omitempty" xml:"name,omitempty"`
- Text *AttachedText `json:"text,omitempty" xml:"text,omitempty"`
- URL string `json:"url,omitempty" xml:"url,omitempty"`
- Licensing *Licensing `json:"licensing,omitempty" xml:"licensing,omitempty"`
- Properties *[]Property `json:"properties,omitempty" xml:"properties>property,omitempty"`
+ BOMRef string `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
+ ID string `json:"id,omitempty" xml:"id,omitempty"`
+ Name string `json:"name,omitempty" xml:"name,omitempty"`
+ Acknowledgement LicenseAcknowledgement `json:"acknowledgement,omitempty" xml:"acknowledgement,attr,omitempty"`
+ Text *AttachedText `json:"text,omitempty" xml:"text,omitempty"`
+ URL string `json:"url,omitempty" xml:"url,omitempty"`
+ Licensing *Licensing `json:"licensing,omitempty" xml:"licensing,omitempty"`
+ Properties *[]Property `json:"properties,omitempty" xml:"properties>property,omitempty"`
}
+type LicenseAcknowledgement string
+
+const (
+ LicenseAcknowledgementDeclared LicenseAcknowledgement = "declared"
+ LicenseAcknowledgementConcluded LicenseAcknowledgement = "concluded"
+)
+
type Licenses []LicenseChoice
type LicenseChoice struct {
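Review bot: The exported type `LicenseAcknowledgement` and its two constants are added without doc comments, and nothing in this hunk says the field is gated on the spec version. A comment on the type such as `// LicenseAcknowledgement records whether a license was declared or concluded; it is cleared when converting to spec versions below 1.6.` would tell callers what to expect after down-conversion. Because the type is a plain `string`, any value decodes into the field unchecked, so consumers that base compliance decisions on it should compare against the two constants rather than test for non-empty.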
diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-licensing.json b/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-licensing.json
index 57007b0..c3d0a36 100644
--- a/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-licensing.json
+++ b/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-licensing.json
@@ -15,6 +15,7 @@
"license": {
"bom-ref": "acme-license-1",
"name": "Acme Commercial License",
+ "acknowledgement": "concluded",
"licensing": {
"altIds": [
"acme",
diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-name.json b/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-name.json
index 7ac9759..6d39f0c 100644
--- a/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-name.json
+++ b/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-license-name.json
@@ -13,7 +13,8 @@
"licenses": [
{
"license": {
- "name": "Apache License 2.0"
+ "name": "Apache License 2.0",
+ "acknowledgement": "concluded"
}
}
]
diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-licensing.xml b/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-licensing.xml
index 28552e1..ddcf7a1 100644
--- a/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-licensing.xml
+++ b/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-licensing.xml
@@ -7,7 +7,7 @@
cryptographic-provider
2.2.0
-
+
Acme Commercial License
diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-name.xml b/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-name.xml
index 8b7cece..e6a1166 100644
--- a/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-name.xml
+++ b/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-license-name.xml
@@ -15,7 +15,7 @@
e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282
-
+
Apache License 2.0
diff --git a/testdata/valid-license-licensing.json b/testdata/valid-license-licensing.json
index df2e9c7..2ebafe2 100644
--- a/testdata/valid-license-licensing.json
+++ b/testdata/valid-license-licensing.json
@@ -15,6 +15,7 @@
"license": {
"bom-ref": "acme-license-1",
"name": "Acme Commercial License",
+ "acknowledgement": "concluded",
"licensing": {
"altIds": [
"acme", "acme-license"
diff --git a/testdata/valid-license-licensing.xml b/testdata/valid-license-licensing.xml
index 35447cf..1766500 100644
--- a/testdata/valid-license-licensing.xml
+++ b/testdata/valid-license-licensing.xml
@@ -7,7 +7,7 @@
cryptographic-provider
2.2.0
-
+
Acme Commercial License
diff --git a/testdata/valid-license-name.json b/testdata/valid-license-name.json
index 467222b..8f2c843 100644
--- a/testdata/valid-license-name.json
+++ b/testdata/valid-license-name.json
@@ -13,7 +13,8 @@
"licenses": [
{
"license": {
- "name": "Apache License 2.0"
+ "name": "Apache License 2.0",
+ "acknowledgement": "concluded"
}
}
]
diff --git a/testdata/valid-license-name.xml b/testdata/valid-license-name.xml
index f37b41e..b241db1 100644
--- a/testdata/valid-license-name.xml
+++ b/testdata/valid-license-name.xml
@@ -15,7 +15,7 @@
e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282
-
+
Apache License 2.0