diff --git a/conf/licenses/licenses.yml b/conf/licenses/licenses.yml index c61a51c2..6d419f53 100644 --- a/conf/licenses/licenses.yml +++ b/conf/licenses/licenses.yml @@ -205,6 +205,12 @@ initramfs-tools-core: licenses: [ GPL-2 ] +libisl23: + licenses: [ + BSD-2-clause, + LGPL-2.1-or-later, + MIT, + ] klibc-utils: licenses: [ GPL-2 @@ -929,6 +935,11 @@ lrzsz: licenses: [ GPL-2 ] +ruby-narray: + licenses: [ + GPL-2.0-or-later, + Ruby OR GPL-2.0-only, + ] shared-mime-info: licenses: [ GPL-2.0-or-later diff --git a/scripts/lib/python/sbom/licensing.py b/scripts/lib/python/sbom/licensing.py index e54b3e45..2167bd10 100644 --- a/scripts/lib/python/sbom/licensing.py +++ b/scripts/lib/python/sbom/licensing.py @@ -52,6 +52,15 @@ def split_licesense_and_normalize(lic, license_mapping): elif " and-or " in lic: tmp = normalize_licenses(split_licenses(lic, " and-or "), license_mapping) lics.append("-and-or-".join(tmp)) + elif " OR " in lic: + tmp = normalize_licenses(split_licenses(lic, " OR "), license_mapping) + l = f"({' OR '.join(tmp)})" + lics.append(l) + elif " or " in lic: + tmp = normalize_licenses(split_licenses(lic, " or "), license_mapping) + l = f"({' OR '.join(tmp)})" + lics.append(l) + else: lics += normalize_licenses([lic], license_mapping) @@ -68,12 +77,6 @@ def split_licenses_simple(licenses): elif " and " in lic: ret += lic.split(" and ") splited = True - elif " or " in lic: - ret += lic.split(" or ") - splited = True - elif " OR " in lic: - ret += lic.split(" OR ") - splited = True else: ret.append(lic) @@ -82,7 +85,7 @@ def split_licenses_simple(licenses): return ret -def normalize_for_spdx(licenses, license_mapping): +def normalize_for_sbom(licenses, license_mapping): tmp = [] normalized = [] @@ -91,13 +94,9 @@ def normalize_for_spdx(licenses, license_mapping): tmp += split_licesense_and_normalize(lic, license_mapping) for lic in tmp: - if " " in lic: + if not lic.startswith("(") and " " in lic: normalized.append(lic.replace(" ", "-")) else: normalized.append(lic) return list(set(normalized)) - -def normalize_for_cyclonedx(licenses): - return split_licenses_simple(licenses) - diff --git a/scripts/lib/python/sbom/sbom_cyclonedx.py b/scripts/lib/python/sbom/sbom_cyclonedx.py index d466a3ad..1e2ead36 100644 --- a/scripts/lib/python/sbom/sbom_cyclonedx.py +++ b/scripts/lib/python/sbom/sbom_cyclonedx.py @@ -43,12 +43,15 @@ def debian_section_to_component_type(section): return ComponentType.APPLICATION def make_license_info(factory, licenses, license_mapping): - ret = [] + ret = None - uniq_licenses = licensing.normalize_for_cyclonedx(licenses) + uniq_licenses = licensing.normalize_for_sbom(licenses, license_mapping) for lic in uniq_licenses: tmp = factory["lc_factory"].make_with_name(lic) - ret.append(tmp) + if ret is None: + ret = tmp.name + else: + ret = f"{ret} AND {tmp.name}" return ret @@ -78,12 +81,13 @@ def create_component(factory, distro, pkg, license_mapping): purl_info = create_package_url(distro, pkg) pkgname_hash = sbom_common.package_name_hash(pkg['package'], pkg['source']) + licenses_string = make_license_info(factory, pkg["licenses"], license_mapping) return Component( type = debian_section_to_component_type(pkg["section"]), name = pkg["package"], group = pkg["source"], version = pkg["version"], - licenses = make_license_info(factory, pkg["licenses"], license_mapping), + licenses = [LicenseExpression(value=licenses_string)], supplier = create_organization_entity(pkg), bom_ref = BomRef(f"{pkg['package']}@{pkg['version']}-{pkgname_hash}"), purl = purl_info, diff --git a/scripts/lib/python/sbom/sbom_spdx.py b/scripts/lib/python/sbom/sbom_spdx.py index e25c6a6e..ab482845 100644 --- a/scripts/lib/python/sbom/sbom_spdx.py +++ b/scripts/lib/python/sbom/sbom_spdx.py @@ -83,7 +83,7 @@ def create_license_string(pkg, license_mapping): licenses = [] s = "" - licenses_tmp = licensing.normalize_for_spdx(create_uniq_list(pkg["licenses"]), license_mapping) + licenses_tmp = licensing.normalize_for_sbom(create_uniq_list(pkg["licenses"]), license_mapping) try: for lic in licenses_tmp: