scanoss 1.27.1__py3-none-any.whl → 1.43.1__py3-none-any.whl

scanoss/cyclonedx.py

@@ -28,6 +28,9 @@ import os.path
 import sys
 import uuid
 
+from cyclonedx.schema import SchemaVersion
+from cyclonedx.validation.json import JsonValidator
+
 from . import __version__
 from .scanossbase import ScanossBase
 from .spdxlite import SpdxLite
@@ -48,15 +51,18 @@ class CycloneDx(ScanossBase):
         self.debug = debug
         self._spdx = SpdxLite(debug=debug)
 
-    def parse(self, data: json):  # noqa: PLR0912, PLR0915
+    def parse(self, data: dict):  # noqa: PLR0912, PLR0915
         """
         Parse the given input (raw/plain) JSON string and return CycloneDX summary
-        :param data: json - JSON object
+        :param data: dict - JSON object
         :return: CycloneDX dictionary, and vulnerability dictionary
         """
-        if not data:
+        if data is None:
             self.print_stderr('ERROR: No JSON data provided to parse.')
             return None, None
+        if len(data) == 0:
+            self.print_msg('Warning: Empty scan results provided. Returning empty component dictionary.')
+            return {}, {}
         self.print_debug('Processing raw results into CycloneDX format...')
         cdx = {}
         vdx = {}
@@ -146,7 +152,11 @@ class CycloneDx(ScanossBase):
                     fdl = []
                     if licenses:
                         for lic in licenses:
-                            fdl.append({'id': lic.get('name')})
+                            name = lic.get('name')
+                            source = lic.get('source')
+                            if source not in ('component_declared', 'license_file', 'file_header'):
+                                continue
+                            fdl.append({'id': name})
                     fd['licenses'] = fdl
                     cdx[purl] = fd
         # self.print_stderr(f'VD: {vdx}')
@@ -170,12 +180,12 @@ class CycloneDx(ScanossBase):
             success = self.produce_from_str(f.read(), output_file)
         return success
 
-    def produce_from_json(self, data: json, output_file: str = None) -> tuple[bool, json]:  # noqa: PLR0912
+    def produce_from_json(self, data: dict, output_file: str = None) -> tuple[bool, dict]:  # noqa: PLR0912
         """
         Produce the CycloneDX output from the raw scan results input data
 
         Args:
-            data (json): JSON object
+            data (dict): JSON object
             output_file (str, optional): Output file (optional). Defaults to None.
 
         Returns:
@@ -183,9 +193,11 @@ class CycloneDx(ScanossBase):
             json: The CycloneDX output
         """
         cdx, vdx = self.parse(data)
-        if not cdx:
+        if cdx is None:
             self.print_stderr('ERROR: No CycloneDX data returned for the JSON string provided.')
-            return False, None
+            return False, {}
+        if len(cdx) == 0:
+            self.print_msg('Warning: Empty scan results - generating minimal CycloneDX SBOM with no components.')
         self._spdx.load_license_data()  # Load SPDX license name data for later reference
         #
         # Using CDX version 1.4: https://cyclonedx.org/docs/1.4/json/
@@ -219,6 +231,8 @@ class CycloneDx(ScanossBase):
                 lic_set = set()
                 for lic in licenses:  # Get a unique set of licenses
                     lc_id = lic.get('id')
+                    if not lc_id:
+                        continue
                     spdx_id = self._spdx.get_spdx_license_id(lc_id)
                     lic_set.add(spdx_id if spdx_id else lc_id)
                 for lc_id in lic_set:  # Store licenses for later inclusion
@@ -285,7 +299,84 @@ class CycloneDx(ScanossBase):
         except Exception as e:
             self.print_stderr(f'ERROR: Problem parsing input JSON: {e}')
             return False
-        return self.produce_from_json(data, output_file)
+        success, _ = self.produce_from_json(data, output_file)
+        return success
+
+    def _normalize_vulnerability_id(self, vuln: dict) -> tuple[str, str]:
+        """
+        Normalize vulnerability ID and CVE from different possible field names.
+        Returns tuple of (vuln_id, vuln_cve).
+        """
+        vuln_id = vuln.get('ID', '') or vuln.get('id', '')
+        vuln_cve = vuln.get('CVE', '') or vuln.get('cve', '')
+
+        # Skip CPE entries, use CVE if available
+        if vuln_id.upper().startswith('CPE:') and vuln_cve:
+            vuln_id = vuln_cve
+
+        return vuln_id, vuln_cve
+
+    def _create_vulnerability_entry(self, vuln_id: str, vuln: dict, vuln_cve: str, purl: str) -> dict:
+        """
+        Create a new vulnerability entry for CycloneDX format.
+        """
+        vuln_source = vuln.get('source', '').lower()
+        return {
+            'id': vuln_id,
+            'source': {
+                'name': 'NVD' if vuln_source == 'nvd' else 'GitHub Advisories',
+                'url': f'https://nvd.nist.gov/vuln/detail/{vuln_cve}'
+                if vuln_source == 'nvd'
+                else f'https://github.com/advisories/{vuln_id}',
+            },
+            'ratings': [{'severity': self._sev_lookup(vuln.get('severity', 'unknown').lower())}],
+            'affects': [{'ref': purl}],
+        }
+
+    def append_vulnerabilities(self, cdx_dict: dict, vulnerabilities_data: dict, purl: str) -> dict:
+        """
+        Append vulnerabilities to an existing CycloneDX dictionary
+
+        Args:
+            cdx_dict (dict): The existing CycloneDX dictionary
+            vulnerabilities_data (dict): The vulnerabilities data from get_vulnerabilities_json
+            purl (str): The PURL of the component these vulnerabilities affect
+
+        Returns:
+            dict: The updated CycloneDX dictionary with vulnerabilities appended
+        """
+        if not cdx_dict or not vulnerabilities_data:
+            return cdx_dict
+
+        if 'vulnerabilities' not in cdx_dict:
+            cdx_dict['vulnerabilities'] = []
+
+        # Extract vulnerabilities from the response
+        vulns_list = vulnerabilities_data.get('purls', [])
+        if not vulns_list:
+            return cdx_dict
+
+        vuln_items = vulns_list[0].get('vulnerabilities', [])
+
+        for vuln in vuln_items:
+            vuln_id, vuln_cve = self._normalize_vulnerability_id(vuln)
+
+            # Skip empty IDs or CPE-only entries
+            if not vuln_id or vuln_id.upper().startswith('CPE:'):
+                continue
+
+            # Check if vulnerability already exists
+            existing_vuln = next((v for v in cdx_dict['vulnerabilities'] if v.get('id') == vuln_id), None)
+
+            if existing_vuln:
+                # Add this PURL to the affects list if not already present
+                if not any(ref.get('ref') == purl for ref in existing_vuln.get('affects', [])):
+                    existing_vuln['affects'].append({'ref': purl})
+            else:
+                # Create new vulnerability entry
+                cdx_dict['vulnerabilities'].append(self._create_vulnerability_entry(vuln_id, vuln, vuln_cve, purl))
+
+        return cdx_dict
 
     @staticmethod
     def _sev_lookup(value: str):
@@ -305,6 +396,47 @@ class CycloneDx(ScanossBase):
             'unknown': 'unknown',
         }.get(value, 'unknown')
 
+    def is_cyclonedx_json(self, json_string: str) -> bool:
+        """
+        Validate if the given JSON string is a valid CycloneDX JSON string
+
+        Args:
+            json_string (str): JSON string to validate
+        Returns:
+            bool: True if the JSON string is valid, False otherwise
+        """
+        try:
+            cdx_json_validator = JsonValidator(SchemaVersion.V1_6)
+            json_validation_errors = cdx_json_validator.validate_str(json_string)
+            if json_validation_errors:
+                self.print_stderr(f'ERROR: Problem parsing input JSON: {json_validation_errors}')
+                return False
+            return True
+        except Exception as e:
+            self.print_stderr(f'ERROR: Problem parsing input JSON: {e}')
+            return False
+
+    def get_purls_request_from_cdx(self, cdx_dict: dict, field: str = 'purls') -> dict:
+        """
+        Get the list of PURL requests (purl + requirement) from the given CDX dictionary
+
+        Args:
+            cdx_dict (dict): CDX dictionary to parse
+            field (str): Field to extract from the CDX dictionary
+        Returns:
+            list[dict]: List of PURL requests (purl + requirement)
+        """
+        components = cdx_dict.get('components', [])
+        parsed_purls = []
+        for component in components:
+            version = component.get('version')
+            if version:
+                parsed_purls.append({'purl': component.get('purl'), 'requirement': version})
+            else:
+                parsed_purls.append({'purl': component.get('purl')})
+        purl_request = {field: parsed_purls}
+        return purl_request
+
 
 #
 # End of CycloneDX Class

scanoss/data/build_date.txt

@@ -1 +1 @@
-date: 20250709092546, utime: 1752053146
+date: 20260105120224, utime: 1767614544

scanoss/data/osadl-copyleft.json

@@ -0,0 +1,133 @@
+{
+    "title": "OSADL Open Source License Obligations Checklist (https:\/\/www.osadl.org\/Checklists)",
+    "license": "Creative Commons Attribution 4.0 International license (CC-BY-4.0)",
+    "attribution": "A project by the Open Source Automation Development Lab (OSADL) eG. For further information about the project see the description at www.osadl.org\/checklists.",
+    "copyright": "(C) 2017 - 2024 Open Source Automation Development Lab (OSADL) eG and contributors, info@osadl.org",
+    "disclaimer": "The checklists and particularly the copyleft data have been assembled with maximum diligence and care; however, the authors do not warrant nor can be held liable in any way for its correctness, usefulness, merchantibility or fitness for a particular purpose as far as permissible by applicable law. Anyone who uses the information does this on his or her sole responsibility. For any individual legal advice, it is recommended to contact a lawyer.",
+    "timeformat": "%Y-%m-%dT%H:%M:%S%z",
+    "timestamp": "2025-10-30T11:23:00+0000",
+    "copyleft": 
+    {
+        "0BSD": "No",
+        "AFL-2.0": "No",
+        "AFL-2.1": "No",
+        "AFL-3.0": "No",
+        "AGPL-3.0-only": "Yes",
+        "AGPL-3.0-or-later": "Yes",
+        "Apache-1.0": "No",
+        "Apache-1.1": "No",
+        "Apache-2.0": "No",
+        "APSL-2.0": "Yes (restricted)",
+        "Artistic-1.0": "No",
+        "Artistic-1.0-Perl": "No",
+        "Artistic-2.0": "No",
+        "Bitstream-Vera": "No",
+        "blessing": "No",
+        "BlueOak-1.0.0": "No",
+        "BSD-1-Clause": "No",
+        "BSD-2-Clause": "No",
+        "BSD-2-Clause-Patent": "No",
+        "BSD-3-Clause": "No",
+        "BSD-3-Clause-Open-MPI": "No",
+        "BSD-4-Clause": "No",
+        "BSD-4-Clause-UC": "No",
+        "BSD-4.3TAHOE": "No",
+        "BSD-Source-Code": "No",
+        "BSL-1.0": "No",
+        "bzip2-1.0.5": "No",
+        "bzip2-1.0.6": "No",
+        "CC-BY-2.5": "No",
+        "CC-BY-3.0": "No",
+        "CDDL-1.0": "Yes (restricted)",
+        "CDDL-1.1": "Yes (restricted)",
+        "CPL-1.0": "Yes",
+        "curl": "No",
+        "ECL-1.0": "No",
+        "ECL-2.0": "No",
+        "EFL-2.0": "No",
+        "EPL-1.0": "Yes",
+        "EPL-2.0": "Yes (restricted)",
+        "EUPL-1.1": "Yes",
+        "EUPL-1.2": "Yes",
+        "FSFAP": "No",
+        "FSFUL": "No",
+        "FSFULLR": "No",
+        "FSFULLRWD": "No",
+        "FTL": "No",
+        "GPL-1.0-only": "Yes",
+        "GPL-1.0-or-later": "Yes",
+        "GPL-2.0-only": "Yes",
+        "GPL-2.0-only WITH Classpath-exception-2.0": "Yes (restricted)",
+        "GPL-2.0-or-later": "Yes",
+        "GPL-3.0-only": "Yes",
+        "GPL-3.0-or-later": "Yes",
+        "HPND": "No",
+        "IBM-pibs": "No",
+        "ICU": "No",
+        "IJG": "No",
+        "ImageMagick": "No",
+        "Info-ZIP": "No",
+        "IPL-1.0": "Yes",
+        "ISC": "No",
+        "JasPer-2.0": "No",
+        "LGPL-2.0-only": "Yes (restricted)",
+        "LGPL-2.0-or-later": "Yes (restricted)",
+        "LGPL-2.1-only": "Yes (restricted)",
+        "LGPL-2.1-or-later": "Yes (restricted)",
+        "LGPL-3.0-only": "Yes (restricted)",
+        "LGPL-3.0-or-later": "Yes (restricted)",
+        "Libpng": "No",
+        "libpng-2.0": "No",
+        "libtiff": "No",
+        "LicenseRef-scancode-bsla-no-advert": "No",
+        "LicenseRef-scancode-info-zip-2003-05": "No",
+        "LicenseRef-scancode-ppp": "No",
+        "Minpack": "No",
+        "MirOS": "No",
+        "MIT": "No",
+        "MIT-0": "No",
+        "MIT-CMU": "No",
+        "MPL-1.1": "Yes (restricted)",
+        "MPL-2.0": "Yes (restricted)",
+        "MPL-2.0-no-copyleft-exception": "Yes (restricted)",
+        "MS-PL": "Questionable",
+        "MS-RL": "Yes (restricted)",
+        "NBPL-1.0": "No",
+        "NCSA": "No",
+        "NTP": "No",
+        "OFL-1.1": "Yes (restricted)",
+        "OGC-1.0": "No",
+        "OLDAP-2.8": "No",
+        "OpenSSL": "Questionable",
+        "OSL-3.0": "Yes",
+        "PHP-3.01": "No",
+        "PostgreSQL": "No",
+        "PSF-2.0": "No",
+        "Python-2.0": "No",
+        "Qhull": "No",
+        "RSA-MD": "No",
+        "Saxpath": "No",
+        "SGI-B-2.0": "No",
+        "Sleepycat": "Yes",
+        "SMLNJ": "No",
+        "Spencer-86": "No",
+        "SSH-OpenSSH": "No",
+        "SSH-short": "No",
+        "SunPro": "No",
+        "Ubuntu-font-1.0": "Yes (restricted)",
+        "Unicode-3.0": "No",
+        "Unicode-DFS-2015": "No",
+        "Unicode-DFS-2016": "No",
+        "Unlicense": "No",
+        "UPL-1.0": "No",
+        "W3C": "No",
+        "W3C-19980720": "No",
+        "W3C-20150513": "No",
+        "WTFPL": "No",
+        "X11": "No",
+        "XFree86-1.1": "No",
+        "Zlib": "No",
+        "zlib-acknowledgement": "No",
+        "ZPL-2.0": "No"
+    }
+}

scanoss/delta.py

@@ -0,0 +1,197 @@
+"""
+SPDX-License-Identifier: MIT
+
+  Copyright (c) 2025, SCANOSS
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy
+  of this software and associated documentation files (the "Software"), to deal
+  in the Software without restriction, including without limitation the rights
+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  copies of the Software, and to permit persons to whom the Software is
+  furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+  THE SOFTWARE.
+"""
+import os
+import shutil
+import tempfile
+from typing import Optional
+
+from .scanossbase import ScanossBase
+
+
+class Delta(ScanossBase):
+    """
+    Handle delta scan operations by copying files into a dedicated delta directory.
+
+    This class manages the creation of delta directories and copying of specified files
+    while preserving the directory structure. Files are read from an input file where each
+    line contains a file path to copy.
+    """
+
+    def __init__(  # noqa: PLR0913
+            self,
+            debug: bool = False,
+            trace: bool = False,
+            quiet: bool = False,
+            filepath: str = None,
+            folder: str = None,
+            output: str = None,
+            root_dir: str = None,
+    ):
+        """
+        Initialise the Delta instance.
+
+        :param debug: Enable debug logging.
+        :param trace: Enable trace logging.
+        :param quiet: Enable quiet mode (suppress non-essential output).
+        :param filepath: Path to an input file containing a list of files to copy.
+        :param folder: A target delta directory path (auto-generated if not provided).
+        :param output: Output file path for the delta directory location (stdout if not provided).
+        """
+        super().__init__(debug, trace, quiet)
+        self.filepath = filepath
+        self.folder = folder
+        self.output = output
+        self.root_dir = root_dir if root_dir else '.'
+
+    def copy(self, input_file: str = None):
+        """
+        Copy files listed in the input file to the delta directory.
+
+        Reads the input file line by line, where each line contains a file path.
+        Creates the delta directory if it doesn't exist, then copies each file
+        while preserving its directory structure.
+
+        :return: Tuple of (status_code, folder_path) where status_code is 0 for success,
+                 1 for error, and folder_path is the delta directory path
+        """
+        input_file = input_file if input_file else self.filepath
+        if not input_file:
+            self.print_stderr('ERROR: No input file specified')
+            return 1, ''
+        # Validate that an input file exists
+        if not os.path.isfile(input_file):
+            self.print_stderr(f'ERROR: Input file {input_file} does not exist or is not a file')
+            return 1, ''
+        # Load the input file and validate it contains valid file paths
+        files = self.load_input_file(input_file)
+        if files is None:
+            return 1, ''
+        # Create delta dir (folder)
+        delta_folder = self.create_delta_dir(self.folder, self.root_dir)
+        if not delta_folder:
+            return 1, ''
+        # Print delta folder location to output
+        self.print_to_file_or_stdout(delta_folder, self.output)
+        # Process each file and copy it to the delta dir
+        for source_file in files:
+            # Normalise the source path to handle ".." and redundant separators
+            normalised_source = os.path.normpath(source_file)
+            if '..' in normalised_source:
+                self.print_stderr(f'WARNING: Source path escapes root directory for {source_file}. Skipping.')
+                continue
+            # Resolve to the absolute path for source validation
+            abs_source = os.path.abspath(os.path.join(self.root_dir, normalised_source))
+            # Check if the source file exists and is a file
+            if not os.path.exists(abs_source) or not os.path.isfile(abs_source):
+                self.print_stderr(f'WARNING: File {source_file} does not exist or is not a file, skipping')
+                continue
+            # Use a normalised source for destination to prevent traversal
+            dest_path = os.path.normpath(os.path.join(self.root_dir, delta_folder, normalised_source.lstrip(os.sep)))
+            # Final safety check: ensure destination is within the delta folder
+            abs_dest = os.path.abspath(dest_path)
+            abs_folder = os.path.abspath(os.path.join(self.root_dir, delta_folder))
+            if not abs_dest.startswith(abs_folder + os.sep):
+                self.print_stderr(
+                    f'WARNING: Destination path ({abs_dest}) escapes delta directory for {source_file}. Skipping.')
+                continue
+            # Create the destination directory if it doesn't exist and copy the file
+            try:
+                dest_dir = os.path.dirname(dest_path)
+                if dest_dir:
+                    self.print_trace(f'Creating directory {dest_dir}...')
+                    os.makedirs(dest_dir, exist_ok=True)
+                self.print_debug(f'Copying {source_file} to {dest_path} ...')
+                shutil.copy(abs_source, dest_path)
+            except (OSError, shutil.Error) as e:
+                self.print_stderr(f'ERROR: Failed to copy {source_file} to {dest_path}: {e}')
+                return 1, ''
+        return 0, delta_folder
+
+    def create_delta_dir(self, folder: str, root_dir: str = '.') -> str or None:
+        """
+        Create the delta directory.
+
+        If no folder is specified, creates a unique temporary directory with
+        a 'delta-' prefix in the current directory. If a folder is specified,
+        validates that it doesn't already exist before creating it.
+
+        :param root_dir: Root directory to create the delta directory in (default: current directory)
+        :param folder: Optional target directory
+        :return: Path to the delta directory, or None if it already exists or creation fails
+        """
+        if folder:
+            # Resolve a relative folder under root_dir so checks/creation apply to the right place
+            resolved = folder if os.path.isabs(folder) else os.path.join(root_dir, folder)
+            resolved = os.path.normpath(resolved)
+            # Validate the target directory doesn't already exist and create it
+            if os.path.exists(resolved):
+                self.print_stderr(f'ERROR: Folder {resolved} already exists.')
+                return None
+            else:
+                try:
+                    self.print_debug(f'Creating delta directory {resolved}...')
+                    os.makedirs(resolved)
+                except (OSError, IOError) as e:
+                    self.print_stderr(f'ERROR: Failed to create directory {resolved}: {e}')
+                    return None
+        else:
+            # Create a unique temporary directory in the given root directory
+            try:
+                self.print_debug(f'Creating temporary delta directory in {root_dir} ...')
+                folder = tempfile.mkdtemp(prefix="delta-", dir=root_dir)
+                if folder:
+                    folder = os.path.relpath(folder, start=root_dir)  # Get the relative path from root_dir
+                self.print_debug(f'Created temporary delta directory: {folder}')
+            except (OSError, IOError) as e:
+                self.print_stderr(f'ERROR: Failed to create temporary directory in {root_dir}: {e}')
+                return None
+        return folder
+
+    def load_input_file(self, input_file: str) -> Optional[list[str]]:
+        """
+        Loads and parses the input file line by line. Each line in the input
+        file represents a source file path, which will be stripped of trailing
+        whitespace and appended to the resulting list if it is not empty.
+
+        :param input_file: The path to the input file to be read.
+        :type input_file: String
+        :return: A list of source file paths extracted from the input file,
+            or None if an error occurs or the file path is invalid.
+        :rtype: An array list[str] or None
+        """
+        files = []
+        if input_file:
+            try:
+                with open(input_file, 'r', encoding='utf-8') as f:
+                    for line in f:
+                        source_file = line.rstrip()
+                        if source_file:
+                            # Save the file path without any leading separators
+                            files.append(source_file.lstrip(os.sep))
+                    # End of for loop
+            except (OSError, IOError) as e:
+                self.print_stderr(f'ERROR: Failed to read input file; {input_file}: {e}')
+                return None
+        self.print_debug(f'Loaded {len(files)} files from input file.')
+        return files

scanoss/export/__init__.py

@@ -0,0 +1,23 @@
+"""
+SPDX-License-Identifier: MIT
+
+  Copyright (c) 2025, SCANOSS
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy
+  of this software and associated documentation files (the "Software"), to deal
+  in the Software without restriction, including without limitation the rights
+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  copies of the Software, and to permit persons to whom the Software is
+  furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+  THE SOFTWARE.
+"""