Attach canonical SPDX URLs to each identifier

Author: kdeldycke

changelog.md

@@ -13,6 +13,7 @@
 - [zerobrew] Add `upgrade` and `upgrade_all` support by wrapping the `zb upgrade` command introduced in zerobrew `0.3.0`, and bump the minimum required `zb` version from `0.2.0` to `0.3.0`. `0.3.0` also fixes the Linux Python install failures reported in https://github.com/lucasgelfond/zerobrew/issues/336, so the `zerobrew` install tests now run as stable on both x86 and ARM Linux.
 - [mpm] Add a `scope` attribute (`ManagerScope.SYSTEM` or `ManagerScope.PROJECT`) to `PackageManager` to distinguish system-wide installers from project-local dependency managers, plus a `discover_projects()` extension point reserved for the latter. All maintained managers are system-scoped; project scope is not supported yet.
 - [mpm] Make `mpm sbom` maximalist by default: the renderer now collects rich per-package metadata (license, supplier, originator, homepage, source URL, checksums, declared dependency graph) from each manager and embeds it in both SPDX and CycloneDX exports. `brew`'s extractor sources data from a single `brew info --json=v2 --installed` shell-out and, when `HOMEBREW_SBOM=1` was set at install time, splices per-formula SBOM files from the Cellar into the aggregate document under auditable `externalDocumentRefs`; `pip`'s extractor reads each distribution's `METADATA` file via `importlib.metadata` with no shell-outs. A `--bundled / --minimal` flag (default `--bundled`) restores the previous bare inventory shape. Bumps the CycloneDX schema to `1.7` and raises the `mpm[sbom]` floor on `cyclonedx-python-lib` from `>=11.2` to `>=11.4`, the first release to expose the `JsonV1Dot7` outputter and `SchemaVersion.V1_7` enum.
+- [mpm] Attach canonical SPDX URLs to each identifier inside compound license expressions in CycloneDX 1.7 output (`licenses[].expressionDetails[]`), so consumers like Dependency-Track and GUAC can dereference every license referenced by `AND`/`OR`/`WITH` clauses. Bumps the `mpm[sbom]` floor on `cyclonedx-python-lib` from `>=11.4` to `>=11.9`, the first release to expose `LicenseExpression.details` and the `LicenseExpressionDetails` payload.
 - [mpm] Rename the global `--stats / --no-stats` flag to `--summary / --no-summary`, and move the rendering surface into a dedicated `meta_package_manager/summary.py` module. The underlying `SBOM.stats()` data accessor keeps its name. Breaking change for scripts that pass the old flag.
 - [mpm] Move `cyclonedx-python-lib` and `spdx-tools` out of the runtime install into a new `[sbom]` extra: `pip install meta-package-manager` no longer pulls CycloneDX or SPDX, and `mpm sbom` requires `pip install meta-package-manager[sbom]`. `packageurl-python` stays in the runtime install since it is used by `meta_package_manager.package` and `meta_package_manager.specifier`. Drops `jsonschema`, `rfc3987-syntax`, `lark`, and `lxml` from `mpm`'s install footprint by moving CycloneDX schema validation into the test suite. Breaking change for anyone that relied on `mpm sbom` from a default install.
 - [mpm] Reduce default-verbosity noise on operational subcommands: captured stderr from underlying CLIs now logs at DEBUG instead of WARNING/ERROR; per-manager `Skip` and `does not implement` messages drop to DEBUG for implicit manager selection but stay at INFO/WARNING when the user explicitly targeted the manager; a one-line error summary fires at the end of any subcommand whose CLIs accumulated errors.

meta_package_manager/sbom/cyclonedx.py

@@ -53,7 +53,11 @@
     from cyclonedx.model.bom import Bom
     from cyclonedx.model.component import Component, ComponentType
     from cyclonedx.model.contact import OrganizationalContact, OrganizationalEntity
-    from cyclonedx.model.license import DisjunctiveLicense, LicenseExpression
+    from cyclonedx.model.license import (
+        DisjunctiveLicense,
+        LicenseExpression,
+        LicenseExpressionDetails,
+    )
     from cyclonedx.model.lifecycle import LifecyclePhase, PredefinedLifecycle
     from cyclonedx.output import make_outputter
     from cyclonedx.output.json import JsonV1Dot7
@@ -253,7 +257,24 @@ def _licenses_for(metadata: PackageMetadata) -> list:
             else:
                 return out
         if parsed is not None:
-            out.append(LicenseExpression(value=candidate))
+            # Attach SPDX canonical URLs to each identifier inside the
+            # expression. ``parsed.symbols`` is the deduped symbol set
+            # produced by the ``license_expression`` parser; every
+            # ``LicenseRef-`` and unknown-symbol case has already been
+            # rejected by ``_parse_license_expression``. Sorting by key
+            # keeps the emitted ``details`` order deterministic across
+            # runs, independent of CycloneDX's internal ``SortedSet``.
+            identifiers = sorted(
+                {getattr(s, "key", None) or str(s) for s in parsed.symbols},
+            )
+            details = tuple(
+                LicenseExpressionDetails(
+                    license_identifier=ident,
+                    url=XsUri(f"https://spdx.org/licenses/{ident}.html"),
+                )
+                for ident in identifiers
+            )
+            out.append(LicenseExpression(value=candidate, details=details))
         else:
             out.append(DisjunctiveLicense(name=candidate))
         return out

pyproject.toml

@@ -198,9 +198,12 @@ xml = [ "click-extra[xml]" ]
 # with `mpm[sbom]`.  cyclonedx-python-lib 11.4.0 is the first to expose the
 # CycloneDX 1.7 schema (`JsonV1Dot7`, `SchemaVersion.V1_7`) that
 # `meta_package_manager.sbom.CycloneDX` targets, and is also new enough to
-# support Python 3.14; spdx-tools 0.8.2 is the first version we used to
-# implement SPDX support.
-sbom = [ "cyclonedx-python-lib>=11.4", "spdx-tools>=0.8.2" ]
+# support Python 3.14; 11.9.0 introduced `LicenseExpression.details` for
+# per-identifier license-expression metadata (`LicenseExpressionDetails`),
+# which the renderer uses to attach canonical SPDX URLs to each identifier
+# inside a compound expression.  spdx-tools 0.8.2 is the first version we
+# used to implement SPDX support.
+sbom = [ "cyclonedx-python-lib>=11.9", "spdx-tools>=0.8.2" ]
 
 [project.scripts]
 mpm = "meta_package_manager.__main__:main"

tests/test_cli_sbom.py

@@ -411,6 +411,50 @@ def test_bundled_mode_cyclonedx_populates_rich_fields():
     assert_valid_cyclonedx(c.export(), ExportFormat.JSON)
 
 
+@pytest.mark.parametrize(
+    ("expression", "expected_identifiers"),
+    (
+        # Two-license compound expression.
+        ("MIT AND Apache-2.0", ("Apache-2.0", "MIT")),
+        # License combined with an SPDX exception via WITH.
+        (
+            "MIT WITH Classpath-exception-2.0",
+            ("Classpath-exception-2.0", "MIT"),
+        ),
+        # Nested parenthesized expression with three identifiers.
+        (
+            "MIT OR (Apache-2.0 AND BSD-3-Clause)",
+            ("Apache-2.0", "BSD-3-Clause", "MIT"),
+        ),
+        # Duplicates in the source collapse to a single ``details`` entry.
+        ("MIT AND MIT", ("MIT",)),
+    ),
+)
+def test_cyclonedx_compound_license_expression_details(
+    expression, expected_identifiers
+):
+    """Compound expressions emit ``LicenseExpression.details`` with a
+    canonical SPDX URL per identifier, deduped and sorted by identifier.
+    """
+    c = CycloneDX()
+    c.init_doc()
+    c.set_scan_completeness(bundled=True)
+    manager = _as_manager(_StubManager("brew", "Homebrew Formulae"))
+    pkg = _make_package("brew", "curl", "8.9.0")
+    md = PackageMetadata(license_declared=expression, license_concluded=expression)
+    c.add_package(manager, pkg, md)
+    c.finalize()
+    doc = json.loads(c.export())
+    license_obj = doc["components"][0]["licenses"][0]
+    assert license_obj["expression"] == expression
+    details = license_obj["expressionDetails"]
+    assert tuple(d["licenseIdentifier"] for d in details) == expected_identifiers
+    assert tuple(d["url"] for d in details) == tuple(
+        f"https://spdx.org/licenses/{ident}.html" for ident in expected_identifiers
+    )
+    assert_valid_cyclonedx(c.export(), ExportFormat.JSON)
+
+
 @pytest.mark.parametrize(
     ("declared", "expected_present"),
     (