cdxlr

package module
v0.1.0 Latest
Published: Jun 17, 2024 License: Apache-2.0 Imports: 10 Imported by: 0

README

cdxlr - CycloneDX License Resolver

This library maps the various valid forms of a CycloneDX license entry to valid SPDX license IDs.

The problem it solves: the CycloneDX component license format allows a license to be declared in several ways (an SPDX expression, an ID, a name, or a URL), while automated tooling needs licenses in one standardized form. The most widely used one is the SPDX reference format with SPDX license identifiers.

This library uses the official SPDX License List Data from GitHub and tries to match each CycloneDX license to an SPDX ID with several matchers. The matchers are tried in order from most to least specific; if one yields no match, the next one is used.

The implemented Matchers are:

  • If no license field is set but an expression field is, the licenses contained in the expression are extracted using the spdxexp library.
  • If a license field is set:
    • if the id field is set, it is validated as an SPDX identifier and used.
    • if the name field is set, it is compared with the SPDX license names and the best-matching one (at least 90% similar) is used.
    • if the url field is set, the URL is matched against the SPDX licenses' reference, detailsUrl and seeAlso fields.

This way, most generated CycloneDX files can be used in automated CI/CD pipelines.
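The following is an added, self-contained illustration of the matcher order described above; it is example code written for this page, not the cdxlr library's implementation. It resolves constructed license entries against a three-entry excerpt of the SPDX list embedded inline, so it runs offline. `LicenseChoice` stands in for cyclonedx.LicenseChoice, `expressionIds` is a minimal stand-in for the spdxexp library, the Levenshtein-based `similarity` is an assumption (the page does not name the library's metric), and ignoring a trailing slash in URL matching and de-duplicating the result are choices made here.

```go
package main

import (
	"fmt"
	"strings"
)

// SpdxLicense holds the license-list fields the matchers consult; LicenseChoice
// stands in for cyclonedx.LicenseChoice (an expression, or a license by id/name/url).
type SpdxLicense struct {
	LicenseId, Name, Reference, DetailsUrl string
	SeeAlso                                []string
}
type LicenseChoice struct{ Expression, ID, Name, URL string }

const SimilarityThreshold = 0.9 // minimum accepted name similarity, as on the page

// spdxList is a constructed three-entry excerpt of the SPDX license list (sample data).
var spdxList = []SpdxLicense{
	{LicenseId: "MIT", Name: "MIT License", Reference: "https://spdx.org/licenses/MIT.html",
		DetailsUrl: "https://spdx.org/licenses/MIT.json", SeeAlso: []string{"https://opensource.org/license/mit/"}},
	{LicenseId: "Apache-2.0", Name: "Apache License 2.0", Reference: "https://spdx.org/licenses/Apache-2.0.html",
		DetailsUrl: "https://spdx.org/licenses/Apache-2.0.json", SeeAlso: []string{"https://www.apache.org/licenses/LICENSE-2.0"}},
	{LicenseId: "GPL-2.0-only", Name: "GNU General Public License v2.0 only", Reference: "https://spdx.org/licenses/GPL-2.0-only.html",
		DetailsUrl: "https://spdx.org/licenses/GPL-2.0-only.json", SeeAlso: []string{"https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html"}},
}

// similarity is 1 minus the Levenshtein distance over lower-cased runes, divided by the
// longer length. The page does not name the library's metric, so this is an assumption.
func similarity(a, b string) float64 {
	ra, rb := []rune(strings.ToLower(a)), []rune(strings.ToLower(b))
	prev := make([]int, len(rb)+1)
	for j := range prev { prev[j] = j }
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			d := prev[j-1] // substitution, free when the runes agree
			if ra[i-1] != rb[j-1] { d++ }
			if prev[j]+1 < d { d = prev[j] + 1 }   // deletion
			if cur[j-1]+1 < d { d = cur[j-1] + 1 } // insertion
			cur[j] = d
		}
		prev = cur
	}
	longest := len(ra)
	if len(rb) > longest { longest = len(rb) }
	if longest == 0 { return 1 }
	return 1 - float64(prev[len(rb)])/float64(longest)
}

// ValidId reports whether id is an SPDX license id in the list.
func ValidId(id string) bool {
	for _, l := range spdxList { if l.LicenseId == id { return true } }
	return false
}

// FindByName returns the best-scoring license and its score; ties go to the later entry.
func FindByName(name string) (SpdxLicense, float64) {
	var best SpdxLicense
	score := -1.0
	for _, l := range spdxList {
		if s := similarity(name, l.Name); s >= score { best, score = l, s }
	}
	return best, score
}

// FindByUrl matches url (trailing slash ignored) against reference, detailsUrl and every seeAlso link.
func FindByUrl(url string) *SpdxLicense {
	want := strings.TrimSuffix(url, "/")
	for i, l := range spdxList {
		for _, c := range append([]string{l.Reference, l.DetailsUrl}, l.SeeAlso...) {
			if strings.TrimSuffix(c, "/") == want { return &spdxList[i] }
		}
	}
	return nil
}

// expressionIds is a minimal stand-in for the spdxexp library: it collects the license ids of an
// expression, skipping AND/OR and the exception that follows WITH, and rejects ids not in the list.
func expressionIds(expr string) ([]string, error) {
	toks := strings.FieldsFunc(expr, func(r rune) bool { return strings.ContainsRune(" ()", r) })
	if len(toks) == 0 { return nil, fmt.Errorf("entry has neither license nor expression") }
	var ids []string
	for i, tok := range toks {
		up := strings.ToUpper(tok)
		if up == "AND" || up == "OR" || up == "WITH" || (i > 0 && strings.EqualFold(toks[i-1], "WITH")) { continue }
		if !ValidId(tok) { return nil, fmt.Errorf("expression %q: unknown SPDX id %q", expr, tok) }
		ids = append(ids, tok)
	}
	return ids, nil
}

// Resolve applies the page's order: the expression counts only when no license fields are set;
// otherwise a given id must be valid, then the name is tried, then the url.
func Resolve(c LicenseChoice) ([]string, error) {
	switch {
	case c.ID == "" && c.Name == "" && c.URL == "":
		return expressionIds(c.Expression)
	case c.ID != "" && !ValidId(c.ID):
		return nil, fmt.Errorf("%q is not a valid SPDX license id", c.ID)
	case c.ID != "":
		return []string{c.ID}, nil
	}
	if l, s := FindByName(c.Name); c.Name != "" && s >= SimilarityThreshold { return []string{l.LicenseId}, nil }
	if l := FindByUrl(c.URL); c.URL != "" && l != nil { return []string{l.LicenseId}, nil }
	return nil, fmt.Errorf("no SPDX license within %.0f%% of name %q or matching url %q", SimilarityThreshold*100, c.Name, c.URL)
}

// GenerateMapping resolves every entry, failing on the first unresolvable one, and returns the
// distinct ids in first-seen order (de-duplication is this example's choice).
func GenerateMapping(choices []LicenseChoice) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	for _, c := range choices {
		ids, err := Resolve(c)
		if err != nil { return nil, err }
		for _, id := range ids {
			if !seen[id] { seen[id] = true; out = append(out, id) }
		}
	}
	return out, nil
}

func main() {
	ids, err := GenerateMapping([]LicenseChoice{
		{Expression: "(MIT OR Apache-2.0) AND GPL-2.0-only WITH Classpath-exception-2.0"},
		{Name: "Apache License v2.0"}, // one edit away from the SPDX name: accepted at 0.947
		{URL: "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html/"},
	})
	fmt.Println(ids, err) // [MIT Apache-2.0 GPL-2.0-only] <nil>
	_, err = GenerateMapping([]LicenseChoice{{Name: "Some Proprietary EULA"}})
	fmt.Println(err)
}
```

The name path is the one to watch in a pipeline. With a 90% threshold, a name that is one character off an SPDX name scores above 0.97, so "GNU General Public License v3.0 only" resolves to GPL-2.0-only whenever the list has no closer entry, with no error raised. Log the score alongside the chosen id, or treat name-derived ids as advisory and prefer entries that carry an id or an expression, which are validated exactly.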

Basic operation

Install the package by installing the module:

go get github.com/innomotics/cyclonedx-license-resolver

In your code, you can then use the library through the one-stop function GenerateMapping:

import (
	"fmt"
	"log"

	"github.com/CycloneDX/cyclonedx-go" // package cyclonedx; import path assumed
	cdxlr "github.com/innomotics/cyclonedx-license-resolver"
)

var cdxLicenses *cyclonedx.Licenses // e.g. a cyclonedx.Component's Licenses field
...
spdxList, err := cdxlr.GenerateMapping(cdxLicenses)
if err != nil {
	log.Fatalf("error parsing CycloneDX licenses: %v", err)
}
fmt.Println(spdxList) // the resolved SPDX license ids

License

This library is released under the Apache License Version 2.0 (see LICENSE).

Contribution

Contributions are welcome. Please suggest enhancements as issues.

Documentation

Index

Constants

const (
	LicenseListSourceUrl = "https://raw.githubusercontent.com/spdx/license-list-data/main/json/licenses.json"
)

LicenseListSourceUrl is the location of the SPDX license list JSON the resolver uses. Note that it points at the main branch of spdx/license-list-data rather than a tagged release, so the list is not pinned to a version and resolving licenses needs network access to raw.githubusercontent.com.

const SimilarityThreshold = 0.9

SimilarityThreshold is the minimum similarity (90%) a CycloneDX license name must reach against an SPDX license name to be accepted as a match.

Variables

This section is empty.

Functions

func GenerateMapping

func GenerateMapping(licenses *cyclonedx.Licenses) ([]string, error)

GenerateMapping extracts SPDX license identifiers from a CycloneDX license list.

  • If an SPDX expression is provided, it is parsed and the licenses it contains are added.
  • Else if an ID is provided, it is verified and added to the results.
  • Else if a name is passed, the best-matching SPDX name (at least 90% similarity) is used; on equal similarity, the latest is selected.
  • Else if a URL is passed, the SPDX license containing the URL is selected.

Types

type License

type License struct {
	Reference             string   `json:"reference"`
	IsDeprecatedLicenseId bool     `json:"isDeprecatedLicenseId"`
	DetailsUrl            string   `json:"detailsUrl"`
	ReferenceNumber       int      `json:"referenceNumber"`
	Name                  string   `json:"name"`
	LicenseId             string   `json:"licenseId"`
	SeeAlso               []string `json:"seeAlso"`
	IsOsiApproved         bool     `json:"isOsiApproved"`
}

License represents a single license of the SPDX license list in JSON format

type LicenseList

type LicenseList struct {
	LicenseListVersion string    `json:"licenseListVersion"`
	Licenses           []License `json:"licenses"`
}

LicenseList represents the structure of the SPDX license list in JSON format

func (*LicenseList) FindByName

func (ll *LicenseList) FindByName(name string) (License, float64)

FindByName searches for licenses by similar names. Returns the best-matching license and the similarity score.

func (*LicenseList) FindByUrl

func (ll *LicenseList) FindByUrl(url string) *License

FindByUrl searches for url in the reference, detailsUrl and seeAlso fields of all SPDX licenses.

func (*LicenseList) ValidId

func (ll *LicenseList) ValidId(id string) bool

ValidId checks if an ID is a valid SPDX license ID.
