Include licence information in CycloneDX SBOMs

anthonyharrison · Aug 8, 2022 · 4e92734 · 4e92734
1 parent 107014e
commit 4e92734
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/sbom4python/cyclonedxgenerator.py b/sbom4python/cyclonedxgenerator.py
@@ -97,24 +97,34 @@ def generateRelationship(self, parent_id, package_id):
             dependency["dependsOn"] = [package_id]
             self.relationship.append(dependency)
 
-    def generateComponent(self, id, type, name, supplier, version):
+    def generateComponent(self, id, type, name, supplier, version, licence):
         if self.format == "xml":
-            self.generateXMLComponent(id, type, name, supplier, version)
+            self.generateXMLComponent(id, type, name, supplier, version, licence)
         else:
-            self.generateJSONComponent(id, type, name, supplier, version)
+            self.generateJSONComponent(id, type, name, supplier, version, licence)
 
-    def generateJSONComponent(self, id, type, name, supplier, version):
+    def generateJSONComponent(self, id, type, name, supplier, version, identified_licence):
         component = dict()
         component["type"] = type
         component["bom-ref"] = id
         component["name"] = name
         component["version"] = version
         component["cpe"] = f"cpe:/a:{supplier}:{name}:{version}"
+        license = dict()
+        license["id"] = identified_licence
+        item = dict()
+        item["license"] = license
+        component["licenses"] = [ item ]
         self.component.append(component)
 
-    def generateXMLComponent(self, id, type, name, supplier, version):
+    def generateXMLComponent(self, id, type, name, supplier, version, identified_licence):
         self.store(f'<component type="{type}" bom-ref="{id}">')
         self.store(f"<name>{name}<\\name>")
         self.store(f"<version>{version}<\\version>")
         self.store(f"<cpe>cpe:/a:{supplier}:{name}:{version}<\\cpe>")
-        self.store("<\\component>")
+        self.store("<licenses>")
+        self.store("<license>")
+        self.store(f"<id>{identified_licence}<\\id>")
+        self.store("<\\license>")
+        self.store("<\\licenses>")
+        self.store("<\\component>")
diff --git a/sbom4python/generator.py b/sbom4python/generator.py
@@ -84,7 +84,7 @@ def generate_cyclonedx(self, project_name, packages):
             product = package[1]
             version = package[2]
             supplier = package[3]
-            # licence = package[4]
+            licence = package[4]
             parent = package[0].lower()
             if product not in package_set:
                 package_set[product] = str(id) + "-" + product
@@ -93,7 +93,7 @@ def generate_cyclonedx(self, project_name, packages):
                 else:
                     type = "library"
                 self.bom.generateComponent(
-                    package_set[product], type, product, supplier, version
+                    package_set[product], type, product, supplier, version, licence
                 )
                 if parent != "-":
                     self.bom.generateRelationship(