Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: correctly handle object licenses in SBOM generation #6969

Merged
merged 2 commits into from
Nov 6, 2023

Conversation

jamietanna
Copy link
Contributor

As a means to resolve #6966, we can tweak the way we handle licenses,
where receiving a license object, instead of license string, results in
a malformed SPDX JSON SBOM.

While working on this, it was noted that CycloneDX also needed to be
amended, as it was omitting any license objects.

Closes #6966.

Also, document current license SPDX behaviour.

References

Closes #6966.

As a step towards resolving npm#6966, we should document how SPDX SBOM
generation works with a single string license or license expression.
@jamietanna jamietanna force-pushed the defect/spdx-bom-license branch from bd12035 to e2134d5 Compare November 6, 2023 16:07
@jamietanna
Copy link
Contributor Author

Should be able to re-run now 🤞

@jamietanna jamietanna changed the title Fix: Correctly handle object licenses in SBOM generation fix: Correctly handle object licenses in SBOM generation Nov 6, 2023
@jamietanna jamietanna changed the title fix: Correctly handle object licenses in SBOM generation fix: correctly handle object licenses in SBOM generation Nov 6, 2023
As a means to resolve npm#6966, we can tweak the way we handle licenses,
where receiving a license object, instead of license string, results in
a malformed SPDX JSON SBOM.

While working on this, it was noted that CycloneDX also needed to be
amended, as it was omitting any license objects.

Closes npm#6966.
@jamietanna jamietanna force-pushed the defect/spdx-bom-license branch from e2134d5 to 0d1d79f Compare November 6, 2023 16:45
@jamietanna
Copy link
Contributor Author

Sorry, that'll teach me not running the build locally 😞

Copy link
Contributor

@bdehamer bdehamer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for the fix.

@jamietanna
Copy link
Contributor Author

Very welcome, thanks for the support as it stands 👏🏽

@wraithgar wraithgar merged commit 0f70088 into npm:latest Nov 6, 2023
20 checks passed
@wraithgar
Copy link
Member

@jamietanna if you want this backported to npm@9 you can cherry-pick the commit into a new PR made against the v9 branch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
3 participants