
     1  // Package license provides common methods for working with SPDX license data.
     2  package license
     3  
     4  import (
     5  	"fmt"
     6  	"runtime/debug"
     7  
     8  	"github.com/github/go-spdx/v2/spdxexp"
     9  
    10  	"github.com/anchore/syft/internal/spdxlicense"
    11  )
    12  
// Type classifies the provenance of a license value, mirroring the SPDX
// distinction between a declared and a concluded license.
type Type string

// Declared is the Type for a license taken as stated by its source.
const Declared Type = "declared"

// Concluded is the Type for a license arrived at by analysis rather than
// taken verbatim from its source.
const Concluded Type = "concluded"
    19  
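// ParseExpression normalizes a license string into either a canonical SPDX
// license ID or a validated SPDX expression.
//
// The lookup has two steps: a direct match against the bundled SPDX license
// list (spdxlicense.ID), which yields the canonical ID; otherwise the input is
// treated as a compound expression and validated with spdxexp.ValidateLicenses,
// in which case the original expression is returned unchanged.
//
// It returns an error when the input is neither a known ID nor a valid SPDX
// expression, or when the underlying parser panics. The panic-recovery error
// embeds a full goroutine stack trace, so callers that surface errors to end
// users should log it rather than echo it verbatim.
func ParseExpression(expression string) (ex string, err error) {
	// https://github.com/anchore/syft/issues/1837
	// The current spdx library can panic when parsing some expressions.
	// This is a temporary fix to recover and patch until we can investigate and
	// contribute a fix to the upstream github library.
	defer func() {
		if r := recover(); r != nil {
			// Include the recovered value: without it the error records *where*
			// the parser panicked but not *why*, which is the only clue to the
			// offending input when this is seen in the field.
			err = fmt.Errorf("recovered from panic while parsing license expression: %v at: \n%s", r, string(debug.Stack()))
		}
	}()

	// Fast path: a bare license ID that is on the SPDX list comes back in its
	// canonical form.
	if licenseID, exists := spdxlicense.ID(expression); exists {
		return licenseID, nil
	}

	// Not a bare ID, so it may be a compound expression (e.g. "MIT OR Apache-2.0").
	// The ignored second result lists the invalid sub-expressions; only the
	// overall verdict is needed here.
	// TODO: contribute to spdxexp to expose deprecated license IDs
	// https://github.com/anchore/syft/issues/1814
	if valid, _ := spdxexp.ValidateLicenses([]string{expression}); !valid {
		return "", fmt.Errorf("invalid SPDX expression: %s", expression)
	}

	return expression, nil
}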