From e18f4270b57875c60e817219db31c120e0c95bef Mon Sep 17 00:00:00 2001
From: mesutoezdil
Date: Sat, 13 Jun 2026 12:42:28 +0200
Subject: [PATCH] fix(sbom): handle SPDX expression licenses in extract_licenses

CycloneDX allows licenses as either {"license": {"id": "..."}} or {"expression": "MIT OR Apache-2.0"}. The expression form was silently dropped, producing an empty license field in the CSV output.
---
 deploy/sbom/sbom_to_csv.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/deploy/sbom/sbom_to_csv.py b/deploy/sbom/sbom_to_csv.py
index 26b236b46..b9c71e4a8 100644
--- a/deploy/sbom/sbom_to_csv.py
+++ b/deploy/sbom/sbom_to_csv.py
@@ -23,8 +23,11 @@ def extract_licenses(component: dict) -> str:
     licenses = component.get("licenses", [])
     ids = []
     for entry in licenses:
-        lic = entry.get("license", {})
-        ids.append(lic.get("id") or lic.get("name", ""))
+        if "expression" in entry:
+            ids.append(entry["expression"])
+        else:
+            lic = entry.get("license", {})
+            ids.append(lic.get("id") or lic.get("name", ""))
     return " | ".join(filter(None, ids))
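Review bot: The new branch appends `entry["expression"]` without checking its type, so a malformed SBOM entry whose expression is a truthy non-string (a nested object, a number) survives `filter(None, ids)` and makes the trailing `" | ".join` raise TypeError; the pre-existing `lic.get("id")` path has the same gap. Since the SBOM is input this tool does not produce itself, I would narrow to strings in the new branch: `expr = entry.get("expression")` / `if isinstance(expr, str): ids.append(expr)`. When an entry carries both keys the expression silently wins over the `license` object, which is worth a one-line comment, `# CycloneDX: an entry is either {"expression": ...} or {"license": {...}}; the expression form takes precedence`. Because the joined value ends up in a CSV cell, a license expression or name beginning with `=`, `+`, `-` or `@` should be neutralized by the CSV writer (outside this hunk) so a spreadsheet does not evaluate it as a formula. The `def extract_licenses` line is only in the hunk header, so its docstring, if any, is outside the hunk and should mention the newly accepted expression form.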