Add licenses to SBOM

.gitignore

@@ -3,3 +3,4 @@ node_modules
 dust
 dist/
 .devcontainer
+tmp/

CHANGELOG.md

@@ -4,6 +4,12 @@
 
 ### Enhancement
 
+* Include licenses in SBOM output
+
+## 1.5.0
+
+### Enhancement
+
 * Improve CycloneDX vulnerability IDs
 
 ## 1.4.1

package.json

@@ -1,7 +1,7 @@
 {
   "author": "Erlend Oftedal <[email protected]>",
   "name": "retire-site-scanner",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "license": "Apache-2.0",
   "description": "A scanner for checking a web site using retire.js",
   "main": "dist/index.js",
@@ -24,7 +24,7 @@
   "dependencies": {
     "cacheable-lookup": "^7.0.0",
     "puppeteer": "^22.4.0",
-    "retire": "^5.1.4",
+    "retire": "^5.2.0",
     "source-map": "^0.7.4"
   },
   "devDependencies": {

src/log.ts

@@ -71,6 +71,12 @@ type CycloneDXComponent = {
   version: string;
   "bom-ref": string;
   purl?: string;
+  licenses?: Array<{
+    license?: {
+      name: string;
+    };
+    expression?: string;
+  }>;
   properties: Array<{
     name: string;
     value: string;
@@ -196,6 +202,7 @@ export function convertToCycloneDX(resultToConvert: typeof collectedResults) {
         version: c.version,
         purl: generatePURL(c),
         properties: [],
+        licenses: mapLicenses(c.licenses),
       };
       components.set(key, comp);
       if (!comp.properties.some((c) => c.value == res.url))
@@ -264,6 +271,14 @@ export function convertToCycloneDX(resultToConvert: typeof collectedResults) {
   };
 }
 
+function mapLicenses(licenses: string[] | undefined) {
+  if (!licenses) return [];
+  if (licenses.length == 0) return [];
+  if (licenses[0] == "commercial") return [{ license: { name: "Commercial" } }];
+  return [{ expression: licenses[0] }];
+}
+
+
 export const jsonLogger: Logger = {
   open: (url: string) => {
     collectedResults.url = url;

src/retireWrapper.ts

@@ -1,5 +1,6 @@
 import retire from "retire/lib/retire";
 import { deepScan } from "retire/lib/deepscan";
+import { evaluateLicense } from "retire/lib/license";
 import { type Repository, type Component } from "retire/lib/types";
 import crypto from "crypto";
 import log from "./log";
@@ -180,12 +181,31 @@ const scanner = () =>
   loadRetireJSRepo().then(
     (repo) =>
       ({
-        scanUri: (uri: string) => scanUri(repo, uri),
+        scanUri: (uri: string) =>
+          addLicenses(scanUri(repo, uri), repo.advisories),
         scanContent: (url: string, contents: string) =>
-          scanContent(repo.advisories, contents, url),
-        runFuncs: (evaluate: Evaluator) => runFuncs(repo.advisories, evaluate),
-        scanUrlBackdoored: (url: string) => scanUrlBackdoored(repo, url),
+          addLicenses(
+            scanContent(repo.advisories, contents, url),
+            repo.advisories,
+          ),
+        runFuncs: (evaluate: Evaluator) =>
+          runFuncs(repo.advisories, evaluate).then((r) => {
+            addLicenses(r, repo.advisories);
+            return r;
+          }),
+        scanUrlBackdoored: (url: string) =>
+          addLicenses(scanUrlBackdoored(repo, url), repo.advisories),
       }) as Scanner,
   );
 
+function addLicenses(components: Component[], repo: Repository) {
+  components.forEach((c) => {
+    const possibleLicenses = repo[c.component]?.licenses;
+    if (possibleLicenses) {
+      c.licenses = evaluateLicense(possibleLicenses, c.version);
+    }
+  });
+  return components;
+}
+
 export default scanner;

tests/schematest.ts

@@ -17,6 +17,9 @@ describe("cyclonedx-json", () => {
       "jsf-0.82.schema.json#/definitions/signature",
     );
     const result = validator.validate(cycloneDx, jsonSchema);
+    if (!result.valid) {
+      console.log(result.errors);
+    }
     expect(result.valid).to.eq(true);
   });
 });