Receive incorrect licence information.
aharal opened this issue · comments
I tried using this tool to decode the attached SBOM file, however it gave me the incorrect licence information.
"licenses": [ { "license": { "id": "MIT" }, "license": { "name": "BSD-3-Clause" }, "license": { "id": "0BSD" }, "license": { "name": "WTFPL" }, "license": { "id": "CC0-1.0" } } ],
I anticipated receiving 5 licences again for this licence block, but it only returned one.
@jkowalleck This BOM seems to have been generated by the Composer module. This looks invalid to me:
"licenses": [
{
"license": {
"id": "MIT"
},
"license": {
"name": "BSD-3-Clause"
},
"license": {
"id": "0BSD"
},
"license": {
"name": "WTFPL"
},
"license": {
"id": "CC0-1.0"
}
}
],
Duplicate keys (license) in JSON objects are ambiguous and cyclonedx-go cannot know which one is the correct one. In any case I'd argue that cyclonedx-go behaves as expected in only returning a single license, given this input.
@aharal HOW did you generate this json file?
Could you provide a reproducible setup or step-by-step instructions?
PS: here is the expected data set: https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/demo/laravel-7.12.0/results/bom.1.2.json#L27-L40
Closing as the SBOM has been modified manually and is now invalid. Thanks @jkowalleck for confirming.
@aharal, have a look at the schema documentation for how multiple licenses may be provided: https://cyclonedx.org/docs/1.2/json/#components_items_licenses_items_license
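The two points made above (duplicate keys are ambiguous, and the schema wants one array element per license) can be checked directly. The Go program below is an added example written for this page; it is not part of cyclonedx-go and does not use its types. It uses simplified local structs whose JSON tags match the schema field names (an assumption for the example), embeds a constructed copy of the reporter's duplicate-key block next to its schema-conformant rewrite, shows what encoding/json silently produces for the duplicate-key form, and adds a token-stream pass that rejects any object with a repeated key before unmarshalling.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Simplified stand-ins for the CycloneDX shape (assumption: local types for
// this example, not cyclonedx-go's own; tags match the schema field names).
type License struct {
	ID   string `json:"id,omitempty"`
	Name string `json:"name,omitempty"`
}

type LicenseChoice struct {
	License *License `json:"license,omitempty"`
}

type Component struct {
	Licenses []LicenseChoice `json:"licenses"`
}

// Constructed input reproducing the issue: five "license" keys in ONE object.
const DuplicateKeyInput = `{
  "licenses": [
    {
      "license": { "id": "MIT" },
      "license": { "name": "BSD-3-Clause" },
      "license": { "id": "0BSD" },
      "license": { "name": "WTFPL" },
      "license": { "id": "CC0-1.0" }
    }
  ]
}`

// Constructed input in the schema-conformant form: one element per license.
const ConformantInput = `{
  "licenses": [
    { "license": { "id": "MIT" } },
    { "license": { "name": "BSD-3-Clause" } },
    { "license": { "id": "0BSD" } },
    { "license": { "name": "WTFPL" } },
    { "license": { "id": "CC0-1.0" } }
  ]
}`

// ParseLicenses decodes with plain encoding/json, which does not reject
// duplicate keys: each repeated "license" key is decoded into the same
// *License, so the survivor is a merge of the last "id" and the last "name"
// seen, not any single license from the input.
func ParseLicenses(data string) ([]License, error) {
	var c Component
	if err := json.Unmarshal([]byte(data), &c); err != nil {
		return nil, err
	}
	out := make([]License, 0, len(c.Licenses))
	for _, lc := range c.Licenses {
		if lc.License != nil {
			out = append(out, *lc.License)
		}
	}
	return out, nil
}

var ErrDuplicateKey = errors.New("duplicate key in JSON object")

// CheckDuplicateKeys walks the token stream and fails on the first object that
// repeats a key, reporting a JSON-pointer-style path. Run it before Unmarshal
// so an ambiguous SBOM is rejected instead of silently merged.
func CheckDuplicateKeys(data string) error {
	return checkValue(json.NewDecoder(strings.NewReader(data)), "")
}

func checkValue(dec *json.Decoder, path string) error {
	tok, err := dec.Token()
	if err != nil {
		return err
	}
	delim, ok := tok.(json.Delim)
	if !ok {
		return nil // scalar value: nothing to check
	}
	switch delim {
	case '{':
		seen := map[string]bool{}
		for dec.More() {
			keyTok, err := dec.Token()
			if err != nil {
				return err
			}
			key := keyTok.(string) // Token yields object keys as string
			if seen[key] {
				return fmt.Errorf("%w: %s/%s", ErrDuplicateKey, path, key)
			}
			seen[key] = true
			if err := checkValue(dec, path+"/"+key); err != nil {
				return err
			}
		}
	case '[':
		for i := 0; dec.More(); i++ {
			if err := checkValue(dec, fmt.Sprintf("%s/%d", path, i)); err != nil {
				return err
			}
		}
	}
	_, err = dec.Token() // consume the closing '}' or ']'
	return err
}

func main() {
	for _, in := range []string{DuplicateKeyInput, ConformantInput} {
		if err := CheckDuplicateKeys(in); err != nil {
			fmt.Println("rejected:", err)
		}
		ls, _ := ParseLicenses(in)
		fmt.Printf("encoding/json sees %d license(s): %+v\n", len(ls), ls)
	}
}
```

For the duplicate-key input the check reports `/licenses/0/license`, and plain unmarshalling yields a single license whose `id` and `name` come from different entries in the original block; the conformant input passes the check and decodes to five licenses. The duplicate-key pass is worth keeping in any SBOM ingestion path, since two consumers that disagree on which duplicate wins will disagree on what the document says.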
Thank you for the clarification.