
When converting cyclonedx xml to json and a dependency has multiple licenses, only the first license is taken into account #322

Closed
mawl opened this issue Jun 20, 2023 · 2 comments

Comments

@mawl

mawl commented Jun 20, 2023

When converting a cyclonedx.xml to json and a dependency/component has multiple licenses, only the first license is taken into account.

    cyclonedx-cli convert \
        --input-format xml \
        --input-file ${ORT_OUTPUT_DIR}/bom.cyclonedx.xml \
        --output-format json \
        --output-file ${ORT_OUTPUT_DIR}/bom.cyclonedx.converted.json

Example:
bom.cyclonedx.xml

    <component type="library">
      <name>pizzip</name>
      <version>3.1.4</version>
      <description>Create, read and edit .zip files synchronously with Javascript</description>
      <scope>required</scope>
      <hashes>
        <hash alg="SHA-1">0c2578506ce5b487fa00bc2dd62eebeb291ee677</hash>
      </hashes>
      <licenses>
        <license>
          <id>GPL-3.0-only</id>
          <text content-type="plain/text" encoding="base64">...</text>
        </license>
        <license>
          <id>MIT</id>
          <text content-type="plain/text" encoding="base64">...</text>
        </license>
      </licenses>
      <copyright>Copyright (C) Edgar Hipp</copyright>
      <purl>pkg:npm/pizzip@3.1.4?classifier=sources</purl>
      <modified>false</modified>
      <externalReferences>
        <reference type="website">
          <url>https://github.com/open-xml-templating/pizzip#readme</url>
        </reference>
      </externalReferences>
      <ort:dependencyType xmlns:ort="http://www.w3.org/1999/xhtml">direct</ort:dependencyType>
    </component>

bom.cyclonedx.json

    {
      "type": "library",
      "name": "pizzip",
      "version": "3.1.4",
      "description": "Create, read and edit .zip files synchronously with Javascript",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "0c2578506ce5b487fa00bc2dd62eebeb291ee677"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "GPL-3.0-only",
            "text": {
              "contentType": "plain/text",
              "encoding": "base64",
              "content": "..."
            }
          }
        }
      ],
      "copyright": "Copyright (C) Edgar Hipp",
      "purl": "pkg:npm/pizzip@3.1.4?classifier=sources",
      "modified": false,
      "externalReferences": [
        {
          "url": "https://github.com/open-xml-templating/pizzip#readme",
          "type": "website",
          "hashes": []
        }
      ]
    },
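A conversion that silently drops licenses turns a dual-licensed component into a single-licensed one in the JSON SBOM, so compliance and policy checks downstream see a different picture than the XML source. The following script is an added example (not code from cyclonedx-cli or from the issue author): it lists every license id per component in both the XML input and the JSON output and reports the components where the two disagree, which is the check a practitioner would run after a conversion like the one above. The two sample BOMs are constructed to mirror the pizzip case from the report; the `example-lib` component and its purl are invented for contrast.

```python
# Added example (not cyclonedx-cli code): compare per-component license ids
# between a CycloneDX XML BOM and its JSON conversion, so a lossy conversion
# like the one reported above is caught before the JSON is handed downstream.
import json
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}id' -> 'id'."""
    return tag.rsplit("}", 1)[-1]


def xml_component_licenses(xml_text):
    """Map each component's purl to its license ids (or names) in document order."""
    result = {}
    for comp in ET.fromstring(xml_text).iter():
        if _local(comp.tag) != "component":
            continue
        purl, ids = "", []
        for child in comp:
            if _local(child.tag) == "purl":
                purl = (child.text or "").strip()
            elif _local(child.tag) == "licenses":
                for lic in child:  # <license> objects or SPDX <expression>s
                    if _local(lic.tag) == "expression":
                        ids.append((lic.text or "").strip())
                        continue
                    for field in lic:
                        if _local(field.tag) in ("id", "name"):
                            ids.append((field.text or "").strip())
                            break
        result[purl] = ids
    return result


def json_component_licenses(json_text):
    """Same mapping for a CycloneDX JSON BOM."""
    result = {}
    for comp in json.loads(json_text).get("components", []):
        ids = []
        for entry in comp.get("licenses", []):
            if "license" in entry:
                ids.append(entry["license"].get("id") or entry["license"].get("name"))
            elif "expression" in entry:
                ids.append(entry["expression"])
        result[comp.get("purl", "")] = ids
    return result


def find_dropped_licenses(xml_text, json_text):
    """Return {purl: (xml_ids, json_ids)} for every component whose licenses differ."""
    xml_side = xml_component_licenses(xml_text)
    json_side = json_component_licenses(json_text)
    return {purl: (ids, json_side.get(purl, []))
            for purl, ids in xml_side.items() if ids != json_side.get(purl, [])}


# Constructed input mirroring the pizzip component from the report; the
# example-lib component and its purl are invented for contrast.
SAMPLE_XML = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>pizzip</name>
      <licenses>
        <license><id>GPL-3.0-only</id></license>
        <license><id>MIT</id></license>
      </licenses>
      <purl>pkg:npm/pizzip@3.1.4?classifier=sources</purl>
    </component>
    <component type="library">
      <name>example-lib</name>
      <licenses><license><id>Apache-2.0</id></license></licenses>
      <purl>pkg:npm/example-lib@1.0.0</purl>
    </component>
  </components>
</bom>"""

# Constructed output reproducing the lossy conversion: only the first license survives.
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "pizzip",
         "purl": "pkg:npm/pizzip@3.1.4?classifier=sources",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "example-lib",
         "purl": "pkg:npm/example-lib@1.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})

if __name__ == "__main__":
    for purl, (before, after) in find_dropped_licenses(SAMPLE_XML, SAMPLE_JSON).items():
        print(f"{purl}: XML {before} -> JSON {after}")
```

Run against a real pair of files by reading the XML input and the converted JSON into the two arguments of `find_dropped_licenses`; an empty result means every component kept its full license list. Components are keyed by purl here, which is the stable identifier in both serializations; a component without a purl would need name and version as a fallback key.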
@andreas-hilti
Contributor

@mawl I think this is related to CycloneDX/cyclonedx-dotnet-library#187.

@andreas-hilti
Contributor

With release 0.26.0, this should be fixed.

@mtsfoni mtsfoni closed this as completed Aug 17, 2024