fix: declared license texts as such, not as license name (#694)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

cyclonedx_py/_internal/environment.py

@@ -130,7 +130,7 @@ def __call__(self, *,  # type:ignore[override]
             rc = None
         else:
             pyproject = pyproject_load(pyproject_file)
-            root_c = pyproject2component(pyproject, type=mc_type)
+            root_c = pyproject2component(pyproject, ctype=mc_type, fpath=pyproject_file)
             root_c.bom_ref.value = 'root-component'
             root_d = tuple(pyproject2dependencies(pyproject))
             rc = (root_c, root_d)

cyclonedx_py/_internal/pipenv.py

@@ -127,7 +127,7 @@ def __call__(self, *,  # type:ignore[override]
             if pyproject_file is None:
                 rc = None
             else:
-                rc = pyproject_file2component(pyproject_file, type=mc_type)
+                rc = pyproject_file2component(pyproject_file, ctype=mc_type)
                 rc.bom_ref.value = 'root-component'
 
             return self._make_bom(rc,

cyclonedx_py/_internal/poetry.py

@@ -230,7 +230,7 @@ def _make_bom(self, project: 'T_NameDict', locker: 'T_NameDict',
 
         po_cfg = project['tool']['poetry']
 
-        bom.metadata.component = root_c = poetry2component(po_cfg, type=mc_type)
+        bom.metadata.component = root_c = poetry2component(po_cfg, ctype=mc_type)
         root_c.bom_ref.value = root_c.name
         root_c.properties.update(
             Property(

cyclonedx_py/_internal/requirements.py

@@ -114,7 +114,7 @@ def __call__(self, *,  # type:ignore[override]
         if pyproject_file is None:
             rc = None
         else:
-            rc = pyproject_file2component(pyproject_file, type=mc_type)
+            rc = pyproject_file2component(pyproject_file, ctype=mc_type)
             rc.bom_ref.value = 'root-component'
 
         if requirements_file == '-':

cyclonedx_py/_internal/utils/packaging.py

@@ -20,7 +20,8 @@
 
 from cyclonedx.exception.model import InvalidUriException
 from cyclonedx.factory.license import LicenseFactory
-from cyclonedx.model import ExternalReference, ExternalReferenceType, XsUri
+from cyclonedx.model import AttachedText, ExternalReference, ExternalReferenceType, XsUri
+from cyclonedx.model.license import DisjunctiveLicense
 
 from .cdx import url_label_to_ert
 from .pep621 import classifiers2licenses
@@ -42,9 +43,15 @@ def metadata2licenses(metadata: 'PackageMetadata') -> Generator['License', None,
         # see https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use
         classifiers: List[str] = metadata.get_all('Classifier')  # type:ignore[assignment]
         yield from classifiers2licenses(classifiers, lfac)
-    if 'License' in metadata:
+    if 'License' in metadata and len(mlicense := metadata['License']) > 0:
         # see https://packaging.python.org/en/latest/specifications/core-metadata/#license
-        yield lfac.make_from_string(metadata['License'])
+        license = lfac.make_from_string(mlicense)
+        if isinstance(license, DisjunctiveLicense) and license.id is None:
+            # per spec, `License` is either a SPDX ID/Expression, or a license text(not name!)
+            yield DisjunctiveLicense(name=f"declared license of '{metadata['Name']}'",
+                                     text=AttachedText(content=mlicense))
+        else:
+            yield license
 
 
 def metadata2extrefs(metadata: 'PackageMetadata') -> Generator['ExternalReference', None, None]:

cyclonedx_py/_internal/utils/pep621.py

@@ -15,21 +15,23 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
-
 """
 Functionality related to PEP 621.
 
 See https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
 See https://peps.python.org/pep-0621/
 """
 
+from base64 import b64encode
 from itertools import chain
+from os.path import dirname, join
 from typing import TYPE_CHECKING, Any, Dict, Generator, Iterable, Iterator
 
 from cyclonedx.exception.model import InvalidUriException
 from cyclonedx.factory.license import LicenseFactory
-from cyclonedx.model import ExternalReference, XsUri
+from cyclonedx.model import AttachedText, Encoding, ExternalReference, XsUri
 from cyclonedx.model.component import Component
+from cyclonedx.model.license import DisjunctiveLicense
 from packaging.requirements import Requirement
 
 from .cdx import licenses_fixup, url_label_to_ert
@@ -50,18 +52,37 @@ def classifiers2licenses(classifiers: Iterable[str], lfac: 'LicenseFactory') ->
                               classifiers)))
 
 
-def project2licenses(project: Dict[str, Any], lfac: 'LicenseFactory') -> Generator['License', None, None]:
-    if 'classifiers' in project:
+def project2licenses(project: Dict[str, Any], lfac: 'LicenseFactory', *,
+                     fpath: str) -> Generator['License', None, None]:
+    if classifiers := project.get('classifiers'):
         # https://packaging.python.org/en/latest/specifications/pyproject-toml/#classifiers
         # https://peps.python.org/pep-0621/#classifiers
         # https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use
-        yield from classifiers2licenses(project['classifiers'], lfac)
-    license = project.get('license')
-    # https://packaging.python.org/en/latest/specifications/pyproject-toml/#license
-    # https://peps.python.org/pep-0621/#license
-    # https://packaging.python.org/en/latest/specifications/core-metadata/#license
-    if isinstance(license, dict) and 'text' in license:
-        yield lfac.make_from_string(license['text'])
+        yield from classifiers2licenses(classifiers, lfac)
+    if plicense := project.get('license'):
+        # https://packaging.python.org/en/latest/specifications/pyproject-toml/#license
+        # https://peps.python.org/pep-0621/#license
+        # https://packaging.python.org/en/latest/specifications/core-metadata/#license
+        if 'file' in plicense and 'text' in plicense:
+            # per spec:
+            # > These keys are mutually exclusive, so a tool MUST raise an error if the metadata specifies both keys.
+            raise ValueError('`license.file` and `license.text` are mutually exclusive,')
+        if 'file' in plicense:
+            # per spec:
+            # > [...] a string value that is a relative file path [...].
+            # > Tools MUST assume the file’s encoding is UTF-8.
+            with open(join(dirname(fpath), plicense['file']), 'rb') as plicense_fileh:
+                yield DisjunctiveLicense(name=f"declared license of '{project['name']}'",
+                                         text=AttachedText(encoding=Encoding.BASE_64,
+                                                           content=b64encode(plicense_fileh.read()).decode()))
+        elif len(plicense_text := plicense.get('text', '')) > 0:
+            license = lfac.make_from_string(plicense_text)
+            if isinstance(license, DisjunctiveLicense) and license.id is None:
+                # per spec, `License` is either a SPDX ID/Expression, or a license text(not name!)
+                yield DisjunctiveLicense(name=f"declared license of '{project['name']}'",
+                                         text=AttachedText(content=plicense_text))
+            else:
+                yield license
 
 
 def project2extrefs(project: Dict[str, Any]) -> Generator['ExternalReference', None, None]:
@@ -77,14 +98,14 @@ def project2extrefs(project: Dict[str, Any]) -> Generator['ExternalReference', N
 
 
 def project2component(project: Dict[str, Any], *,
-                      type: 'ComponentType') -> 'Component':
+                      ctype: 'ComponentType', fpath: str) -> 'Component':
     dynamic = project.get('dynamic', ())
     return Component(
-        type=type,
+        type=ctype,
         name=project['name'],
         version=project.get('version', None) if 'version' not in dynamic else None,
         description=project.get('description', None) if 'description' not in dynamic else None,
-        licenses=licenses_fixup(project2licenses(project, LicenseFactory())),
+        licenses=licenses_fixup(project2licenses(project, LicenseFactory(), fpath=fpath)),
         external_references=project2extrefs(project),
         # TODO add more properties according to spec
     )

cyclonedx_py/_internal/utils/poetry.py

@@ -61,17 +61,18 @@ def poetry2extrefs(poetry: Dict[str, Any]) -> Generator['ExternalReference', Non
             pass
 
 
-def poetry2component(poetry: Dict[str, Any], *, type: 'ComponentType') -> 'Component':
+def poetry2component(poetry: Dict[str, Any], *, ctype: 'ComponentType') -> 'Component':
     licenses: List['License'] = []
     lfac = LicenseFactory()
     if 'classifiers' in poetry:
         licenses.extend(classifiers2licenses(poetry['classifiers'], lfac))
     if 'license' in poetry:
+        # per spec(https://python-poetry.org/docs/pyproject#license):
+        # the `license` is intended to be the name of a license, not the license text itself.
         licenses.append(lfac.make_from_string(poetry['license']))
-    del lfac
 
     return Component(
-        type=type,
+        type=ctype,
         name=poetry['name'],
         version=poetry.get('version'),
         description=poetry.get('description'),

cyclonedx_py/_internal/utils/pyproject.py

@@ -14,12 +14,12 @@
 
 
 def pyproject2component(data: Dict[str, Any], *,
-                        type: 'ComponentType') -> 'Component':
+                        ctype: 'ComponentType', fpath: str) -> 'Component':
     tool = data.get('tool', {})
-    if 'poetry' in tool:
-        return poetry2component(tool['poetry'], type=type)
-    if 'project' in data:
-        return project2component(data['project'], type=type)
+    if poetry := tool.get('poetry'):
+        return poetry2component(poetry, ctype=ctype)
+    if project := data.get('project'):
+        return project2component(project, ctype=ctype, fpath=fpath)
     raise ValueError('Unable to build component from pyproject')
 
 
@@ -33,10 +33,10 @@ def pyproject_load(pyproject_file: str) -> Dict[str, Any]:
 
 
 def pyproject_file2component(pyproject_file: str, *,
-                             type: 'ComponentType') -> 'Component':
+                             ctype: 'ComponentType') -> 'Component':
     return pyproject2component(
         pyproject_load(pyproject_file),
-        type=type
+        ctype=ctype, fpath=pyproject_file
     )
 
 

tests/_data/infiles/.gitattributes

@@ -1,3 +1,2 @@
 *.bin       binary
 *.txt.bin   binary diff=text
-

tests/_data/infiles/_helpers/local_pckages/a/README.md

@@ -1 +1,4 @@
-build via `python -m build`
+build via :
+```shell
+python -m build
+```