fix: normalize expression over license (#623)

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -4,10 +4,15 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
+* Fixed
+  * `Serialize.{JSON,XML}.Normalize.LicenseNormalizer.normalizeIterable()` now omits invalid license combinations ([#602] via [#])  
+    If there is any `Models.LicenseExpression`, then this is the only license normalized; otherwise all licenses are normalized. 
 * Docs
   * Fixed link to CycloneDX-specification in README (via [#617])
 
+[#602]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/602
 [#617]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/617
+[#]: 
 
 ## 1.13.2 - 2023-03-29
 

src/serialize/json/normalize.ts

@@ -378,13 +378,26 @@ export class LicenseNormalizer extends BaseJsonNormalizer<Models.License> {
     }
   }
 
-  /** @since 1.5.1 */
+  /**
+   * If there is any {@link Models.LicenseExpression | LicenseExpression} in the set, then this is the only item that is normalized.
+   *
+   * @since 1.5.1
+   */
   normalizeIterable (data: SortableIterable<Models.License>, options: NormalizerOptions): Normalized.License[] {
-    return (
-      options.sortLists ?? false
-        ? data.sorted()
-        : Array.from(data)
-    ).map(c => this.normalize(c, options))
+    const licenses = options.sortLists ?? false
+      ? data.sorted()
+      : Array.from(data)
+
+    if (licenses.length > 1) {
+      const expressions = licenses.filter(l => l instanceof Models.LicenseExpression) as Models.LicenseExpression[]
+      if (expressions.length > 0) {
+        // could have thrown {@link RangeError} when there is more than one only {@link Models.LicenseExpression | LicenseExpression}.
+        // but let's be graceful and just normalize to the most relevant choice: any expression
+        return [this.#normalizeLicenseExpression(expressions[0])]
+      }
+    }
+
+    return licenses.map(l => this.normalize(l, options))
   }
 
   /** @deprecated use {@link normalizeIterable} instead of {@link normalizeRepository} */

src/serialize/xml/normalize.ts

@@ -482,13 +482,26 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
     return makeTextElement(data.expression, 'expression')
   }
 
-  /** @since 1.5.1 */
+  /**
+   * If there is any {@link Models.LicenseExpression | LicenseExpression} in the set, then this is the only item that is normalized.
+   *
+   * @since 1.5.1
+   */
   normalizeIterable (data: SortableIterable<Models.License>, options: NormalizerOptions): SimpleXml.Element[] {
-    return (
-      options.sortLists ?? false
-        ? data.sorted()
-        : Array.from(data)
-    ).map(c => this.normalize(c, options))
+    const licenses = options.sortLists ?? false
+      ? data.sorted()
+      : Array.from(data)
+
+    if (licenses.length > 1) {
+      const expressions = licenses.filter(l => l instanceof Models.LicenseExpression) as Models.LicenseExpression[]
+      if (expressions.length > 0) {
+        // could have thrown {@link RangeError} when there is more than one only {@link Models.LicenseExpression | LicenseExpression}.
+        // but let's be graceful and just normalize to the most relevant choice: any expression
+        return [this.#normalizeLicenseExpression(expressions[0])]
+      }
+    }
+
+    return licenses.map(l => this.normalize(l, options))
   }
 
   /** @deprecated use {@link normalizeIterable} instead of {@link normalizeRepository} */

tests/_data/models.js

@@ -23,14 +23,10 @@ const { Enums, Models } = require('../../')
 
 /* eslint-disable jsdoc/valid-types */
 
-/**
- * @typedef {import('../../src/models/bom').Bom} Bom
- */
-
 /* eslint-enable jsdoc/valid-types */
 
 /**
- * @returns {Bom}
+ * @returns {Models.Bom}
  */
 module.exports.createComplexStructure = function () {
   const bom = new Models.Bom({
@@ -127,7 +123,6 @@ module.exports.createComplexStructure = function () {
       license.url = new URL('https://spdx.org/licenses/MIT.html')
       return license
     })(new Models.SpdxLicense('MIT')))
-    component.licenses.add(new Models.LicenseExpression('(MIT or Apache-2.0)'))
     component.publisher = 'the publisher'
     component.purl = new PackageURL('npm', 'acme', 'dummy-component', '1337-beta', undefined, undefined)
     component.scope = Enums.ComponentScope.Required
@@ -201,5 +196,44 @@ module.exports.createComplexStructure = function () {
       ])
     }))
 
+  bom.components.add(
+    new Models.Component(
+      Enums.ComponentType.Library, 'component-with-licenses', {
+        bomRef: 'component-with-licenses',
+        licenses: new Models.LicenseRepository([
+          new Models.NamedLicense('something'),
+          new Models.SpdxLicense('MIT'),
+          new Models.SpdxLicense('Apache-2.0')
+          // no expression
+        ])
+      }
+    )
+  )
+  bom.components.add(
+    new Models.Component(
+      Enums.ComponentType.Library, 'component-with-licenseExpression', {
+        bomRef: 'component-with-licenseExpression',
+        licenses: new Models.LicenseRepository([
+          new Models.LicenseExpression('(MIT OR Apache-2.0)')
+          // no named nor SPDX
+        ])
+      }
+    )
+  )
+  bom.components.add(
+    /* scenario: prefer any expression over other licenses */
+    new Models.Component(
+      Enums.ComponentType.Library, 'component-with-licenses-and-expression', {
+        bomRef: 'component-with-licenses-and-expression',
+        licenses: new Models.LicenseRepository([
+          new Models.NamedLicense('something'),
+          new Models.SpdxLicense('MIT'),
+          new Models.SpdxLicense('Apache-2.0'),
+          new Models.LicenseExpression('(MIT OR Apache-2.0)')
+        ])
+      }
+    )
+  )
+
   return bom
 }