Merge branch 'main' into auto/latest-tools

* main: --- (#2889) chore: update spdx license list to 3.24.0 (#2895) --- (#2888)
anchore · May 23, 2024 · 41c65e3 · 41c65e3
2 parents d85883f + ea50c61
commit 41c65e3
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 7 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -45,7 +45,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 #v3.25.5
+      uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 #v3.25.6
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6 #v3.25.5
+      uses: github/codeql-action/autobuild@9fdb3e49720b44c48891d036bb502feb25684276 #v3.25.6
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 #v3.25.5
+      uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 #v3.25.6
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -140,7 +140,7 @@ jobs:
           # for updating brew formula in anchore/homebrew-syft
           GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
 
-      - uses: anchore/sbom-action@7ccf588e3cf3cc2611714c2eeae48550fbc17552 #v0.15.11
+      - uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 #v0.16.0
         continue-on-error: true
         with:
           artifact-name: sbom.spdx.json

diff --git a/internal/spdxlicense/license_list.go b/internal/spdxlicense/license_list.go
diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
@@ -124,7 +124,7 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 		CreationInfo: &spdx.CreationInfo{
 			// 6.7: License List Version
 			// Cardinality: optional, one
-			LicenseListVersion: spdxlicense.Version,
+			LicenseListVersion: trimPatchVersion(spdxlicense.Version),
 
 			// 6.8: Creators: may have multiple keys for Person, Organization
 			//      and/or Tool
@@ -791,3 +791,13 @@ func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVeri
 		Value: fmt.Sprintf("%+x", hasher.Sum(nil)),
 	}
 }
+
+// SPDX 2.2 spec requires that the patch version be removed from the semver string
+// for the license list version field
+func trimPatchVersion(semver string) string {
+	parts := strings.Split(semver, ".")
+	if len(parts) >= 3 {
+		return strings.Join(parts[:2], ".")
+	}
+	return semver
+}