fix: fallback to license_declared when loading SPDX SBOM

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

scanpipe/pipes/resolve.py

@@ -327,7 +327,11 @@ def spdx_package_to_package_data(spdx_package):
         for checksum in spdx_package.checksums
     }
 
-    declared_license_expression_spdx = spdx_package.license_concluded
+    if spdx_package.license_concluded not in spdx.EMPTY:
+        declared_license_expression_spdx = spdx_package.license_concluded
+    else:
+        declared_license_expression_spdx = spdx_package.license_declared
+
     declared_expression = ""
     if declared_license_expression_spdx:
         declared_expression = convert_spdx_expression(declared_license_expression_spdx)
@@ -350,9 +354,7 @@ def spdx_package_to_package_data(spdx_package):
     }
 
     return {
-        key: value
-        for key, value in package_data.items()
-        if value not in [None, "", "NOASSERTION"]
+        key: value for key, value in package_data.items() if value not in spdx.EMPTY
     }
 
 

scanpipe/pipes/spdx.py

@@ -47,6 +47,8 @@
     "https://github.com/spdx/spdx-spec/raw/development/v2.2/schemas/spdx-schema.json"
 )
 
+EMPTY = [None, "", "NOASSERTION"]
+
 """
 Generate SPDX Documents.
 Spec documentation: https://spdx.github.io/spdx-spec/v2.3/

scanpipe/tests/data/spdx/license-fields.spdx.json

@@ -0,0 +1,31 @@
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "analysis",
+  "documentNamespace": "https://scancode.io/spdxdocs/abc",
+  "creationInfo": {
+    "created": "2000-01-01T01:02:03Z",
+    "creators": [
+      "Tool: ABC"
+    ],
+    "licenseListVersion": "3.27"
+  },
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-abc",
+      "name": "abc",
+      "downloadLocation": "NOASSERTION",
+      "licenseInfoFromFiles": [
+        "NOASSERTION"
+      ],
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "(GPL-2.0-only AND LGPL-2.1-only)",
+      "copyrightText": "NOASSERTION",
+      "versionInfo": "1.0"
+    }
+  ],
+  "documentDescribes": [
+    "SPDXRef-Package-abc"
+  ]
+}

scanpipe/tests/pipes/test_resolve.py

@@ -250,6 +250,21 @@ def test_scanpipe_pipes_resolve_spdx_packages(self):
         packages_data = resolve.resolve_spdx_packages(input_location)
         self.assertEqual(4, len(packages_data))
 
+    def test_scanpipe_pipes_resolve_spdx_packages_license_fields(self):
+        input_location = self.data / "spdx" / "license-fields.spdx.json"
+        packages_data = resolve.resolve_spdx_packages(input_location)
+        expected = [
+            {
+                "package_uid": "SPDXRef-Package-abc",
+                "name": "abc",
+                "declared_license_expression": "gpl-2.0 AND lgpl-2.1",
+                "declared_license_expression_spdx": "(GPL-2.0-only AND LGPL-2.1-only)",
+                "extracted_license_statement": "(GPL-2.0-only AND LGPL-2.1-only)",
+                "version": "1.0",
+            }
+        ]
+        self.assertEqual(expected, packages_data)
+
     def test_scanpipe_pipes_resolve_spdx_dependencies(self):
         input_location = self.data / "spdx" / "SPDXJSONExample-v2.3.spdx.json"
         dependencies_data = resolve.resolve_spdx_dependencies(input_location)