scanoss 1.12.2__py3-none-any.whl → 1.43.1__py3-none-any.whl

scanoss/cyclonedx.py

@@ -1,31 +1,37 @@
 """
- SPDX-License-Identifier: MIT
-
-   Copyright (c) 2021, SCANOSS
-
-   Permission is hereby granted, free of charge, to any person obtaining a copy
-   of this software and associated documentation files (the "Software"), to deal
-   in the Software without restriction, including without limitation the rights
-   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-   copies of the Software, and to permit persons to whom the Software is
-   furnished to do so, subject to the following conditions:
-
-   The above copyright notice and this permission notice shall be included in
-   all copies or substantial portions of the Software.
-
-   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-   THE SOFTWARE.
+SPDX-License-Identifier: MIT
+
+  Copyright (c) 2021, SCANOSS
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy
+  of this software and associated documentation files (the "Software"), to deal
+  in the Software without restriction, including without limitation the rights
+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  copies of the Software, and to permit persons to whom the Software is
+  furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+  THE SOFTWARE.
 """
+
+import datetime
 import json
 import os.path
 import sys
 import uuid
 
+from cyclonedx.schema import SchemaVersion
+from cyclonedx.validation.json import JsonValidator
+
+from . import __version__
 from .scanossbase import ScanossBase
 from .spdxlite import SpdxLite
 
@@ -45,33 +51,36 @@ class CycloneDx(ScanossBase):
         self.debug = debug
         self._spdx = SpdxLite(debug=debug)
 
-    def parse(self, data: json):
+    def parse(self, data: dict):  # noqa: PLR0912, PLR0915
         """
         Parse the given input (raw/plain) JSON string and return CycloneDX summary
-        :param data: json - JSON object
+        :param data: dict - JSON object
         :return: CycloneDX dictionary, and vulnerability dictionary
         """
-        if not data:
+        if data is None:
             self.print_stderr('ERROR: No JSON data provided to parse.')
             return None, None
-        self.print_debug(f'Processing raw results into CycloneDX format...')
+        if len(data) == 0:
+            self.print_msg('Warning: Empty scan results provided. Returning empty component dictionary.')
+            return {}, {}
+        self.print_debug('Processing raw results into CycloneDX format...')
         cdx = {}
         vdx = {}
         for f in data:
             file_details = data.get(f)
             # print(f'File: {f}: {file_details}')
             for d in file_details:
-                id_details = d.get("id")
+                id_details = d.get('id')
                 if not id_details or id_details == 'none':
                     continue
                 purl = None
                 if id_details == 'dependency':
-                    dependencies = d.get("dependencies")
+                    dependencies = d.get('dependencies')
                     if not dependencies:
                         self.print_stderr(f'Warning: No Dependencies found for {f}: {file_details}')
                         continue
                     for deps in dependencies:
-                        purl = deps.get("purl")
+                        purl = deps.get('purl')
                         if not purl:
                             self.print_stderr(f'Warning: No PURL found for {f}: {deps}')
                             continue
@@ -83,12 +92,13 @@ class CycloneDx(ScanossBase):
                             fd[field] = deps.get(field, '')
                         licenses = deps.get('licenses')
                         fdl = []
-                        dc = []
-                        for lic in licenses:
-                            name = lic.get("name")
-                            if name not in dc:  # Only save the license name once
-                                fdl.append({'id': name})
-                                dc.append(name)
+                        if licenses:
+                            dc = []
+                            for lic in licenses:
+                                name = lic.get('name')
+                                if name not in dc:  # Only save the license name once
+                                    fdl.append({'id': name})
+                                    dc.append(name)
                         fd['licenses'] = fdl
                         cdx[purl] = fd
                 else:
@@ -104,30 +114,33 @@ class CycloneDx(ScanossBase):
                         self.print_stderr(f'Warning: No PURL found for {f}: {file_details}')
                         continue
                     fd = {}
-                    vulnerabilities = d.get("vulnerabilities")
+                    vulnerabilities = d.get('vulnerabilities')
                     if vulnerabilities:
                         for vuln in vulnerabilities:
-                            vuln_id = vuln.get("ID")
+                            vuln_id = vuln.get('ID')
                             if vuln_id == '':
-                                vuln_id = vuln.get("id")
+                                vuln_id = vuln.get('id')
                             if not vuln_id or vuln_id == '':  # Skip empty ids
                                 continue
-                            vuln_cve = vuln.get("CVE", '')
+                            vuln_cve = vuln.get('CVE', '')
                             if vuln_cve == '':
-                                vuln_cve = vuln.get("cve", '')
-                            if vuln_id.upper().startswith("CPE:"):
-                                fd['cpe'] = vuln_id                 # Save the component CPE if we have one
+                                vuln_cve = vuln.get('cve', '')
+                            if vuln_id.upper().startswith('CPE:'):
+                                fd['cpe'] = vuln_id  # Save the component CPE if we have one
                                 if vuln_cve != '':
                                     vuln_id = vuln_cve
                             vd = vdx.get(vuln_id)  # Check if we've already encountered this vulnerability
                             if not vd:
                                 vuln_source = vuln.get('source', '').lower()
-                                vd = {'cve': vuln_cve,
-                                      'source': 'NVD' if vuln_source == 'nvd' else 'GitHub Advisories',
-                                      'url': f'https://nvd.nist.gov/vuln/detail/{vuln_cve}' if vuln_source == 'nvd' else f'https://github.com/advisories/{vuln_id}',
-                                      'severity': self._sev_lookup(vuln.get('severity', 'unknown').lower()),
-                                      'affects': set()
-                                      }
+                                vd = {
+                                    'cve': vuln_cve,
+                                    'source': 'NVD' if vuln_source == 'nvd' else 'GitHub Advisories',
+                                    'url': f'https://nvd.nist.gov/vuln/detail/{vuln_cve}'
+                                    if vuln_source == 'nvd'
+                                    else f'https://github.com/advisories/{vuln_id}',
+                                    'severity': self._sev_lookup(vuln.get('severity', 'unknown').lower()),
+                                    'affects': set(),
+                                }
                             vd.get('affects').add(purl)
                             vdx[vuln_id] = vd
                     if cdx.get(purl):
@@ -137,8 +150,13 @@ class CycloneDx(ScanossBase):
                         fd[field] = d.get(field)
                     licenses = d.get('licenses')
                     fdl = []
-                    for lic in licenses:
-                        fdl.append({'id': lic.get("name")})
+                    if licenses:
+                        for lic in licenses:
+                            name = lic.get('name')
+                            source = lic.get('source')
+                            if source not in ('component_declared', 'license_file', 'file_header'):
+                                continue
+                            fdl.append({'id': name})
                     fd['licenses'] = fdl
                     cdx[purl] = fd
         # self.print_stderr(f'VD: {vdx}')
@@ -162,17 +180,24 @@ class CycloneDx(ScanossBase):
             success = self.produce_from_str(f.read(), output_file)
         return success
 
-    def produce_from_json(self, data: json, output_file: str = None) -> bool:
+    def produce_from_json(self, data: dict, output_file: str = None) -> tuple[bool, dict]:  # noqa: PLR0912
         """
-        Produce the CycloneDX output from the input data
-        :param data: JSON object
-        :param output_file: Output file (optional)
-        :return: True if successful, False otherwise
+        Produce the CycloneDX output from the raw scan results input data
+
+        Args:
+            data (dict): JSON object
+            output_file (str, optional): Output file (optional). Defaults to None.
+
+        Returns:
+            bool: True if successful, False otherwise
+            json: The CycloneDX output
         """
         cdx, vdx = self.parse(data)
-        if not cdx:
+        if cdx is None:
             self.print_stderr('ERROR: No CycloneDX data returned for the JSON string provided.')
-            return False
+            return False, {}
+        if len(cdx) == 0:
+            self.print_msg('Warning: Empty scan results - generating minimal CycloneDX SBOM with no components.')
         self._spdx.load_license_data()  # Load SPDX license name data for later reference
         #
         # Using CDX version 1.4: https://cyclonedx.org/docs/1.4/json/
@@ -184,8 +209,19 @@ class CycloneDx(ScanossBase):
             'specVersion': '1.4',
             'serialNumber': f'urn:uuid:{uuid.uuid4()}',
             'version': 1,
+            'metadata': {
+                'timestamp': datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ'),
+                'tools': [
+                    {
+                        'vendor': 'SCANOSS',
+                        'name': 'scanoss-py',
+                        'version': __version__,
+                    }
+                ],
+                'component': {'type': 'application', 'name': 'NOASSERTION', 'version': 'NOASSERTION'},
+            },
             'components': [],
-            'vulnerabilities': []
+            'vulnerabilities': [],
         }
         for purl in cdx:
             comp = cdx.get(purl)
@@ -195,6 +231,8 @@ class CycloneDx(ScanossBase):
                 lic_set = set()
                 for lic in licenses:  # Get a unique set of licenses
                     lc_id = lic.get('id')
+                    if not lc_id:
+                        continue
                     spdx_id = self._spdx.get_spdx_license_id(lc_id)
                     lic_set.add(spdx_id if spdx_id else lc_id)
                 for lc_id in lic_set:  # Store licenses for later inclusion
@@ -210,7 +248,7 @@ class CycloneDx(ScanossBase):
                 'version': comp.get('version'),
                 'purl': purl,
                 'bom-ref': purl,
-                'licenses': lic_text
+                'licenses': lic_text,
             }
             cpe = comp.get('cpe', '')
             if cpe and cpe != '':
@@ -230,7 +268,7 @@ class CycloneDx(ScanossBase):
                     'id': vuln_id,
                     'source': {'name': v_source, 'url': vulns.get('url')},
                     'ratings': [{'severity': vulns.get('severity', 'unknown')}],
-                    'affects': affects
+                    'affects': affects,
                 }
                 data['vulnerabilities'].append(vd)
             # End for loop
@@ -244,7 +282,7 @@ class CycloneDx(ScanossBase):
         if output_file:
             file.close()
 
-        return True
+        return True, data
 
     def produce_from_str(self, json_str: str, output_file: str = None) -> bool:
         """
@@ -261,7 +299,84 @@ class CycloneDx(ScanossBase):
         except Exception as e:
             self.print_stderr(f'ERROR: Problem parsing input JSON: {e}')
             return False
-        return self.produce_from_json(data, output_file)
+        success, _ = self.produce_from_json(data, output_file)
+        return success
+
+    def _normalize_vulnerability_id(self, vuln: dict) -> tuple[str, str]:
+        """
+        Normalize vulnerability ID and CVE from different possible field names.
+        Returns tuple of (vuln_id, vuln_cve).
+        """
+        vuln_id = vuln.get('ID', '') or vuln.get('id', '')
+        vuln_cve = vuln.get('CVE', '') or vuln.get('cve', '')
+
+        # Skip CPE entries, use CVE if available
+        if vuln_id.upper().startswith('CPE:') and vuln_cve:
+            vuln_id = vuln_cve
+
+        return vuln_id, vuln_cve
+
+    def _create_vulnerability_entry(self, vuln_id: str, vuln: dict, vuln_cve: str, purl: str) -> dict:
+        """
+        Create a new vulnerability entry for CycloneDX format.
+        """
+        vuln_source = vuln.get('source', '').lower()
+        return {
+            'id': vuln_id,
+            'source': {
+                'name': 'NVD' if vuln_source == 'nvd' else 'GitHub Advisories',
+                'url': f'https://nvd.nist.gov/vuln/detail/{vuln_cve}'
+                if vuln_source == 'nvd'
+                else f'https://github.com/advisories/{vuln_id}',
+            },
+            'ratings': [{'severity': self._sev_lookup(vuln.get('severity', 'unknown').lower())}],
+            'affects': [{'ref': purl}],
+        }
+
+    def append_vulnerabilities(self, cdx_dict: dict, vulnerabilities_data: dict, purl: str) -> dict:
+        """
+        Append vulnerabilities to an existing CycloneDX dictionary
+
+        Args:
+            cdx_dict (dict): The existing CycloneDX dictionary
+            vulnerabilities_data (dict): The vulnerabilities data from get_vulnerabilities_json
+            purl (str): The PURL of the component these vulnerabilities affect
+
+        Returns:
+            dict: The updated CycloneDX dictionary with vulnerabilities appended
+        """
+        if not cdx_dict or not vulnerabilities_data:
+            return cdx_dict
+
+        if 'vulnerabilities' not in cdx_dict:
+            cdx_dict['vulnerabilities'] = []
+
+        # Extract vulnerabilities from the response
+        vulns_list = vulnerabilities_data.get('purls', [])
+        if not vulns_list:
+            return cdx_dict
+
+        vuln_items = vulns_list[0].get('vulnerabilities', [])
+
+        for vuln in vuln_items:
+            vuln_id, vuln_cve = self._normalize_vulnerability_id(vuln)
+
+            # Skip empty IDs or CPE-only entries
+            if not vuln_id or vuln_id.upper().startswith('CPE:'):
+                continue
+
+            # Check if vulnerability already exists
+            existing_vuln = next((v for v in cdx_dict['vulnerabilities'] if v.get('id') == vuln_id), None)
+
+            if existing_vuln:
+                # Add this PURL to the affects list if not already present
+                if not any(ref.get('ref') == purl for ref in existing_vuln.get('affects', [])):
+                    existing_vuln['affects'].append({'ref': purl})
+            else:
+                # Create new vulnerability entry
+                cdx_dict['vulnerabilities'].append(self._create_vulnerability_entry(vuln_id, vuln, vuln_cve, purl))
+
+        return cdx_dict
 
     @staticmethod
     def _sev_lookup(value: str):
@@ -278,8 +393,51 @@ class CycloneDx(ScanossBase):
             'low': 'low',
             'info': 'info',
             'none': 'none',
-            'unknown': 'unknown'
-            }.get(value, 'unknown')
+            'unknown': 'unknown',
+        }.get(value, 'unknown')
+
+    def is_cyclonedx_json(self, json_string: str) -> bool:
+        """
+        Validate if the given JSON string is a valid CycloneDX JSON string
+
+        Args:
+            json_string (str): JSON string to validate
+        Returns:
+            bool: True if the JSON string is valid, False otherwise
+        """
+        try:
+            cdx_json_validator = JsonValidator(SchemaVersion.V1_6)
+            json_validation_errors = cdx_json_validator.validate_str(json_string)
+            if json_validation_errors:
+                self.print_stderr(f'ERROR: Problem parsing input JSON: {json_validation_errors}')
+                return False
+            return True
+        except Exception as e:
+            self.print_stderr(f'ERROR: Problem parsing input JSON: {e}')
+            return False
+
+    def get_purls_request_from_cdx(self, cdx_dict: dict, field: str = 'purls') -> dict:
+        """
+        Get the list of PURL requests (purl + requirement) from the given CDX dictionary
+
+        Args:
+            cdx_dict (dict): CDX dictionary to parse
+            field (str): Field to extract from the CDX dictionary
+        Returns:
+            list[dict]: List of PURL requests (purl + requirement)
+        """
+        components = cdx_dict.get('components', [])
+        parsed_purls = []
+        for component in components:
+            version = component.get('version')
+            if version:
+                parsed_purls.append({'purl': component.get('purl'), 'requirement': version})
+            else:
+                parsed_purls.append({'purl': component.get('purl')})
+        purl_request = {field: parsed_purls}
+        return purl_request
+
+
 #
 # End of CycloneDX Class
 #

scanoss/data/build_date.txt

@@ -1 +1 @@
-date: 20240417094300, utime: 1713346980
+date: 20260105120224, utime: 1767614544

scanoss/data/osadl-copyleft.json

@@ -0,0 +1,133 @@
+{
+    "title": "OSADL Open Source License Obligations Checklist (https:\/\/www.osadl.org\/Checklists)",
+    "license": "Creative Commons Attribution 4.0 International license (CC-BY-4.0)",
+    "attribution": "A project by the Open Source Automation Development Lab (OSADL) eG. For further information about the project see the description at www.osadl.org\/checklists.",
+    "copyright": "(C) 2017 - 2024 Open Source Automation Development Lab (OSADL) eG and contributors, info@osadl.org",
+    "disclaimer": "The checklists and particularly the copyleft data have been assembled with maximum diligence and care; however, the authors do not warrant nor can be held liable in any way for its correctness, usefulness, merchantibility or fitness for a particular purpose as far as permissible by applicable law. Anyone who uses the information does this on his or her sole responsibility. For any individual legal advice, it is recommended to contact a lawyer.",
+    "timeformat": "%Y-%m-%dT%H:%M:%S%z",
+    "timestamp": "2025-10-30T11:23:00+0000",
+    "copyleft": 
+    {
+        "0BSD": "No",
+        "AFL-2.0": "No",
+        "AFL-2.1": "No",
+        "AFL-3.0": "No",
+        "AGPL-3.0-only": "Yes",
+        "AGPL-3.0-or-later": "Yes",
+        "Apache-1.0": "No",
+        "Apache-1.1": "No",
+        "Apache-2.0": "No",
+        "APSL-2.0": "Yes (restricted)",
+        "Artistic-1.0": "No",
+        "Artistic-1.0-Perl": "No",
+        "Artistic-2.0": "No",
+        "Bitstream-Vera": "No",
+        "blessing": "No",
+        "BlueOak-1.0.0": "No",
+        "BSD-1-Clause": "No",
+        "BSD-2-Clause": "No",
+        "BSD-2-Clause-Patent": "No",
+        "BSD-3-Clause": "No",
+        "BSD-3-Clause-Open-MPI": "No",
+        "BSD-4-Clause": "No",
+        "BSD-4-Clause-UC": "No",
+        "BSD-4.3TAHOE": "No",
+        "BSD-Source-Code": "No",
+        "BSL-1.0": "No",
+        "bzip2-1.0.5": "No",
+        "bzip2-1.0.6": "No",
+        "CC-BY-2.5": "No",
+        "CC-BY-3.0": "No",
+        "CDDL-1.0": "Yes (restricted)",
+        "CDDL-1.1": "Yes (restricted)",
+        "CPL-1.0": "Yes",
+        "curl": "No",
+        "ECL-1.0": "No",
+        "ECL-2.0": "No",
+        "EFL-2.0": "No",
+        "EPL-1.0": "Yes",
+        "EPL-2.0": "Yes (restricted)",
+        "EUPL-1.1": "Yes",
+        "EUPL-1.2": "Yes",
+        "FSFAP": "No",
+        "FSFUL": "No",
+        "FSFULLR": "No",
+        "FSFULLRWD": "No",
+        "FTL": "No",
+        "GPL-1.0-only": "Yes",
+        "GPL-1.0-or-later": "Yes",
+        "GPL-2.0-only": "Yes",
+        "GPL-2.0-only WITH Classpath-exception-2.0": "Yes (restricted)",
+        "GPL-2.0-or-later": "Yes",
+        "GPL-3.0-only": "Yes",
+        "GPL-3.0-or-later": "Yes",
+        "HPND": "No",
+        "IBM-pibs": "No",
+        "ICU": "No",
+        "IJG": "No",
+        "ImageMagick": "No",
+        "Info-ZIP": "No",
+        "IPL-1.0": "Yes",
+        "ISC": "No",
+        "JasPer-2.0": "No",
+        "LGPL-2.0-only": "Yes (restricted)",
+        "LGPL-2.0-or-later": "Yes (restricted)",
+        "LGPL-2.1-only": "Yes (restricted)",
+        "LGPL-2.1-or-later": "Yes (restricted)",
+        "LGPL-3.0-only": "Yes (restricted)",
+        "LGPL-3.0-or-later": "Yes (restricted)",
+        "Libpng": "No",
+        "libpng-2.0": "No",
+        "libtiff": "No",
+        "LicenseRef-scancode-bsla-no-advert": "No",
+        "LicenseRef-scancode-info-zip-2003-05": "No",
+        "LicenseRef-scancode-ppp": "No",
+        "Minpack": "No",
+        "MirOS": "No",
+        "MIT": "No",
+        "MIT-0": "No",
+        "MIT-CMU": "No",
+        "MPL-1.1": "Yes (restricted)",
+        "MPL-2.0": "Yes (restricted)",
+        "MPL-2.0-no-copyleft-exception": "Yes (restricted)",
+        "MS-PL": "Questionable",
+        "MS-RL": "Yes (restricted)",
+        "NBPL-1.0": "No",
+        "NCSA": "No",
+        "NTP": "No",
+        "OFL-1.1": "Yes (restricted)",
+        "OGC-1.0": "No",
+        "OLDAP-2.8": "No",
+        "OpenSSL": "Questionable",
+        "OSL-3.0": "Yes",
+        "PHP-3.01": "No",
+        "PostgreSQL": "No",
+        "PSF-2.0": "No",
+        "Python-2.0": "No",
+        "Qhull": "No",
+        "RSA-MD": "No",
+        "Saxpath": "No",
+        "SGI-B-2.0": "No",
+        "Sleepycat": "Yes",
+        "SMLNJ": "No",
+        "Spencer-86": "No",
+        "SSH-OpenSSH": "No",
+        "SSH-short": "No",
+        "SunPro": "No",
+        "Ubuntu-font-1.0": "Yes (restricted)",
+        "Unicode-3.0": "No",
+        "Unicode-DFS-2015": "No",
+        "Unicode-DFS-2016": "No",
+        "Unlicense": "No",
+        "UPL-1.0": "No",
+        "W3C": "No",
+        "W3C-19980720": "No",
+        "W3C-20150513": "No",
+        "WTFPL": "No",
+        "X11": "No",
+        "XFree86-1.1": "No",
+        "Zlib": "No",
+        "zlib-acknowledgement": "No",
+        "ZPL-2.0": "No"
+    }
+}