Fixed license scoring

pkg/licenses/license.go

@@ -31,6 +31,9 @@ type License interface {
 	Restrictive() bool
 	Exception() bool
 	Source() string
+	Custom() bool
+	Spdx() bool
+	AboutCode() bool
 }
 
 type meta struct {
@@ -81,15 +84,15 @@ func (m meta) Source() string {
 	return m.source
 }
 
-func (m meta) isCustom() bool {
+func (m meta) Custom() bool {
 	return m.source == "custom"
 }
 
-func (m meta) isSpdx() bool {
+func (m meta) Spdx() bool {
 	return m.source == "spdx"
 }
 
-func (m meta) isAboutCode() bool {
+func (m meta) AboutCode() bool {
 	return m.source == "aboutcode"
 }
 

pkg/logger/log.go

@@ -30,13 +30,8 @@ func InitProdLogger() {
 	if err != nil {
 		log.Fatalf("Failed to initialize logger: %v", err)
 	}
-	// l, _ := zap.NewDevelopment()
-	// Defer with error handling
-	defer func() {
-		if err := l.Sync(); err != nil {
-			log.Printf("Failed to sync logger: %v", err)
-		}
-	}()
+
+	defer l.Sync()
 
 	if logger != nil {
 		panic("logger already initialized")
@@ -50,12 +45,8 @@ func InitDebugLogger() {
 		log.Printf("Failed to zap new development: %v", err)
 	}
 
-	// Defer with error handling
-	defer func() {
-		if err := l.Sync(); err != nil {
-			log.Printf("Failed to sync logger: %v", err)
-		}
-	}()
+	defer l.Sync()
+
 	if logger != nil {
 		panic("logger already initialized")
 	}

pkg/sbom/cdx.go

@@ -265,7 +265,6 @@ func copyC(cdxc *cydx.Component, c *cdxDoc) *Component {
 	supplier := c.assignSupplier(cdxc)
 	if supplier != nil {
 		nc.Supplier = *supplier
-		nc.SupplierName = supplier.Name
 	}
 
 	if cdxc.ExternalReferences != nil {

pkg/sbom/component.go

@@ -23,7 +23,6 @@ import (
 
 type GetComponent interface {
 	GetID() string
-	GetSupplierName() string
 	GetName() string
 	GetVersion() string
 	Cpes() []cpe.CPE
@@ -50,7 +49,6 @@ type GetComponent interface {
 }
 
 type Component struct {
-	SupplierName            string
 	Name                    string
 	Version                 string
 	cpes                    []cpe.CPE
@@ -81,10 +79,6 @@ func NewComponent() *Component {
 	return &Component{}
 }
 
-func (c Component) GetSupplierName() string {
-	return c.SupplierName
-}
-
 func (c Component) GetName() string {
 	return c.Name
 }

pkg/sbom/spdx.go

@@ -217,7 +217,6 @@ func (s *SpdxDoc) parseComps() {
 		if supp != nil {
 			nc.Supplier = *supp
 		}
-		nc.SupplierName = s.addSupplierName(index)
 
 		if sc.PackageVerificationCode != nil {
 			nc.sourceCodeHash = sc.PackageVerificationCode.Value

pkg/sbom/supplier.go

@@ -21,6 +21,7 @@ type GetSupplier interface {
 	GetEmail() string
 	GetURL() string
 	GetContacts() []Contact
+	IsPresent() bool
 }
 
 type Supplier struct {
@@ -45,3 +46,7 @@ func (s Supplier) GetURL() string {
 func (s Supplier) GetContacts() []Contact {
 	return s.Contacts
 }
+
+func (s Supplier) IsPresent() bool {
+	return s.Name != "" || s.Email != "" || s.URL != "" || len(s.Contacts) > 0
+}

pkg/scorer/ntia.go

@@ -34,7 +34,7 @@ func compSupplierCheck(d sbom.Document, c *check) score {
 	}
 
 	withNames := lo.CountBy(d.Components(), func(c sbom.GetComponent) bool {
-		return c.GetSupplierName() != ""
+		return c.Suppliers().IsPresent()
 	})
 
 	if totalComponents > 0 {

pkg/scorer/quality.go

@@ -38,10 +38,18 @@ func compWithValidLicensesCheck(d sbom.Document, c *check) score {
 	compScores := lo.Map(d.Components(), func(c sbom.GetComponent, _ int) float64 {
 		tl := len(c.Licenses())
 
+		if tl == 0 {
+			return 0.0
+		}
+
 		validLic := lo.CountBy(c.Licenses(), func(l licenses.License) bool {
-			return l.Deprecated() || l.Source() == "custom"
+			return l.Spdx()
 		})
 
+		if validLic == 0 {
+			return 0.0
+		}
+
 		return (float64(validLic) / float64(tl)) * 10.0
 	})
 
@@ -53,6 +61,7 @@ func compWithValidLicensesCheck(d sbom.Document, c *check) score {
 	}, 0.0)
 
 	finalScore := (totalCompScore / float64(totalComponents))
+
 	compsWithValidScores := lo.CountBy(compScores, func(score float64) bool {
 		return score > 0.0
 	})

samples/test-license.json

@@ -0,0 +1,200 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:3337e3a3-62e6-4cbb-abf5-51284a43f9f2",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2023-05-04T02:34:37-07:00",
+    "tools": [
+      {
+        "vendor": "CycloneDX",
+        "name": "cyclonedx-gomod",
+        "version": "v1.4.0",
+        "hashes": [
+          {
+            "alg": "MD5",
+            "content": "f37a3d3473b89e4ad73e84547e0f40ac"
+          },
+          {
+            "alg": "SHA-1",
+            "content": "a984dfd1da110417ac1d961111113a565db172b5"
+          },
+          {
+            "alg": "SHA-256",
+            "content": "3eae94260619fa7a79c64bb0549f7005c9b422306d88251cbcb43f095d978a46"
+          },
+          {
+            "alg": "SHA-384",
+            "content": "eab77f9e180c7846293c859e7ba4779cbd1c41f9414ab7759bb1a59aa2e98957a88f2f58ff74528467e17533b92f759e"
+          },
+          {
+            "alg": "SHA-512",
+            "content": "b1385b31ac001811370f2a2a45c3b5cd3bda9e523c00cc33b55192068bf03b75624d9e86740bf167d9ddd3e7f895913876b8e01221d5a35f9f59913b63cef925"
+          }
+        ],
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-gomod",
+            "type": "vcs"
+          },
+          {
+            "url": "https://cyclonedx.org",
+            "type": "website"
+          }
+        ]
+      }
+    ],
+    "component": {
+      "bom-ref": "pkg:golang/github.com/interlynk-io/[email protected]?type=module",
+      "type": "application",
+      "name": "github.com/interlynk-io/sbomqs",
+      "version": "v0.0.16-0.20230424202416-6a969c2dcfe4",
+      "purl": "pkg:golang/github.com/interlynk-io/[email protected]?type=module\u0026goos=linux\u0026goarch=amd64",
+      "externalReferences": [
+        {
+          "url": "https://github.com/interlynk-io/sbomqs",
+          "type": "vcs"
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:gomod:build:env:CGO_ENABLED",
+          "value": "1"
+        },
+        {
+          "name": "cdx:gomod:build:env:GOARCH",
+          "value": "amd64"
+        },
+        {
+          "name": "cdx:gomod:build:env:GOOS",
+          "value": "linux"
+        },
+        {
+          "name": "cdx:gomod:build:env:GOVERSION",
+          "value": "go1.20.3"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:golang/github.com/CycloneDX/[email protected]?type=module",
+      "type": "library",
+      "name": "github.com/CycloneDX/cyclonedx-go",
+      "version": "v0.7.1",
+      "scope": "required",
+      "purl": "pkg:golang/github.com/CycloneDX/[email protected]?type=module\u0026goos=linux\u0026goarch=amd64",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-go",
+          "type": "vcs"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:golang/github.com/DependencyTrack/[email protected]?type=module",
+      "type": "library",
+      "name": "github.com/DependencyTrack/client-go",
+      "version": "v0.9.0",
+      "scope": "required",
+      "purl": "pkg:golang/github.com/DependencyTrack/[email protected]?type=module\u0026goos=linux\u0026goarch=amd64",
+      "externalReferences": [
+        {
+          "url": "https://github.com/DependencyTrack/client-go",
+          "type": "vcs"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:golang/github.com/common-nighthawk/[email protected]?type=module",
+      "type": "library",
+      "name": "github.com/common-nighthawk/go-figure",
+      "version": "v0.0.0-20210622060536-734e95fb86be",
+      "scope": "required",
+      "purl": "pkg:golang/github.com/common-nighthawk/[email protected]?type=module\u0026goos=linux\u0026goarch=amd64",
+      "externalReferences": [
+        {
+          "url": "https://github.com/common-nighthawk/go-figure",
+          "type": "vcs"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:golang/github.com/google/[email protected]?type=module",
+      "type": "library",
+      "name": "github.com/google/uuid",
+      "version": "v1.3.0",
+      "scope": "required",
+      "purl": "pkg:golang/github.com/google/[email protected]?type=module\u0026goos=linux\u0026goarch=amd64",
+      "externalReferences": [
+        {
+          "url": "https://github.com/google/uuid",
+          "type": "vcs"
+        }
+      ],
+      "licenses": [
+        {
+          "expression": "Apache-2.0 AND (MIT OR GPL-2.0-only)"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:golang/github.com/mattn/[email protected]?type=module",
+      "type": "library",
+      "name": "github.com/mattn/go-runewidth",
+      "version": "v0.0.14",
+      "scope": "required",
+      "purl": "pkg:golang/github.com/mattn/[email protected]?type=module\u0026goos=linux\u0026goarch=amd64",
+      "externalReferences": [
+        {
+          "url": "https://github.com/mattn/go-runewidth",
+          "type": "vcs"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "name": "Custom MIT"
+          }
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:golang/sigs.k8s.io/[email protected]?type=module",
+      "type": "library",
+      "name": "sigs.k8s.io/yaml",
+      "version": "v1.3.0",
+      "scope": "required",
+      "purl": "pkg:golang/sigs.k8s.io/[email protected]?type=module\u0026goos=linux\u0026goarch=amd64"
+    }
+  ]
+}