From 0387ed17e521d80481cedef413ca85333399475a Mon Sep 17 00:00:00 2001 From: RJ Trujillo Date: Tue, 3 Feb 2026 15:12:40 -0700 Subject: [PATCH] fix(spdx): Only warn when the same LicenseIDs have different text (#2053) A lot of packages that exist in Wolfi and Chainguard OS have the same LicenseIDs but different license text. Until we've updated all references across the OS to be unique when the text differs, only throw a warning Signed-off-by: RJ Sampson --- pkg/sbom/generator/spdx/spdx.go | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/pkg/sbom/generator/spdx/spdx.go b/pkg/sbom/generator/spdx/spdx.go index 4ad52afbd..4d0ed2b92 100644 --- a/pkg/sbom/generator/spdx/spdx.go +++ b/pkg/sbom/generator/spdx/spdx.go @@ -151,7 +151,7 @@ func (sx *SPDX) Generate(ctx context.Context, opts *options.Options, path string for _, pkg := range opts.Packages { // Check to see if the apk contains an sbom describing itself - if err := sx.ProcessInternalApkSBOM(opts, doc, pkg); err != nil { + if err := sx.ProcessInternalApkSBOM(ctx, opts, doc, pkg); err != nil { return fmt.Errorf("parsing internal apk SBOM: %w", err) } } @@ -201,7 +201,7 @@ func locateApkSBOM(fsys apkfs.ReaderFS, ipkg *apk.InstalledPackage) (string, err return "", nil } -func (sx *SPDX) ProcessInternalApkSBOM(opts *options.Options, doc *Document, ipkg *apk.InstalledPackage) error { +func (sx *SPDX) ProcessInternalApkSBOM(ctx context.Context, opts *options.Options, doc *Document, ipkg *apk.InstalledPackage) error { // Check if apk installed an SBOM path, err := locateApkSBOM(opts.FS, ipkg) if err != nil { @@ -260,9 +260,7 @@ func (sx *SPDX) ProcessInternalApkSBOM(opts *options.Options, doc *Document, ipk return fmt.Errorf("copying element: %w", err) } - if err := mergeLicensingInfos(apkSBOMDoc, doc); err != nil { - return fmt.Errorf("merging LicensingInfos: %w", err) - } + mergeLicensingInfos(ctx, apkSBOMDoc, doc) // Add CONTAINS relationships from the document root package to all top-level elements from the internal SBOM. // This ensures they are reachable from the document root for tools that traverse the SBOM graph. @@ -328,14 +326,14 @@ func copySBOMElements(sourceDoc, targetDoc *Document, todo map[string]struct{}) return nil } -func mergeLicensingInfos(sourceDoc, targetDoc *Document) error { +func mergeLicensingInfos(ctx context.Context, sourceDoc, targetDoc *Document) { var found bool for _, sourceinfo := range sourceDoc.LicensingInfos { found = false for _, targetinfo := range targetDoc.LicensingInfos { if targetinfo.LicenseID == sourceinfo.LicenseID { if targetinfo.ExtractedText != sourceinfo.ExtractedText { - return fmt.Errorf("source & target LicenseID %s differ in Text; perhaps multiple versions of the package have different contents of files provided in license-path", targetinfo.LicenseID) + clog.FromContext(ctx).Warnf("source & target LicenseID %s differ in Text; please either update the package's license-path or use the correct LicenseID", targetinfo.LicenseID) } found = true break @@ -345,7 +343,6 @@ func mergeLicensingInfos(sourceDoc, targetDoc *Document) error { targetDoc.LicensingInfos = append(targetDoc.LicensingInfos, sourceinfo) } } - return nil } // ParseInternalSBOM opens an SBOM inside apks and