fix: SPDX-expression-validation internal crashes are cought and handled (#471)

jkowalleck · web-flow · commit 5fa66a043818 · 2023-10-16T20:09:01.000+02:00
Signed-off-by: Jan Kowalleck &lt;jan.kowalleck@gmail.com&gt;
diff --git a/cyclonedx/spdx.py b/cyclonedx/spdx.py
@@ -66,6 +66,9 @@ def is_compound_expression(value: str) -> bool:
     .. _SPDX license expression spec: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
     .. _license-expression library: https://github.com/nexB/license-expression
     """
-    return 0 == len(
-        __SPDX_EXPRESSION_LICENSING.validate(value).errors
-    )
+    try:
+        res = __SPDX_EXPRESSION_LICENSING.validate(value)
+    except Exception:
+        # the throw happens when internals crash due to unexpected input characters.
+        return False
+    return 0 == len(res.errors)
diff --git a/tests/test_spdx.py b/tests/test_spdx.py
@@ -92,6 +92,7 @@ def test_positive(self, valid_expression: str) -> None:
         'MIT AND Apache-2.0 OR something-unknown'
         'something invalid',
         '(c) John Doe',
+        'Apache License, Version 2.0'
     )
     def test_negative(self, invalid_expression: str) -> None:
         actual = spdx.is_compound_expression(invalid_expression)

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@ def test_positive(self, valid_expression: str) -> None:`
`92`	`92`	`'MIT AND Apache-2.0 OR something-unknown'`
`93`	`93`	`'something invalid',`
`94`	`94`	`'(c) John Doe',`
	`95`	`+ 'Apache License, Version 2.0'`
`95`	`96`	`)`
`96`	`97`	`def test_negative(self, invalid_expression: str) -> None:`
`97`	`98`	`actual = spdx.is_compound_expression(invalid_expression)`