feat: use CDX-library's license evidence gathering (#1398)

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -6,10 +6,16 @@ All notable changes to this project will be documented in this file.
 
 <!-- unreleased changes go here -->
 
+
+* Changed
+  * Utilizes license file gatherer of `@cyclonedx/cyclonedx-library`, previously used own implementation (via [#1398])
+* Dependencies
+  * Upgraded runtime-dependency `@cyclonedx/cyclonedx-library@^8.4.0`, was `@^8.0.0` (via [#1398])
 * Build
   * Use _TypeScript_ `v5.8.3` now, was `v5.8.2` (via [#1382])
 
 [#1382]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1382
+[#1398]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1398
 
 ## 5.0.1 - 2025-03-17
 

package.json

@@ -71,7 +71,7 @@
     "node": ">=20.18.0"
   },
   "dependencies": {
-    "@cyclonedx/cyclonedx-library": "^8.0.0",
+    "@cyclonedx/cyclonedx-library": "^8.4.0",
     "normalize-package-data": "^7.0.0",
     "xmlbuilder2": "^3.0.2"
   },

src/_helpers.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import { existsSync, readFileSync } from 'node:fs'
-import { dirname, extname, isAbsolute, join, parse, sep } from 'node:path'
+import { dirname, isAbsolute, join, sep } from 'node:path'
 
 export function isNonNullable<T>(value: T): value is NonNullable<T> {
   // NonNullable: not null and not undefined
@@ -103,49 +103,6 @@ export function loadJsonFile(path: string): any {
   // see https://github.com/tc39/proposal-import-attributes
 }
 
-// region MIME
-
-export type MimeType = string
-
-const MIME_TEXT_PLAIN: MimeType = 'text/plain'
-
-const MAP_TEXT_EXTENSION_MIME: Readonly<Record<string, MimeType>> = {
-  '': MIME_TEXT_PLAIN,
-  // https://www.iana.org/assignments/media-types/media-types.xhtml
-  '.csv': 'text/csv',
-  '.htm': 'text/html',
-  '.html': 'text/html',
-  '.md': 'text/markdown',
-  '.txt': MIME_TEXT_PLAIN,
-  '.rst': 'text/prs.fallenstein.rst',
-  '.xml': 'text/xml', // not `application/xml` -- our scope is text!
-  // add more mime types above this line. pull-requests welcome!
-  // license-specific files
-  '.license': MIME_TEXT_PLAIN,
-  '.licence': MIME_TEXT_PLAIN
-} as const
-
-export function getMimeForTextFile(filename: string): MimeType | undefined {
-  return MAP_TEXT_EXTENSION_MIME[extname(filename).toLowerCase()]
-}
-
-const LICENSE_FILENAME_BASE = new Set(['licence', 'license'])
-const LICENSE_FILENAME_EXT = new Set([
-  '.apache',
-  '.bsd',
-  '.gpl',
-  '.mit'
-])
-
-export function getMimeForLicenseFile(filename: string): MimeType | undefined {
-  const {name, ext} = parse(filename.toLowerCase())
-  return LICENSE_FILENAME_BASE.has(name) && LICENSE_FILENAME_EXT.has(ext)
-    ? MIME_TEXT_PLAIN
-    : MAP_TEXT_EXTENSION_MIME[ext]
-}
-
-// endregion MIME
-
 // region polyfills
 
 /** Polyfill for Iterator.some() */

src/extractor.ts

@@ -17,15 +17,13 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import { type Dirent,readdirSync, readFileSync } from 'node:fs'
-import { dirname, join } from 'node:path'
+import { dirname } from 'node:path'
 
 import * as CDX from '@cyclonedx/cyclonedx-library'
 import normalizePackageJson from 'normalize-package-data'
 import type { Compilation, Module } from 'webpack'
 
 import {
-  getMimeForLicenseFile,
   getPackageDescription,
   isNonNullable,
   type PackageDescription,
@@ -38,15 +36,18 @@ export class Extractor {
   readonly #compilation: Compilation
   readonly #componentBuilder: CDX.Builders.FromNodePackageJson.ComponentBuilder
   readonly #purlFactory: CDX.Factories.FromNodePackageJson.PackageUrlFactory
+  readonly #leGatherer: CDX.Utils.LicenseUtility.LicenseEvidenceGatherer
 
   constructor (
     compilation: Compilation,
     componentBuilder: CDX.Builders.FromNodePackageJson.ComponentBuilder,
-    purlFactory: CDX.Factories.FromNodePackageJson.PackageUrlFactory
+    purlFactory: CDX.Factories.FromNodePackageJson.PackageUrlFactory,
+    leFetcher: CDX.Utils.LicenseUtility.LicenseEvidenceGatherer
   ) {
     this.#compilation = compilation
     this.#componentBuilder = componentBuilder
     this.#purlFactory = purlFactory
+    this.#leGatherer = leFetcher
   }
 
   generateComponents (modules: Iterable<Module>, collectEvidence: boolean, logger?: WebpackLogger): Iterable<CDX.Models.Component> {
@@ -146,47 +147,24 @@ export class Extractor {
     }
   }
 
-  readonly #LICENSE_FILENAME_PATTERN = /^(?:UN)?LICEN[CS]E|.\.LICEN[CS]E$|^NOTICE$/i
-
   public * getLicenseEvidence (packageDir: string, logger?: WebpackLogger): Generator<CDX.Models.License> {
-    let pcis: Dirent[] = []
-    try {
-      pcis = readdirSync(packageDir, { withFileTypes: true })
-    } catch (e) {
-      logger?.warn('collecting license evidence in', packageDir, 'failed:', e)
-      return
-    }
-    for (const pci of pcis) {
-      if (
-        // Ignore all directories - they are not files :-)
-        // Don't follow symlinks for security reasons!
-        !pci.isFile() ||
-        !this.#LICENSE_FILENAME_PATTERN.test(pci.name)
-      ) {
-        continue
+    const files = this.#leGatherer.getFileAttachments(
+      packageDir,
+      (error: Error): void => {
+        /* c8 ignore next 2 */
+        logger?.info(error.message)
+        logger?.debug(error.message, error)
       }
-
-      const contentType = getMimeForLicenseFile(pci.name)
-      if (contentType === undefined) {
-        continue
-      }
-
-      const fp = join(packageDir, pci.name)
-      try {
-        yield new CDX.Models.NamedLicense(
-          `file: ${pci.name}`,
-          {
-            text: new CDX.Models.Attachment(
-              readFileSync(fp).toString('base64'),
-              {
-                contentType,
-                encoding: CDX.Enums.AttachmentEncoding.Base64
-              }
-            )
-          })
-      } catch (e) { // may throw if `readFileSync()` fails
-        logger?.warn('collecting license evidence from', fp, 'failed:', e)
+    )
+    try {
+      for (const {file, text} of files) {
+        yield new CDX.Models.NamedLicense(`file: ${file}`, { text })
       }
     }
+    /* c8 ignore next 3 */
+    catch (e) {
+      // generator will not throw before first `.nest()` is called ...
+      logger?.warn('collecting license evidence in', packageDir, 'failed:', e)
+    }
   }
 }

src/plugin.ts

@@ -254,7 +254,12 @@ export class CycloneDxWebpackPlugin {
       pluginName,
       (_, modules) => {
         const thisLogger = logger.getChildLogger('ComponentFetcher')
-        const extractor = new Extractor(compilation, cdxComponentBuilder, cdxPurlFactory)
+        const extractor = new Extractor(
+          compilation,
+          cdxComponentBuilder,
+          cdxPurlFactory,
+          new CDX.Utils.LicenseUtility.LicenseEvidenceGatherer()
+        )
 
         thisLogger.log('generating components...')
         for (const component of extractor.generateComponents(modules, this.collectEvidence, thisLogger.getChildLogger('Extractor'))) {