scanoss · Alex-1089 · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025 · coderabbitai
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Upcoming changes...
 
+## [1.37.1] - 2025-10-21
+### Added
+- Added source filtering to cyclonedx conversion
+### Fixed
+- Fixed dependencies being skipped during spdx conversion
+
 ## [1.37.0] - 2025-10-17
 ### Added
 - Added delta folder and file copy command
@@ -689,3 +695,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.35.0]: https://github.com/scanoss/scanoss.py/compare/v1.34.0...v1.35.0
 [1.36.0]: https://github.com/scanoss/scanoss.py/compare/v1.35.0...v1.36.0
 [1.37.0]: https://github.com/scanoss/scanoss.py/compare/v1.36.0...v1.37.0
+[1.37.1]: https://github.com/scanoss/scanoss.py/compare/v1.37.0...v1.37.1
diff --git a/src/scanoss/__init__.py b/src/scanoss/__init__.py
@@ -22,4 +22,4 @@
   THE SOFTWARE.
 """
 
-__version__ = '1.37.0'
+__version__ = '1.37.1'
diff --git a/src/scanoss/cyclonedx.py b/src/scanoss/cyclonedx.py
@@ -152,7 +152,11 @@ def parse(self, data: dict):  # noqa: PLR0912, PLR0915
                     fdl = []
                     if licenses:
                         for lic in licenses:
-                            fdl.append({'id': lic.get('name')})
+                            name = lic.get('name')
+                            source = lic.get('source')
+                            if source not in ('component_declared', 'license_file', 'file_header'):
+                                continue
+                            fdl.append({'id': name})
                     fd['licenses'] = fdl
                     cdx[purl] = fd
         # self.print_stderr(f'VD: {vdx}')
@@ -295,7 +299,8 @@ def produce_from_str(self, json_str: str, output_file: str = None) -> bool:
         except Exception as e:
             self.print_stderr(f'ERROR: Problem parsing input JSON: {e}')
             return False
-        return self.produce_from_json(data, output_file)
+        success, _ = self.produce_from_json(data, output_file)
+        return success
 
     def _normalize_vulnerability_id(self, vuln: dict) -> tuple[str, str]:
         """

diff --git a/src/scanoss/spdxlite.py b/src/scanoss/spdxlite.py
@@ -226,7 +226,9 @@ def _process_licenses(self, licenses: list) -> list:
             Process license information and remove duplicates.
 
             This method filters license information to include only licenses from trusted sources
-            ('component_declared' or 'license_file') and removes any duplicate license names.
+            ('component_declared', 'license_file', 'file_header'). Licenses with an unspecified
+            source (None or '') are allowed. Non-empty, non-allowed sources are excluded. It also
+            removes any duplicate license names.
             The result is a simplified list of license dictionaries containing only the 'id' field.
 
             Args:
@@ -247,7 +249,7 @@ def _process_licenses(self, licenses: list) -> list:
         for license_info in licenses:
             name = license_info.get('name')
             source = license_info.get('source')
-            if source not in ("component_declared", "license_file", "file_header"):
+            if source not in (None, '') and source not in ("component_declared", "license_file", "file_header"):
                 continue
             if name and name not in seen_names:
                 processed_licenses.append({'id': name})