Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: correctly handle object licenses in SBOM generation #6969

Merged
merged 2 commits into from
Nov 6, 2023
Merged

fix: correctly handle object licenses in SBOM generation #6969

merged 2 commits into from
Nov 6, 2023

Conversation

jamietanna
Copy link
Contributor

As a means to resolve #6966, we can tweak the way we handle licenses,
where receiving a license object, instead of license string, results in
a malformed SPDX JSON SBOM.

While working on this, it was noted that CycloneDX also needed to be
amended, as it was omitting any license objects.

Closes #6966.

Also, document current license SPDX behaviour.

References

Closes #6966.

@jamietanna
Document current license SPDX behaviour
002be85 
As a step towards resolving npm#6966, we should document how SPDX SBOM
generation works with a single string license or license expression.
@jamietanna jamietanna requested a review from a team as a code owner November 6, 2023 09:35
@jamietanna jamietanna mentioned this pull request Nov 6, 2023
Closed
2 tasks
@jamietanna
Copy link
Contributor Author

Should be able to re-run now 🤞

@jamietanna jamietanna changed the title Fix: Correctly handle object licenses in SBOM generation fix: Correctly handle object licenses in SBOM generation Nov 6, 2023
@jamietanna jamietanna changed the title fix: Correctly handle object licenses in SBOM generation fix: correctly handle object licenses in SBOM generation Nov 6, 2023
@jamietanna
Correctly handle license objects in SBOM generation
0d1d79f 
As a means to resolve npm#6966, we can tweak the way we handle licenses,
where receiving a license object, instead of license string, results in
a malformed SPDX JSON SBOM.

While working on this, it was noted that CycloneDX also needed to be
amended, as it was omitting any license objects.

Closes npm#6966.
@jamietanna
Copy link
Contributor Author

Sorry, that'll teach me not running the build locally 😞

bdehamer
bdehamer approved these changes Nov 6, 2023
View reviewed changes
Copy link
Contributor

@bdehamer bdehamer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for the fix.

@jamietanna
Copy link
Contributor Author

Very welcome, thanks for the support as it stands 👏🏽

@wraithgar wraithgar merged commit 0f70088 into npm:latest Nov 6, 2023
20 checks passed
@wraithgar
Copy link
Member

@jamietanna if you want this backported to npm@9 you can cherry-pick the commit into a new PR made against the v9 branch

@github-actions github-actions bot mentioned this pull request Nov 6, 2023
Merged
@jamietanna jamietanna deleted the defect/spdx-bom-license branch November 6, 2023 17:56
@bdehamer bdehamer mentioned this pull request Nov 13, 2023
Merged
@npm-cli-bot npm-cli-bot mentioned this pull request Nov 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wraithgar wraithgar wraithgar left review comments

@bdehamer bdehamer bdehamer approved these changes

Assignees

@bdehamer bdehamer

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@jamietanna @wraithgar @bdehamer