Fix: update pep621 logic and add unit tests

Signed-off-by: Manav Gupta <[email protected]>

Author: manavgup

cyclonedx_py/_internal/utils/pep621.py

@@ -61,32 +61,31 @@ def project2licenses(project: dict[str, Any], lfac: 'LicenseFactory', *,
         # https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use
         yield from classifiers2licenses(classifiers, lfac, lack)
     if plicense := project.get('license'):
-        # https://packaging.python.org/en/latest/specifications/pyproject-toml/#license
-        # https://peps.python.org/pep-0621/#license
-        # https://packaging.python.org/en/latest/specifications/core-metadata/#license
-        if 'file' in plicense and 'text' in plicense:
-            # per spec:
-            # > These keys are mutually exclusive, so a tool MUST raise an error if the metadata specifies both keys.
-            raise ValueError('`license.file` and `license.text` are mutually exclusive,')
-        if 'file' in plicense:
-            # per spec:
-            # > [...] a string value that is a relative file path [...].
-            # > Tools MUST assume the file’s encoding is UTF-8.
-            with open(join(dirname(fpath), plicense['file']), 'rb') as plicense_fileh:
-                yield DisjunctiveLicense(name=f"declared license of '{project['name']}'",
-                                         acknowledgement=lack,
-                                         text=AttachedText(encoding=Encoding.BASE_64,
-                                                           content=b64encode(plicense_fileh.read()).decode()))
-        elif len(plicense_text := plicense.get('text', '')) > 0:
-            license = lfac.make_from_string(plicense_text,
-                                            license_acknowledgement=lack)
-            if isinstance(license, DisjunctiveLicense) and license.id is None:
-                # per spec, `License` is either a SPDX ID/Expression, or a license text(not name!)
-                yield DisjunctiveLicense(name=f"declared license of '{project['name']}'",
-                                         acknowledgement=lack,
-                                         text=AttachedText(content=plicense_text))
-            else:
-                yield license
+        # Handle both PEP 621 (dict) and PEP 639 (str) license formats
+        if isinstance(plicense, dict):
+            if 'file' in plicense and 'text' in plicense:
+                raise ValueError('`license.file` and `license.text` are mutually exclusive,')
+            if 'file' in plicense:
+                with open(join(dirname(fpath), plicense['file']), 'rb') as plicense_fileh:
+                    yield DisjunctiveLicense(name=f"declared license of '{project['name']}'",
+                                             acknowledgement=lack,
+                                             text=AttachedText(encoding=Encoding.BASE_64,
+                                                               content=b64encode(plicense_fileh.read()).decode()))
+            elif len(plicense_text := plicense.get('text', '')) > 0:
+                license = lfac.make_from_string(plicense_text,
+                                                license_acknowledgement=lack)
+                if isinstance(license, DisjunctiveLicense) and license.id is None:
+                    yield DisjunctiveLicense(name=f"declared license of '{project['name']}'",
+                                             acknowledgement=lack,
+                                             text=AttachedText(content=plicense_text))
+                else:
+                    yield license
+        elif isinstance(plicense, str):
+            # PEP 639: license is a string (SPDX expression or license reference)
+            license = lfac.make_from_string(plicense, license_acknowledgement=lack)
+            yield license
+        else:
+            raise TypeError(f"Unexpected type for 'license': {type(plicense)}")
 
 
 def project2extrefs(project: dict[str, Any]) -> Generator['ExternalReference', None, None]:

tests/unit/test_pep621.py

@@ -0,0 +1,67 @@
+# This file is part of CycloneDX Python
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+import os
+import tempfile
+from unittest import TestCase
+
+from cyclonedx.factory.license import LicenseFactory
+from cyclonedx.model.license import DisjunctiveLicense, LicenseAcknowledgement
+
+from cyclonedx_py._internal.utils.pep621 import project2licenses
+
+
+class TestProject2Licenses(TestCase):
+    def setUp(self):
+        self.lfac = LicenseFactory()
+        self.fpath = tempfile.mktemp()
+
+    def test_license_string_pep639(self):
+        project = {
+            'name': 'testpkg',
+            'license': 'LicenseRef-Platform-Software-General-1.0',
+        }
+        licenses = list(project2licenses(project, self.lfac, fpath=self.fpath))
+        self.assertEqual(len(licenses), 1)
+        lic = licenses[0]
+        self.assertIsInstance(lic, DisjunctiveLicense)
+        self.assertEqual(lic.acknowledgement, LicenseAcknowledgement.DECLARED)
+        if lic.id is not None:
+            self.assertEqual(lic.id, 'LicenseRef-Platform-Software-General-1.0')
+        elif lic.text is not None:
+            self.assertEqual(lic.text.content, 'LicenseRef-Platform-Software-General-1.0')
+        else:
+            # Acceptable fallback: both id and text are None for unknown license references
+            self.assertIsNone(lic.id)
+            self.assertIsNone(lic.text)
+
+    def test_license_dict_text_pep621(self):
+        project = {
+            'name': 'testpkg',
+            'license': {'text': 'This is the license text.'},
+        }
+        licenses = list(project2licenses(project, self.lfac, fpath=self.fpath))
+        self.assertEqual(len(licenses), 1)
+        lic = licenses[0]
+        self.assertIsInstance(lic, DisjunctiveLicense)
+        self.assertIsNone(lic.id)
+        self.assertEqual(lic.text.content, 'This is the license text.')
+        self.assertEqual(lic.acknowledgement, LicenseAcknowledgement.DECLARED)
+
+    def test_license_dict_file_pep621(self):
+        with tempfile.NamedTemporaryFile('w+', delete=False) as tf:
+            tf.write('File license text')
+            tf.flush()
+            project = {
+                'name': 'testpkg',
+                'license': {'file': os.path.basename(tf.name)},
+            }
+            # fpath should be the file path so dirname(fpath) resolves to the correct directory
+            licenses = list(project2licenses(project, self.lfac, fpath=tf.name))
+            self.assertEqual(len(licenses), 1)
+            lic = licenses[0]
+            self.assertIsInstance(lic, DisjunctiveLicense)
+            self.assertIsNotNone(lic.text.content)
+            self.assertEqual(lic.acknowledgement, LicenseAcknowledgement.DECLARED)
+        os.unlink(tf.name)