Skip to content

fix(sbom): handle SPDX expression licenses in extract_licenses#1898

Open
mesutoezdil wants to merge 1 commit into
NVIDIA:mainfrom
mesutoezdil:fix/sbom-csv-expression-license
Open

fix(sbom): handle SPDX expression licenses in extract_licenses#1898
mesutoezdil wants to merge 1 commit into
NVIDIA:mainfrom
mesutoezdil:fix/sbom-csv-expression-license

Conversation

@mesutoezdil

@mesutoezdil mesutoezdil commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

CycloneDX allows licenses in 2 forms:

{"license": {"id": "MIT"}}; handled correctly

{"expression": "MIT OR Apache-2.0"}; silently dropped

extract_licenses only checked for the license key, so any component
using the expression form got an empty license field in the CSV output.

Add a check for expression before falling back to the license block.

@mesutoezdil
fix(sbom): handle SPDX expression licenses in extract_licenses
e18f427 
CycloneDX allows licenses as either {"license": {"id": "..."}} or
{"expression": "MIT OR Apache-2.0"}. The expression form was silently
dropped, producing an empty license field in the CSV output.
@mesutoezdil mesutoezdil requested review from a team, derekwaynecarr and mrunalp as code owners June 13, 2026 10:42
@copy-pr-bot

copy-pr-bot Bot commented Jun 13, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@johntmyers johntmyers added the gator:watch-pipeline Gator is monitoring PR CI/CD status label Jun 13, 2026
@johntmyers

johntmyers commented Jun 13, 2026

Copy link
Copy Markdown
Collaborator

gator-agent

PR Review Status

Validation: This is a small, concentrated SBOM tooling bug fix. The PR addresses a documented CycloneDX license form (expression) that the existing CSV export dropped, touches one deploy script, and no duplicate issue or PR was found for the same fix.
Head SHA: e18f4270b57875c60e817219db31c120e0c95bef

Review findings:

  • No blocking findings remain.
  • Non-blocking test note: there is no direct regression coverage for deploy/sbom/sbom_to_csv.py; a focused test for both {"expression": "MIT OR Apache-2.0"} and {"license": {"id": "MIT"}} would reduce reintroduction risk.

Docs: Fern docs update is not needed because this only changes generated SBOM CSV extraction behavior and does not alter a documented user-facing workflow, CLI contract, provider flow, policy syntax, or published API.

E2E: No test:e2e, test:e2e-gpu, or test:e2e-kubernetes label is needed for this SBOM CSV utility change.

Next state: gator:watch-pipeline

@johntmyers

johntmyers commented Jun 13, 2026

Copy link
Copy Markdown
Collaborator

/ok to test e18f427

@johntmyers

johntmyers commented Jun 13, 2026

Copy link
Copy Markdown
Collaborator

gator-agent

Maintainer Approval Needed

Gator validation and PR monitoring are complete.

Validation: This is a small, concentrated SBOM CSV extraction fix for CycloneDX SPDX expression licenses in deploy/sbom/sbom_to_csv.py.
Review: No blocking findings remain. I noted only non-blocking regression-test coverage risk for extract_licenses.
Docs: Fern docs update is not needed because this changes generated SBOM CSV extraction behavior only and does not alter a documented user-facing workflow, CLI contract, provider flow, policy syntax, or published API.
Checks: Required gates are green for head e18f4270b57875c60e817219db31c120e0c95bef: OpenShell / Branch Checks, OpenShell / Helm Lint, OpenShell / E2E, and OpenShell / GPU E2E.
E2E: No test:e2e, test:e2e-gpu, or test:e2e-kubernetes label was needed; the required E2E gate statuses passed as not applied.

Human maintainer approval or merge decision is now required.

@johntmyers johntmyers added gator:approval-needed Gator completed review; maintainer approval needed and removed gator:watch-pipeline Gator is monitoring PR CI/CD status labels Jun 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr derekwaynecarr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

gator:approval-needed Gator completed review; maintainer approval needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mesutoezdil @johntmyers