fix: Properly detect license evidences like LICEN[CS]E.{Apache,BSD,GPL,MIT} (#1339)

fixes #1337

---------

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -6,6 +6,12 @@ All notable changes to this project will be documented in this file.
 
 <!-- unreleased changes go here -->
 
+* Fixed
+  * Properly detect license evidences like `LICEN[CS]E.{Apache,BSD,GPL,MIT}` ([#1337] via [#1339])
+
+[#1337]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/issues/1337
+[#1339]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1339
+
 ## 3.15.0 - 2024-10-19
 
 * Added

src/_helpers.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import { existsSync, readFileSync } from 'fs'
-import { dirname, extname, isAbsolute, join, sep } from 'path'
+import { dirname, extname, isAbsolute, join, parse, sep } from 'path'
 
 export function isNonNullable<T> (value: T): value is NonNullable<T> {
   // NonNullable: not null and not undefined
@@ -92,18 +92,41 @@ export function loadJsonFile (path: string): any {
 
 export type MimeType = string
 
+const MIME_TEXT_PLAIN: MimeType = 'text/plain'
+
 const MAP_TEXT_EXTENSION_MIME: Readonly<Record<string, MimeType>> = {
-  '': 'text/plain',
-  '.license': 'text/plain',
-  '.licence': 'text/plain',
+  '': MIME_TEXT_PLAIN,
+  // https://www.iana.org/assignments/media-types/media-types.xhtml
+  '.csv': 'text/csv',
+  '.htm': 'text/html',
+  '.html': 'text/html',
   '.md': 'text/markdown',
+  '.txt': MIME_TEXT_PLAIN,
   '.rst': 'text/prs.fallenstein.rst',
-  '.txt': 'text/plain',
-  '.xml': 'text/xml' // not `application/xml` -- our scope is text!
+  '.xml': 'text/xml', // not `application/xml` -- our scope is text!
+  // add more mime types above this line. pull-requests welcome!
+  // license-specific files
+  '.license': MIME_TEXT_PLAIN,
+  '.licence': MIME_TEXT_PLAIN
 } as const
 
 export function getMimeForTextFile (filename: string): MimeType | undefined {
   return MAP_TEXT_EXTENSION_MIME[extname(filename).toLowerCase()]
 }
 
+const LICENSE_FILENAME_BASE = new Set(['licence', 'license'])
+const LICENSE_FILENAME_EXT = new Set([
+  '.apache',
+  '.bsd',
+  '.gpl',
+  '.mit'
+])
+
+export function getMimeForLicenseFile (filename: string): MimeType | undefined {
+  const { name, ext } = parse(filename.toLowerCase())
+  return LICENSE_FILENAME_BASE.has(name) && LICENSE_FILENAME_EXT.has(ext)
+    ? MIME_TEXT_PLAIN
+    : MAP_TEXT_EXTENSION_MIME[ext]
+}
+
 // endregion MIME

src/extractor.ts

@@ -23,7 +23,7 @@ import * as normalizePackageJson from 'normalize-package-data'
 import { dirname, join } from 'path'
 import type { Compilation, Module } from 'webpack'
 
-import { getMimeForTextFile, getPackageDescription, isNonNullable, type PackageDescription, structuredClonePolyfill } from './_helpers'
+import { getMimeForLicenseFile, getPackageDescription, isNonNullable, type PackageDescription, structuredClonePolyfill } from './_helpers'
 
 type WebpackLogger = Compilation['logger']
 
@@ -148,7 +148,7 @@ export class Extractor {
         continue
       }
 
-      const contentType = getMimeForTextFile(pci.name)
+      const contentType = getMimeForLicenseFile(pci.name)
       if (contentType === undefined) {
         continue
       }

tests/integration/__snapshots__/index.test.js.snap

@@ -214,6 +214,25 @@ const testSetups = [
         file: 'dist/.well-known/sbom'
       }
     ]
+  },
+  {
+    dir: 'regression-issue1337',
+    packageManager: 'npm',
+    purpose: 'regression: find license evidence like `LICENSE.MIT`',
+    results: [ // paths relative to `dir`
+      {
+        format: 'xml',
+        file: 'dist/.bom/bom.xml'
+      },
+      {
+        format: 'json',
+        file: 'dist/.bom/bom.json'
+      },
+      {
+        format: 'json',
+        file: 'dist/.well-known/sbom'
+      }
+    ]
   }
   // endregion regression
 ]

tests/integration/index.test.js

@@ -0,0 +1 @@
+** linguist-vendored

tests/integration/regression-issue1337/.gitattributes

@@ -0,0 +1,10 @@
+*
+!/.gitignore
+!/.gitattributes
+!/README.md
+!/.npmrc
+!/package.json
+!/package-lock.json
+!/webpack.config.js
+!/src
+!/src/*

tests/integration/regression-issue1337/.gitignore

@@ -0,0 +1,4 @@
+;  see the docs: https://docs.npmjs.com/cli/v9/using-npm/config
+
+package-lock=true
+lockfile-version=3

tests/integration/regression-issue1337/.npmrc

@@ -0,0 +1,11 @@
+# Test: regression [issue#1337]
+
+This setup is intended to create reproducible results (SBoM).  
+It might install outdated, unmaintained or vulnerable components, for showcasing purposes.
+
+----
+
+this setup is a regression test for [issue#1337]:
+use packages with license files like `LICENSE.BSD` and such.
+
+[issue#1337]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/issues/1337