fix: schema-invalid CycloneDX when running PEP639 analysis (#828)

fixes #826

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

cyclonedx_py/_internal/environment.py

@@ -27,13 +27,13 @@
 from typing import TYPE_CHECKING, Any, Dict, Iterable, List, Optional, Tuple
 
 from cyclonedx.model import Property
-from cyclonedx.model.component import Component, ComponentType
+from cyclonedx.model.component import Component, ComponentEvidence, ComponentType
 from packageurl import PackageURL
 from packaging.requirements import Requirement
 
 from . import BomBuilder, PropertyName, PurlTypePypi
 from .cli_common import add_argument_mc_type, add_argument_pyproject
-from .utils.cdx import licenses_fixup, make_bom
+from .utils.cdx import find_LicenseExpression, licenses_fixup, make_bom
 from .utils.packaging import metadata2extrefs, metadata2licenses, normalize_packagename
 from .utils.pep610 import PackageSourceArchive, PackageSourceVcs, packagesource2extref, packagesource4dist
 from .utils.pep639 import dist2licenses as dist2licenses_pep639
@@ -183,10 +183,21 @@ def __add_components(self, bom: 'Bom',
                 # path of dist-package on disc? naaa... a package may have multiple files/folders on disc
             )
             if self._pep639:
-                component.licenses.update(
-                    dist2licenses_pep639(dist,
-                                         self._gather_license_texts,
-                                         self._logger))
+                pep639_licenses = list(dist2licenses_pep639(dist, self._gather_license_texts, self._logger))
+                pep639_lexp = find_LicenseExpression(pep639_licenses)
+                if pep639_lexp is not None:
+                    component.licenses = (pep639_lexp,)  # type:ignore[assignment]
+                    pep639_licenses.remove(pep639_lexp)
+                if len(pep639_licenses) > 0:
+                    if find_LicenseExpression(component.licenses) is None:
+                        component.licenses.update(pep639_licenses)
+                    else:
+                        # hack for preventing expressions AND named licenses.
+                        # see https://github.com/CycloneDX/cyclonedx-python/issues/826
+                        # see https://github.com/CycloneDX/specification/issues/454
+                        component.evidence = ComponentEvidence(licenses=pep639_licenses)
+                del pep639_lexp, pep639_licenses
+
             del dist_meta, dist_name, dist_version
             self.__component_add_extref_and_purl(component, packagesource4dist(dist))
             all_components[normalize_packagename(component.name)] = (

cyclonedx_py/_internal/utils/cdx.py

@@ -21,7 +21,7 @@
 """
 
 from re import compile as re_compile
-from typing import Any, Dict, Iterable
+from typing import Any, Dict, Iterable, Optional
 
 from cyclonedx.builder.this import this_component as lib_component
 from cyclonedx.model import ExternalReference, ExternalReferenceType, XsUri
@@ -87,11 +87,17 @@ def make_bom(**kwargs: Any) -> Bom:
     return bom
 
 
-def licenses_fixup(licenses: Iterable['License']) -> Iterable['License']:
-    licenses = set(licenses)
+def find_LicenseExpression(licenses: Iterable['License']) -> Optional[LicenseExpression]:  # noqa: N802
     for license in licenses:
         if isinstance(license, LicenseExpression):
-            return (license,)
+            return license
+    return None
+
+
+def licenses_fixup(licenses: Iterable['License']) -> Iterable['License']:
+    licenses = set(licenses)
+    if (lexp := find_LicenseExpression(licenses)) is not None:
+        return (lexp,)
     return licenses
 
 

cyclonedx_py/_internal/utils/mimetypes.py

@@ -19,22 +19,42 @@
 from os.path import splitext
 from typing import Optional
 
+_MIME_TEXT_PLAIN = 'text/plain'
+
 _MAP_EXT_MIME = {
     # https://www.iana.org/assignments/media-types/media-types.xhtml
+    '.csv': 'text/csv',
+    '.htm': 'text/html',
+    '.html': 'text/html',
     '.md': 'text/markdown',
     '.txt': 'text/plain',
     '.rst': 'text/prs.fallenstein.rst',
+    '.xml': 'text/xml',  # not `application/xml` -- our scope is text!
+    # license-specific files
+    '.license': _MIME_TEXT_PLAIN,
+    '.licence': _MIME_TEXT_PLAIN,
     # add more mime types. pull-requests welcome!
 }
 
+_LICENSE_FNAME_BASE = ('licence', 'license')
+_LICENSE_FNAME_EXT = (
+    '.apache',
+    '.bsd',
+    '.gpl',
+    '.mit',
+)
+
 
 def guess_type(file_name: str) -> Optional[str]:
     """
     The stdlib `mimetypes.guess_type()` is inconsistent, as it depends heavily on type registry in the env/os.
     Therefore, this polyfill exists.
     """
-    ext = splitext(file_name)[1].lower()
-    return _MAP_EXT_MIME.get(
-        ext,
-        _stdlib_guess_type(file_name)[0]
-    )
+    file_name_l = file_name.lower()
+    base, ext = splitext(file_name_l)
+    if ext == '':
+        return None
+    if base in _LICENSE_FNAME_BASE and ext in _LICENSE_FNAME_EXT:
+        return _MIME_TEXT_PLAIN
+    return _MAP_EXT_MIME.get(ext) \
+        or _stdlib_guess_type(file_name_l)[0]

tests/_data/infiles/environment/with-license-pep639/init.py

@@ -63,13 +63,16 @@ def main() -> None:
     ).create(env_dir)
 
     pip_install(
+        '--no-dependencies',
         # with License-Expression
         'attrs',
         # with License-File
         'boolean.py',
         'jsonpointer',
         'license_expression',
         'lxml',
+        # with expression-like License AND License-File
+        'cryptography==43.0.1',  # https://github.com/CycloneDX/cyclonedx-python/issues/826
     )
 
 

tests/_data/infiles/environment/with-license-pep639/pinning.txt

@@ -1,5 +1,6 @@
 attrs==23.2.0
 boolean.py==4.0
+cryptography==43.0.1
 jsonpointer==2.4
 license-expression==30.3.0
 lxml==5.3.0

tests/_data/infiles/environment/with-license-pep639/pyproject.toml

@@ -12,4 +12,6 @@ dependencies = [
   "jsonpointer",
   "license_expression",
   "lxml",
+  # with expression-like License AND License-File
+  "cryptography",
 ]