fix: SBOM verifier license match support for deprecated license (#1230)

ratify-project · Jan 2, 2024 · b6db2ee · b6db2ee
1 parent aa8f90c
commit b6db2ee
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 20 deletions.
diff --git a/plugins/verifier/sbom/utils/spdxutils.go b/plugins/verifier/sbom/utils/spdxutils.go
@@ -16,7 +16,7 @@ limitations under the License.
 package utils
 
 import (
-	"strings"
+	"regexp"
 
 	"github.com/spdx/tools-golang/spdx"
 )
@@ -37,22 +37,14 @@ func GetPackageLicenses(doc spdx.Document) []PackageLicense {
 // returns true if the licenseExpression contains the disallowed license
 // this implements a whole word match
 func ContainsLicense(spdxLicenseExpression string, disallowed string) bool {
-	if len(spdxLicenseExpression) == 0 {
-		return false
-	}
-
-	// if the licenseExpression is exactly the same as the disallowed license, return true
-	if spdxLicenseExpression == disallowed {
-		return true
-	}
-
-	disallowed1 := disallowed + " "
-	disallowed2 := " " + disallowed
-
-	// look for whole word match
-	if strings.Contains(spdxLicenseExpression, disallowed1) || strings.Contains(spdxLicenseExpression, disallowed2) {
-		return true
-	}
-
-	return false
+	// match the disallowed license as a whole word
+	// the word boundary can be:
+	// 1. ^/$ , the beginning/ending of the line
+	// 2. \\s, a whitespace
+	// 3. \\(, a left bracket
+	// 4. \\), a right bracket
+	escapedLicense := regexp.QuoteMeta(disallowed)
+	expression := "(?:^|\\(|\\s)(" + escapedLicense + ")(?:$|\\)|\\s)"
+	r := regexp.MustCompile(expression)
+	return r.MatchString(spdxLicenseExpression)
 }
diff --git a/plugins/verifier/sbom/utils/spdxutils_test.go b/plugins/verifier/sbom/utils/spdxutils_test.go
@@ -47,6 +47,12 @@ func TestContainsLicense(t *testing.T) {
 			disallowed:            "MIT",
 			expected:              true,
 		},
+		{
+			name:                  "brackets",
+			spdxLicenseExpression: "(MIT)",
+			disallowed:            "MIT",
+			expected:              true,
+		},
 		{
 			name:                  "exact match with space",
 			spdxLicenseExpression: "MPL-2.0 AND LicenseRef-AND AND MIT",
@@ -65,13 +71,31 @@ func TestContainsLicense(t *testing.T) {
 			disallowed:            "MPL-2.0",
 			expected:              true,
 		},
+		{
+			name:                  "license partial match",
+			spdxLicenseExpression: "MIT AND LicenseRef-BSD AND GPL-2.0-or-later",
+			disallowed:            "GPL-2.0",
+			expected:              false,
+		},
+		{
+			name:                  "license partial match",
+			spdxLicenseExpression: "MIT AND (LicenseRef-BSD OR GPL-2.0-or-later)",
+			disallowed:            "GPL-2.0-or-later",
+			expected:              true,
+		},
+		{
+			name:                  "license partial match",
+			spdxLicenseExpression: "MIT AND (LicenseRef-BSD OR GPL-2.0-or-later)",
+			disallowed:            "(LicenseRef-BSD OR GPL-2.0-or-later)",
+			expected:              true,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run("test scenario", func(t *testing.T) {
 			result := ContainsLicense(tt.spdxLicenseExpression, tt.disallowed)
 			if result != tt.expected {
-				t.Fatalf("expected %t, got %t", tt.expected, result)
+				t.Fatalf("Looking for %v in %v , expected %t, got %t", tt.disallowed, tt.spdxLicenseExpression, tt.expected, result)
 			}
 		})
 	}