Skip to content

fix: make pep621 license detections type-aware #920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jkowalleck merged 11 commits into from
Jun 26, 2025
Merged

fix: make pep621 license detections type-aware #920

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
e048980
Fix: update pep621 logic and add unit tests
manavgup Jun 23, 2025
d5eb743
removed implementation of PEP639, removed raise, and updated test file
manavgup Jun 24, 2025
90b85af
fix(pep621): Only handle dict license values, skip others silently
manavgup Jun 24, 2025
0faa6da
improved documentation in pep621.py, moved test_pep621.py to integrat…
manavgup Jun 24, 2025
06a22c7
Added missing docs
manavgup Jun 25, 2025
c2d0830
Update pep621.py
jkowalleck Jun 25, 2025
acbffb4
fixed bandit and linting issues.
manavgup Jun 26, 2025
107864e
tests
jkowalleck Jun 26, 2025
5ec1314
tests
jkowalleck Jun 26, 2025
dedf64d
tests
jkowalleck Jun 26, 2025
0f4a2b2
tests
jkowalleck Jun 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion cyclonedx_py/_internal/utils/pep621.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ def project2licenses(project: dict[str, Any], lfac: 'LicenseFactory', *,
# https://peps.python.org/pep-0621/#classifiers
# https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use
yield from classifiers2licenses(classifiers, lfac, lack)
if plicense := project.get('license'):
if isinstance(plicense := project.get('license'), dict):
# https://packaging.python.org/en/latest/specifications/pyproject-toml/#license
# https://peps.python.org/pep-0621/#license
# https://packaging.python.org/en/latest/specifications/core-metadata/#license
Expand All @@ -87,6 +87,7 @@ def project2licenses(project: dict[str, Any], lfac: 'LicenseFactory', *,
text=AttachedText(content=plicense_text))
else:
yield license
# Silently skip any other types (including string/PEP 639)


def project2extrefs(project: dict[str, Any]) -> Generator['ExternalReference', None, None]:
Expand Down
79 changes: 79 additions & 0 deletions tests/integration/test_utils_pep621.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
# This file is part of CycloneDX Python
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) OWASP Foundation. All Rights Reserved.

from os.path import join
from tempfile import TemporaryDirectory
from unittest import TestCase

from cyclonedx.factory.license import LicenseFactory
from cyclonedx.model import Encoding
from cyclonedx.model.license import DisjunctiveLicense, LicenseAcknowledgement
from ddt import ddt, named_data

from cyclonedx_py._internal.utils.pep621 import project2licenses


@ddt()
class TestUtilsPEP621(TestCase):

def test_project2licenses_license_dict_text(self) -> None:
project = {
'name': 'testpkg',
'license': {'text': 'This is the license text.'},
}
lfac = LicenseFactory()
with TemporaryDirectory() as tmpdir:
licenses = list(project2licenses(project, lfac, fpath=join(tmpdir, 'pyproject.toml')))
self.assertEqual(len(licenses), 1)
lic = licenses[0]
self.assertIsInstance(lic, DisjunctiveLicense)
self.assertIsNone(lic.id)
self.assertIsNone(lic.text.encoding)
self.assertEqual(lic.text.content, 'This is the license text.')
self.assertEqual(lic.acknowledgement, LicenseAcknowledgement.DECLARED)

def test_project2licenses_license_dict_file(self) -> None:
project = {
'name': 'testpkg',
'license': {'file': 'license.txt'},
}
lfac = LicenseFactory()
with TemporaryDirectory() as tmpdir:
with open(join(tmpdir, project['license']['file']), 'w') as tf:
tf.write('File license text')
licenses = list(project2licenses(project, lfac, fpath=join(tmpdir, 'pyproject.toml')))
self.assertEqual(len(licenses), 1)
lic = licenses[0]
self.assertIsInstance(lic, DisjunctiveLicense)
self.assertIs(lic.text.encoding, Encoding.BASE_64)
self.assertEqual(lic.text.content, 'RmlsZSBsaWNlbnNlIHRleHQ=')
self.assertEqual(lic.acknowledgement, LicenseAcknowledgement.DECLARED)

@named_data(
('none', None),
('string', 'MIT'),
('list', ['MIT', 'Apache-2.0'])
)
def test_project2licenses_license_non_dict(self, license: any) -> None:
project = {
'name': 'testpkg',
'license': license,
}
lfac = LicenseFactory()
with TemporaryDirectory() as tmpdir:
licenses = list(project2licenses(project, lfac, fpath=join(tmpdir, 'pyproject.toml')))
self.assertEqual(len(licenses), 0)