Add support for SPDX as YAML in load_sbom pipeline

tdruez · tdruez · commit 31ba3be518b4 · 2025-09-12T15:49:59.000+04:00
Signed-off-by: tdruez &lt;tdruez@nexb.com&gt;
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -38,6 +38,8 @@ v35.4.0 (unreleased)
 - Add ORT ``package-list.yml`` as new downloadable output format.
   https://github.com/aboutcode-org/scancode.io/pull/1852
 
+- Add support for SPDX as YAML in ``load_sbom`` pipeline.
+
 v35.3.0 (2025-08-20)
 --------------------
 
diff --git a/scanpipe/pipes/resolve.py b/scanpipe/pipes/resolve.py
@@ -30,6 +30,7 @@
 from django.core.exceptions import ObjectDoesNotExist
 
 import python_inspector.api as python_inspector
+import saneyaml
 from attributecode.model import About
 from packagedcode import APPLICATION_PACKAGE_DATAFILE_HANDLERS
 from packagedcode.licensing import get_license_detections_and_expression
@@ -378,7 +379,11 @@ def spdx_relationship_to_dependency_data(spdx_relationship):
 def get_spdx_document_from_file(input_location):
     """Return the loaded SPDX document from the `input_location` file."""
     input_path = Path(input_location)
-    spdx_document = json.loads(input_path.read_text())
+
+    if str(input_path).endswith((".yml", ".yaml")):
+        spdx_document = saneyaml.load(input_path.read_text())
+    else:
+        spdx_document = json.loads(input_path.read_text())
 
     try:
         spdx.validate_document(spdx_document)
@@ -425,13 +430,13 @@ def get_default_package_type(input_location):
         if handler.is_datafile(input_location):
             return handler.default_package_type
 
-    if input_location.endswith((".spdx", ".spdx.json")):
+    if input_location.endswith((".spdx", ".spdx.json", ".spdx.yml")):
         return "spdx"
 
     if input_location.endswith(("bom.json", ".cdx.json", "bom.xml", ".cdx.xml")):
         return "cyclonedx"
 
-    if input_location.endswith((".json", ".xml")):
+    if input_location.endswith((".json", ".xml", ".yml", ".yaml")):
         if cyclonedx.is_cyclonedx_bom(input_location):
             return "cyclonedx"
         if spdx.is_spdx_document(input_location):
diff --git a/scanpipe/pipes/spdx.py b/scanpipe/pipes/spdx.py
@@ -29,6 +29,8 @@
 from datetime import timezone
 from pathlib import Path
 
+import saneyaml
+
 SPDX_SPEC_VERSION = "2.3"
 SPDX_LICENSE_LIST_VERSION = "3.20"
 SPDX_SCHEMA_NAME = "spdx-schema-2.3.json"
@@ -653,8 +655,15 @@ def validate_document(document, schema=SPDX_SCHEMA_PATH):
 
 def is_spdx_document(input_location):
     """Return True if the file at `input_location` is a SPDX Document."""
+    input_location = str(input_location)
+    data = {}
+
     with suppress(Exception):
-        data = json.loads(Path(input_location).read_text())
-        if data.get("SPDXID"):
-            return True
+        if input_location.endswith(".json"):
+            data = json.loads(Path(input_location).read_text())
+        elif input_location.endswith((".yml", ".yaml")):
+            data = saneyaml.load(Path(input_location).read_text())
+
+    if data.get("SPDXID"):
+        return True
     return False
diff --git a/scanpipe/tests/data/manifests/curl-7.70.0-v2.2.spdx.yml b/scanpipe/tests/data/manifests/curl-7.70.0-v2.2.spdx.yml
@@ -0,0 +1,32 @@
+SPDXID: "SPDXRef-DOCUMENT"
+spdxVersion: "SPDX-2.2"
+creationInfo:
+  created: "2020-07-23T18:30:22Z"
+  creators:
+  - "Organization: Example Inc."
+  - "Person: Thomas Steenbergen"
+  licenseListVersion: "3.9"
+name: "curl-7.70.0"
+dataLicense: "CC0-1.0"
+documentNamespace: "http://spdx.org/spdxdocs/spdx-document-curl"
+documentDescribes:
+- "SPDXRef-Package-curl"
+packages:
+- SPDXID: "SPDXRef-Package-curl"
+  description: "A command line tool and library for transferring data with URL syntax, supporting \
+    HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \
+    IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features."
+  copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
+    contributors, see the THANKS file."
+  downloadLocation: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
+  externalRefs:
+  - referenceCategory: "SECURITY"
+    referenceLocator: "cpe:2.3:a:http:curl:7.70.0:*:*:*:*:*:*:*"
+    referenceType: "cpe23Type"
+  filesAnalyzed: false
+  homepage: "https://curl.haxx.se/"
+  licenseConcluded: "NOASSERTION"
+  licenseDeclared: "curl"
+  name: "curl"
+  versionInfo: "7.70.0"
+  originator: "Person: Daniel Stenberg (daniel@haxx.se)"
diff --git a/scanpipe/tests/data/manifests/curl-7.70.0.yaml b/scanpipe/tests/data/manifests/curl-7.70.0.yaml
@@ -0,0 +1,32 @@
+SPDXID: "SPDXRef-DOCUMENT"
+spdxVersion: "SPDX-2.2"
+creationInfo:
+  created: "2020-07-23T18:30:22Z"
+  creators:
+  - "Organization: Example Inc."
+  - "Person: Thomas Steenbergen"
+  licenseListVersion: "3.9"
+name: "curl-7.70.0"
+dataLicense: "CC0-1.0"
+documentNamespace: "http://spdx.org/spdxdocs/spdx-document-curl"
+documentDescribes:
+- "SPDXRef-Package-curl"
+packages:
+- SPDXID: "SPDXRef-Package-curl"
+  description: "A command line tool and library for transferring data with URL syntax, supporting \
+    HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \
+    IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features."
+  copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
+    contributors, see the THANKS file."
+  downloadLocation: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
+  externalRefs:
+  - referenceCategory: "SECURITY"
+    referenceLocator: "cpe:2.3:a:http:curl:7.70.0:*:*:*:*:*:*:*"
+    referenceType: "cpe23Type"
+  filesAnalyzed: false
+  homepage: "https://curl.haxx.se/"
+  licenseConcluded: "NOASSERTION"
+  licenseDeclared: "curl"
+  name: "curl"
+  versionInfo: "7.70.0"
+  originator: "Person: Daniel Stenberg (daniel@haxx.se)"
diff --git a/scanpipe/tests/pipes/test_resolve.py b/scanpipe/tests/pipes/test_resolve.py
@@ -50,9 +50,15 @@ def test_scanpipe_pipes_resolve_get_default_package_type(self):
         input_location = self.manifest_location / "toml.spdx.json"
         self.assertEqual("spdx", resolve.get_default_package_type(input_location))
 
+        input_location = self.manifest_location / "curl-7.70.0-v2.2.spdx.yml"
+        self.assertEqual("spdx", resolve.get_default_package_type(input_location))
+
         input_location = self.manifest_location / "toml.json"
         self.assertEqual("spdx", resolve.get_default_package_type(input_location))
 
+        input_location = self.manifest_location / "curl-7.70.0.yaml"
+        self.assertEqual("spdx", resolve.get_default_package_type(input_location))
+
         input_location = self.data / "cyclonedx/nested.cdx.json"
         self.assertEqual("cyclonedx", resolve.get_default_package_type(input_location))
 
@@ -181,6 +187,12 @@ def test_scanpipe_pipes_resolve_get_spdx_document_from_file(self):
         self.assertEqual("SPDXRef-DOCUMENT", spdx_document["SPDXID"])
         self.assertEqual("SPDX-2.3", spdx_document["spdxVersion"])
 
+        input_location = self.data / "manifests" / "curl-7.70.0-v2.2.spdx.yml"
+        spdx_document = resolve.get_spdx_document_from_file(input_location)
+        self.assertIsInstance(spdx_document, dict)
+        self.assertEqual("SPDXRef-DOCUMENT", spdx_document["SPDXID"])
+        self.assertEqual("SPDX-2.2", spdx_document["spdxVersion"])
+
     def test_scanpipe_pipes_resolve_spdx_package_to_package_data(self):
         p1 = Project.objects.create(name="Analysis")
         package = pipes.update_or_create_package(p1, package_data1)
