Review comments

spoorcc · spoorcc · commit f0c4bdce9eda · 2026-04-08T21:59:06.000Z
diff --git a/dfetch/commands/report.py b/dfetch/commands/report.py
@@ -136,7 +136,7 @@ def _determine_licenses(project: ProjectEntry) -> LicenseScanResult:
 
                 if (
                     guessed_license
-                    and guessed_license.probability > LICENSE_PROBABILITY_THRESHOLD
+                    and guessed_license.probability >= LICENSE_PROBABILITY_THRESHOLD
                 ):
                     identified.append(guessed_license)
                 else:
diff --git a/dfetch/reporting/sbom_reporter.py b/dfetch/reporting/sbom_reporter.py
@@ -131,7 +131,7 @@
 )
 from cyclonedx.model.contact import OrganizationalEntity
 from cyclonedx.model.license import DisjunctiveLicense as CycloneDxLicense
-from cyclonedx.model.license import LicenseAcknowledgement, LicenseExpression
+from cyclonedx.model.license import LicenseAcknowledgement
 from cyclonedx.output import make_outputter
 from cyclonedx.schema import OutputFormat, SchemaVersion
 from packageurl import PackageURL
@@ -408,7 +408,7 @@ def _apply_licenses(component: Component, license_scan: LicenseScanResult) -> No
                     component.evidence.licenses.add(cdx_license)
                 # Record per-license confidence so auditors can compare against
                 # the threshold and re-evaluate if the threshold changes.
-                label = lic.spdx_id or lic.name
+                label = lic.spdx_id or lic.name or "unknown"
                 component.properties.add(
                     Property(
                         name=f"dfetch:license:{label}:confidence",
@@ -417,7 +417,7 @@ def _apply_licenses(component: Component, license_scan: LicenseScanResult) -> No
                 )
             return
 
-        noassertion = LicenseExpression("NOASSERTION")
+        noassertion = CycloneDxLicense(name="NOASSERTION")
         component.licenses.add(noassertion)
         if component.evidence:
             component.evidence.licenses.add(noassertion)
diff --git a/features/report-sbom-license.feature b/features/report-sbom-license.feature
@@ -35,7 +35,9 @@ Feature: SBOM license transparency for unresolved licenses
                         "name": "SomeProject",
                         "licenses": [
                             {
-                                "expression": "NOASSERTION"
+                                "license": {
+                                    "name": "NOASSERTION"
+                                }
                             }
                         ],
                         "properties": [
@@ -55,7 +57,9 @@ Feature: SBOM license transparency for unresolved licenses
                         "evidence": {
                             "licenses": [
                                 {
-                                    "expression": "NOASSERTION"
+                                    "license": {
+                                        "name": "NOASSERTION"
+                                    }
                                 }
                             ]
                         }
@@ -88,7 +92,9 @@ Feature: SBOM license transparency for unresolved licenses
                         "name": "SomeProject",
                         "licenses": [
                             {
-                                "expression": "NOASSERTION"
+                                "license": {
+                                    "name": "NOASSERTION"
+                                }
                             }
                         ],
                         "properties": [
@@ -108,7 +114,9 @@ Feature: SBOM license transparency for unresolved licenses
                         "evidence": {
                             "licenses": [
                                 {
-                                    "expression": "NOASSERTION"
+                                    "license": {
+                                        "name": "NOASSERTION"
+                                    }
                                 }
                             ]
                         }

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,9 @@ Feature: SBOM license transparency for unresolved licenses`
`35`	`35`	`"name": "SomeProject",`
`36`	`36`	`"licenses": [`
`37`	`37`	`{`
`38`		`- "expression": "NOASSERTION"`
	`38`	`+ "license": {`
	`39`	`+ "name": "NOASSERTION"`
	`40`	`+ }`
`39`	`41`	`}`
`40`	`42`	`],`
`41`	`43`	`"properties": [`
`@@ -55,7 +57,9 @@ Feature: SBOM license transparency for unresolved licenses`
`55`	`57`	`"evidence": {`
`56`	`58`	`"licenses": [`
`57`	`59`	`{`
`58`		`- "expression": "NOASSERTION"`
	`60`	`+ "license": {`
	`61`	`+ "name": "NOASSERTION"`
	`62`	`+ }`
`59`	`63`	`}`
`60`	`64`	`]`
`61`	`65`	`}`
`@@ -88,7 +92,9 @@ Feature: SBOM license transparency for unresolved licenses`
`88`	`92`	`"name": "SomeProject",`
`89`	`93`	`"licenses": [`
`90`	`94`	`{`
`91`		`- "expression": "NOASSERTION"`
	`95`	`+ "license": {`
	`96`	`+ "name": "NOASSERTION"`
	`97`	`+ }`
`92`	`98`	`}`
`93`	`99`	`],`
`94`	`100`	`"properties": [`
`@@ -108,7 +114,9 @@ Feature: SBOM license transparency for unresolved licenses`
`108`	`114`	`"evidence": {`
`109`	`115`	`"licenses": [`
`110`	`116`	`{`
`111`		`- "expression": "NOASSERTION"`
	`117`	`+ "license": {`
	`118`	`+ "name": "NOASSERTION"`
	`119`	`+ }`
`112`	`120`	`}`
`113`	`121`	`]`
`114`	`122`	`}`