feat: Support properties on license

Signed-off-by: Peter Schuster <p.schuster@pilz.de>

Author: peschuster

src/models/license.ts

@@ -21,6 +21,7 @@ import type { Sortable } from '../_helpers/sortable'
 import type { LicenseAcknowledgement } from '../enums/licenseAcknowledgement'
 import type { SpdxId } from '../spdx'
 import type { Attachment } from './attachment'
+import { PropertyRepository } from './property'
 
 /**
  * (SPDX) License Expression.
@@ -64,11 +65,13 @@ class DisjunctiveLicenseBase {
   acknowledgement?: LicenseAcknowledgement
   text?: Attachment
   #url?: URL | string
+  properties: PropertyRepository
 
   constructor (op: OptionalDisjunctiveLicenseProperties = {}) {
     this.acknowledgement = op.acknowledgement
     this.text = op.text
     this.url = op.url
+    this.properties = op.properties ?? new PropertyRepository()
   }
 
   get url (): URL | string | undefined {
@@ -86,6 +89,7 @@ interface OptionalDisjunctiveLicenseProperties {
   acknowledgement?: DisjunctiveLicenseBase['acknowledgement']
   text?: DisjunctiveLicenseBase['text']
   url?: DisjunctiveLicenseBase['url']
+  properties?: DisjunctiveLicenseBase['properties']
 }
 
 export interface OptionalNamedLicenseProperties extends OptionalDisjunctiveLicenseProperties {}

src/serialize/json/normalize.ts

@@ -529,36 +529,44 @@ export class LicenseNormalizer extends BaseJsonNormalizer<Models.License> {
   }
 
   #normalizeNamedLicense (data: Models.NamedLicense, options: NormalizerOptions): Normalized.NamedLicense {
+    const spec = this._factory.spec
     const url = escapeUri(data.url?.toString())
     return {
       license: {
         name: data.name,
-        acknowledgement: this._factory.spec.supportsLicenseAcknowledgement
+        acknowledgement: spec.supportsLicenseAcknowledgement
           ? data.acknowledgement
           : undefined,
         text: data.text === undefined
           ? undefined
           : this._factory.makeForAttachment().normalize(data.text, options),
         url: JsonSchema.isIriReference(url)
           ? url
+          : undefined,
+        properties: spec.supportsProperties(data) && data.properties.size > 0
+          ? this._factory.makeForProperty().normalizeIterable(data.properties, options)
           : undefined
       }
     }
   }
 
   #normalizeSpdxLicense (data: Models.SpdxLicense, options: NormalizerOptions): Normalized.SpdxLicense {
+    const spec = this._factory.spec
     const url = escapeUri(data.url?.toString())
     return {
       license: {
         id: data.id,
-        acknowledgement: this._factory.spec.supportsLicenseAcknowledgement
+        acknowledgement: spec.supportsLicenseAcknowledgement
           ? data.acknowledgement
           : undefined,
         text: data.text === undefined
           ? undefined
           : this._factory.makeForAttachment().normalize(data.text, options),
         url: JsonSchema.isIriReference(url)
           ? url
+          : undefined,
+        properties: spec.supportsProperties(data) && data.properties.size > 0
+          ? this._factory.makeForProperty().normalizeIterable(data.properties, options)
           : undefined
       }
     }

src/serialize/json/types.ts

@@ -196,6 +196,7 @@ export namespace Normalized {
       acknowledgement?: Enums.LicenseAcknowledgement
       text?: Attachment
       url?: string
+      properties?: Property[]
     }
   }
 
@@ -206,6 +207,7 @@ export namespace Normalized {
       acknowledgement?: Enums.LicenseAcknowledgement
       text?: Attachment
       url?: string
+      properties?: Property[]
     }
   }
 

src/serialize/xml/normalize.ts

@@ -699,12 +699,20 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
   }
 
   #normalizeNamedLicense (data: Models.NamedLicense, options: NormalizerOptions): SimpleXml.Element {
-    const url = escapeUri(data.url?.toString())
+    const spec = this._factory.spec
+    const url = escapeUri(data.url?.toString()) 
+    const properties: SimpleXml.Element | undefined = spec.supportsProperties(data) && data.properties.size > 0
+      ? {
+        type: 'element',
+        name: 'properties',
+        children: this._factory.makeForProperty().normalizeIterable(data.properties, options, 'property')
+      }
+      : undefined
     return {
       type: 'element',
       name: 'license',
       attributes: {
-        acknowledgement: this._factory.spec.supportsLicenseAcknowledgement
+        acknowledgement: spec.supportsLicenseAcknowledgement
           ? data.acknowledgement
           : undefined
       },
@@ -715,18 +723,27 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
           : this._factory.makeForAttachment().normalize(data.text, options, 'text'),
         XmlSchema.isAnyURI(url)
           ? makeTextElement(url, 'url')
-          : undefined
+          : undefined,
+        properties
       ].filter(isNotUndefined)
     }
   }
 
   #normalizeSpdxLicense (data: Models.SpdxLicense, options: NormalizerOptions): SimpleXml.Element {
-    const url = escapeUri(data.url?.toString())
+    const spec = this._factory.spec
+    const url = escapeUri(data.url?.toString())    
+    const properties: SimpleXml.Element | undefined = spec.supportsProperties(data) && data.properties.size > 0
+      ? {
+        type: 'element',
+        name: 'properties',
+        children: this._factory.makeForProperty().normalizeIterable(data.properties, options, 'property')
+      }
+      : undefined
     return {
       type: 'element',
       name: 'license',
       attributes: {
-        acknowledgement: this._factory.spec.supportsLicenseAcknowledgement
+        acknowledgement: spec.supportsLicenseAcknowledgement
           ? data.acknowledgement
           : undefined
       },
@@ -737,7 +754,8 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
           : this._factory.makeForAttachment().normalize(data.text, options, 'text'),
         XmlSchema.isAnyURI(url)
           ? makeTextElement(url, 'url')
-          : undefined
+          : undefined,
+        properties
       ].filter(isNotUndefined)
     }
   }

src/spec/_protocol.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import type { ComponentType, ExternalReferenceType, HashAlgorithm, Vulnerability } from '../enums'
-import type { HashContent } from '../models'
+import { type HashContent, NamedLicense, SpdxLicense } from '../models'
 import type { Format, Version } from './enums'
 
 /**
@@ -79,6 +79,7 @@ export class _Spec implements _SpecProtocol {
   readonly #supportsLicenseAcknowledgement: boolean
   readonly #supportsServices: boolean
   readonly #supportsToolsComponentsServices: boolean
+  readonly #supportsLicenseProperties: boolean
 
   /* eslint-disable-next-line @typescript-eslint/max-params -- architectural decision */
   constructor (
@@ -101,7 +102,8 @@ export class _Spec implements _SpecProtocol {
     supportsExternalReferenceHashes: boolean,
     supportsLicenseAcknowledgement: boolean,
     supportsServices: boolean,
-    supportsToolsComponentsServices: boolean
+    supportsToolsComponentsServices: boolean,
+    supportsLicenseProperties: boolean
   ) {
     this.#version = version
     this.#formats = new Set(formats)
@@ -123,6 +125,7 @@ export class _Spec implements _SpecProtocol {
     this.#supportsLicenseAcknowledgement = supportsLicenseAcknowledgement
     this.#supportsServices = supportsServices
     this.#supportsToolsComponentsServices = supportsToolsComponentsServices
+    this.#supportsLicenseProperties = supportsLicenseProperties
   }
 
   get version (): Version {
@@ -166,9 +169,13 @@ export class _Spec implements _SpecProtocol {
     return this.#requiresComponentVersion
   }
 
-  supportsProperties (): boolean {
-    // currently a global allow/deny -- might work based on input, in the future
-    return this.#supportsProperties
+  supportsProperties (model: any): boolean {
+    switch (true) {
+      case model instanceof NamedLicense || model instanceof SpdxLicense:
+        return this.#supportsLicenseProperties 
+      default:
+        return this.#supportsProperties
+    }
   }
 
   get supportsVulnerabilities (): boolean {

src/spec/consts.ts

@@ -89,6 +89,7 @@ export const Spec1dot2: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   false,
   false,
   true,
+  false,
   false
 ))
 
@@ -154,6 +155,7 @@ export const Spec1dot3: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   false,
   true,
+  false,
   false
 ))
 
@@ -226,6 +228,7 @@ export const Spec1dot4: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   false,
   true,
+  false,
   false
 ))
 
@@ -327,6 +330,7 @@ export const Spec1dot5: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   false,
   true,
+  true,
   true
 ))
 
@@ -433,6 +437,7 @@ export const Spec1dot6: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   true,
   true,
+  true,
   true
 ))
 
@@ -547,6 +552,7 @@ export const Spec1dot7: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   true,
   true,
+  true,
   true
 ))
 

tests/_data/models.js

@@ -158,7 +158,11 @@ function createComplexStructure () {
         contentType: 'text/plain',
         encoding: Enums.AttachmentEncoding.Base64
       }),
-      url: 'https://localhost/license'
+      url: 'https://localhost/license',
+      properties: new Models.PropertyRepository([
+        new Models.Property('a', 'b'),
+        new Models.Property('primaryLicense', 'true')
+      ])
     }))
     component.licenses.add((function (license) {
       license.text = new Models.Attachment('TUlUIExpY2Vuc2UKLi4uClRIRSBTT0ZUV0FSRSBJUyBQUk9WSURFRCAiQVMgSVMiLi4u')
@@ -167,7 +171,12 @@ function createComplexStructure () {
       license.url = new URL('https://spdx.org/licenses/MIT.html')
       license.acknowledgement = Enums.LicenseAcknowledgement.Declared
       return license
-    })(new Models.SpdxLicense('MIT')))
+    })(new Models.SpdxLicense('MIT', {
+      properties: new Models.PropertyRepository([
+        new Models.Property('c', 'd'),
+        new Models.Property('primaryLicense', 'false')
+      ])
+    })))
     component.publisher = 'the publisher'
     component.purl = new PackageURL('npm', 'acme', 'dummy-component', '1337-beta', undefined, undefined)
     component.scope = Enums.ComponentScope.Required