CycloneDx: fix traverseComponents and license management

Signed-off-by: mrizzi <[email protected]>
trustification · Oct 3, 2024 · 896fe21 · 896fe21
1 parent 10a710b
commit 896fe21
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 12 deletions.
diff --git a/pkg/assembler/clients/helpers/bulk.go b/pkg/assembler/clients/helpers/bulk.go
@@ -1169,8 +1169,8 @@ func ingestCertifyLegals(ctx context.Context, client graphql.Client, v []assembl
 				return fmt.Errorf("failed to find ingested Package ID for certifyLegal: %s", helpers.GetKey[*model.PkgInputSpec, helpers.PkgIds](ingest.Pkg, helpers.PkgClientKey).VersionId)
 			}
 
-			// Declared Licenses
-			var pkgDecList []model.IDorLicenseInput
+			// Declared Licenses - initialized as it cannot be nil
+			pkgDecList := make([]model.IDorLicenseInput, 0)
 			for _, dec := range ingest.Declared {
 				if licID, found := licenseInputMap[helpers.GetKey[*model.LicenseInputSpec, string](&dec, helpers.LicenseClientKey)]; found {
 					pkgDecList = append(pkgDecList, *licID)
@@ -1180,8 +1180,8 @@ func ingestCertifyLegals(ctx context.Context, client graphql.Client, v []assembl
 			}
 			pkgDecIDs = append(pkgDecIDs, pkgDecList)
 
-			// Discovered Licenses
-			var pkgDisList []model.IDorLicenseInput
+			// Discovered Licenses - initialized as it cannot be nil
+			pkgDisList := make([]model.IDorLicenseInput, 0)
 			for _, dis := range ingest.Discovered {
 				if licID, found := licenseInputMap[helpers.GetKey[*model.LicenseInputSpec, string](&dis, helpers.LicenseClientKey)]; found {
 					pkgDisList = append(pkgDisList, *licID)
@@ -1198,8 +1198,8 @@ func ingestCertifyLegals(ctx context.Context, client graphql.Client, v []assembl
 				return fmt.Errorf("failed to find ingested Source ID for certifyLegal: %s", helpers.GetKey[*model.SourceInputSpec, helpers.SrcIds](ingest.Src, helpers.SrcClientKey).NameId)
 			}
 
-			// Declared Licenses
-			var srcDecList []model.IDorLicenseInput
+			// Declared Licenses - initialized as it cannot be nil
+			srcDecList := make([]model.IDorLicenseInput, 0)
 			for _, dec := range ingest.Declared {
 				if licID, found := licenseInputMap[helpers.GetKey[*model.LicenseInputSpec, string](&dec, helpers.LicenseClientKey)]; found {
 					srcDecList = append(srcDecList, *licID)
@@ -1209,8 +1209,8 @@ func ingestCertifyLegals(ctx context.Context, client graphql.Client, v []assembl
 			}
 			srcDecIDs = append(srcDecIDs, srcDecList)
 
-			// Discovered Licenses
-			var srcDisList []model.IDorLicenseInput
+			// Discovered Licenses - initialized as it cannot be nil
+			srcDisList := make([]model.IDorLicenseInput, 0)
 			for _, dis := range ingest.Discovered {
 				if licID, found := licenseInputMap[helpers.GetKey[*model.LicenseInputSpec, string](&dis, helpers.LicenseClientKey)]; found {
 					srcDisList = append(srcDisList, *licID)

diff --git a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go
@@ -215,10 +215,6 @@ func traverseComponents(c cyclonedxParser, components *[]cdx.Component) error {
 				} else {
 					purl = asmhelpers.GuacPkgPurl(comp.Name, &comp.Version)
 				}
-				err = traverseComponents(c, comp.Components)
-				if err != nil {
-					return err
-				}
 			}
 			pkg, err := asmhelpers.PurlToPkg(purl)
 			if err != nil {
@@ -241,6 +237,10 @@ func traverseComponents(c cyclonedxParser, components *[]cdx.Component) error {
 			if err := c.getLicenseInformation(comp); err != nil {
 				return fmt.Errorf("failed to get license information for component package with error: %w", err)
 			}
+
+			if err := traverseComponents(c, comp.Components); err != nil {
+				return err
+			}
 		}
 	}
 	return nil
@@ -305,6 +305,7 @@ func getLicenseFromName(c *cyclonedxParser, compLicense cdx.LicenseChoice) strin
 			license = compLicense.License.BOMRef
 		} else {
 			license = common.HashLicense(compLicense.License.Name)
+			c.licenseInLine[license] = compLicense.License.Name
 		}
 	} else {
 		license = compLicense.License.ID

diff --git a/pkg/ingestor/parser/spdx/parse_spdx_test.go b/pkg/ingestor/parser/spdx/parse_spdx_test.go
@@ -1522,7 +1522,9 @@ func Test_spdxParser(t *testing.T) {
 							},
 							Subpath: &packageOfEmptyString,
 						},
+						DepPkgMatchFlag: generated.MatchFlags{Pkg: generated.PkgMatchTypeSpecificVersion},
 						IsDependency: &generated.IsDependencyInputSpec{
+							VersionRange:   "3.0.7-18.el9_2",
 							DependencyType: "UNKNOWN",
 							Justification:  "top-level package GUAC heuristic connecting to each file/package",
 						},
@@ -1545,7 +1547,9 @@ func Test_spdxParser(t *testing.T) {
 							},
 							Subpath: &packageOfEmptyString,
 						},
+						DepPkgMatchFlag: generated.MatchFlags{Pkg: generated.PkgMatchTypeSpecificVersion},
 						IsDependency: &generated.IsDependencyInputSpec{
+							VersionRange:   "3.0.7-18.el9_2",
 							DependencyType: "UNKNOWN",
 							Justification:  "top-level package GUAC heuristic connecting to each file/package",
 						},