edgefirst-imu 3.0.2

EdgeFirst IMU Service for BNO08x sensors
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265

#!/usr/bin/env python3
"""
Validate NOTICE file against SBOM (CycloneDX format)
Ensures NOTICE file lists all first-level dependencies requiring attribution

LICENSE POLICY SOURCE:
This script implements NOTICE file validation per the Au-Zone Software Process Specification.
Last synchronized with policy version: 2.0 (2025-11-24)

IMPORTANT: The NOTICE file is manually curated by developers and describes:
  1. First-level dependencies requiring attribution (MIT, Apache-2.0, BSD, etc.)
  2. Proprietary licenses with special terms (e.g., NXP Proprietary)
  3. License exceptions approved by VP R&D

The NOTICE file is NOT auto-generated. This validator only checks that first-level
dependencies match between NOTICE and sbom.json, and warns about discrepancies.

CUSTOMIZATION:
- Update ATTRIBUTION_REQUIRED_LICENSES to match your attribution requirements
- Update PROPRIETARY_LICENSES to match your approved proprietary licenses
"""

import json
import sys
import re
from typing import Set, List, Dict, Tuple

# Licenses that require attribution in NOTICE file
ATTRIBUTION_REQUIRED_LICENSES: Set[str] = {
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSD-4-Clause",
    "MIT",
    "ISC",
    "IJG",
}

# Proprietary licenses that should always be in NOTICE
PROPRIETARY_LICENSES: Set[str] = {
    "NXP-Proprietary",
    "NXP Proprietary",
    "Proprietary",
}

# Known packages with correct licenses that cargo-cyclonedx fails to detect
# These are manually verified and should be included in NOTICE validation
KNOWN_ATTRIBUTION_PACKAGES: Set[str] = {
    "dma-buf",   # MIT license (cargo-cyclonedx reports as "Unknown")
    "dma-heap",  # MIT license (cargo-cyclonedx reports as "Unknown")
}


def extract_license_from_component(component: Dict) -> Set[str]:
    """Extract all license identifiers from a component."""
    licenses: Set[str] = set()

    if "licenses" not in component:
        return licenses

    for lic_entry in component["licenses"]:
        # Check for direct license ID
        if "license" in lic_entry:
            if "id" in lic_entry["license"]:
                licenses.add(lic_entry["license"]["id"])
            # Also check for license name (for proprietary/non-SPDX licenses)
            elif "name" in lic_entry["license"]:
                licenses.add(lic_entry["license"]["name"])

        # Check for SPDX expression
        if "expression" in lic_entry:
            expr = lic_entry["expression"]
            # Parse expression (simplified - splits on OR/AND/WITH)
            parts = expr.replace("(", "").replace(")", "")
            parts = parts.replace(" OR ", " ").replace(" AND ", " ").replace(" WITH ", " ")
            for part in parts.split():
                if part and not part.isspace():
                    licenses.add(part)

    return licenses


def get_first_level_dependencies(sbom: Dict) -> Set[str]:
    """
    Extract first-level (direct) dependencies from SBOM.

    First-level dependencies are those directly required by the project,
    not transitive dependencies of dependencies.
    """
    first_level: Set[str] = set()

    # Get the metadata component (the project itself)
    metadata = sbom.get("metadata", {})
    project_component = metadata.get("component", {})
    project_ref = project_component.get("bom-ref", "")

    # Get dependencies graph
    dependencies = sbom.get("dependencies", [])

    # Find the project's direct dependencies
    first_level_refs = []
    for dep_entry in dependencies:
        if dep_entry.get("ref") == project_ref:
            # These are the direct dependencies of the project
            first_level_refs = dep_entry.get("dependsOn", [])
            break
    
    # If no dependency graph found, this is likely from cargo-cyclonedx
    # In this case, we should skip validation or use a different approach
    if not first_level_refs and not dependencies:
        print("⚠️  WARNING: No dependency graph found in SBOM.")
        print("   Skipping NOTICE validation - SBOM may be incomplete.")
        print("   Ensure cargo-cyclonedx runs with --all flag.")
        return set()  # Return empty set to skip validation

    # Map bom-ref to component name+version
    components = sbom.get("components", [])
    ref_to_component = {c.get("bom-ref"): c for c in components}

    for ref in first_level_refs:
        if ref in ref_to_component:
            component = ref_to_component[ref]
            name = component.get("name", "unknown")
            version = component.get("version", "unknown")
            licenses = extract_license_from_component(component)

            # Include if it requires attribution, is proprietary, or is in known packages list
            if (licenses.intersection(ATTRIBUTION_REQUIRED_LICENSES) or
                licenses.intersection(PROPRIETARY_LICENSES) or
                name in KNOWN_ATTRIBUTION_PACKAGES):
                first_level.add(f"{name} {version}")

    return first_level


def parse_notice_file(notice_path: str) -> Set[str]:
    """
    Parse NOTICE file to extract listed dependencies.

    Looks for lines like:
      * package-name 1.2.3 (MIT)
      * NXP BSP - NXP Proprietary
    """
    listed_deps: Set[str] = set()

    try:
        with open(notice_path, 'r') as f:
            content = f.read()
    except Exception as e:
        print(f"Error reading NOTICE file: {e}", file=sys.stderr)
        sys.exit(1)

    # Match patterns like: "  * package-name 1.2.3 (License)"
    pattern = r'^\s*\*\s+(\S+)\s+([\d.]+(?:-[\w.]+)?)\s+\(.*?\)'

    # Also match proprietary entries: "  * NXP BSP - NXP Proprietary"
    proprietary_pattern = r'^\s*\*\s+(.+?)\s+-\s+.*Proprietary'

    for line in content.split('\n'):
        match = re.match(pattern, line)
        if match:
            name = match.group(1)
            version = match.group(2)
            listed_deps.add(f"{name} {version}")
        else:
            prop_match = re.match(proprietary_pattern, line)
            if prop_match:
                # For proprietary entries, just use the name
                listed_deps.add(prop_match.group(1))

    return listed_deps


def validate_notice(notice_path: str, sbom_path: str) -> Tuple[bool, List[str], List[str]]:
    """
    Validate NOTICE file against SBOM.

    Returns:
        (passed, missing_deps, extra_deps)
    """
    try:
        with open(sbom_path, 'r') as f:
            sbom = json.load(f)
    except Exception as e:
        print(f"Error reading SBOM: {e}", file=sys.stderr)
        sys.exit(1)

    # Get first-level dependencies from SBOM
    sbom_first_level = get_first_level_dependencies(sbom)

    # Get listed dependencies from NOTICE
    notice_deps = parse_notice_file(notice_path)

    # Find missing and extra dependencies
    missing_deps = list(sbom_first_level - notice_deps)
    extra_deps = list(notice_deps - sbom_first_level)

    missing_deps.sort()
    extra_deps.sort()

    passed = len(missing_deps) == 0 and len(extra_deps) == 0

    return passed, missing_deps, extra_deps


def main():
    if len(sys.argv) != 3:
        print("Usage: validate_notice.py <NOTICE> <sbom.json>", file=sys.stderr)
        sys.exit(1)

    notice_path = sys.argv[1]
    sbom_path = sys.argv[2]

    passed, missing_deps, extra_deps = validate_notice(notice_path, sbom_path)

    print("=" * 80)
    print("NOTICE File Validation")
    print("=" * 80)
    print()

    if missing_deps:
        print("MISSING FROM NOTICE FILE:")
        print("-" * 80)
        print("The following first-level dependencies require attribution but are")
        print("missing from the NOTICE file:")
        print()
        for dep in missing_deps:
            print(f"{dep}")
        print()

    if extra_deps:
        print("EXTRA IN NOTICE FILE:")
        print("-" * 80)
        print("The following dependencies are listed in NOTICE but are not")
        print("first-level dependencies in sbom.json:")
        print()
        for dep in extra_deps:
            print(f"{dep}")
        print()

    if passed:
        print("✓ NOTICE file validation PASSED!")
        print("  All first-level dependencies are properly documented.")
        print()
        sys.exit(0)
    elif len(missing_deps) == 0 and len(extra_deps) == 0:
        # Validation was skipped due to missing dependency graph
        print("⚠️  NOTICE file validation SKIPPED!")
        print("  SBOM does not contain dependency graph.")
        print("  This is a warning, not a failure.")
        print()
        sys.exit(0)
    else:
        print("✗ NOTICE file validation FAILED!")
        print()
        print("ACTION REQUIRED:")
        print("  1. Review the missing/extra dependencies above")
        print("  2. Manually update the NOTICE file to match first-level dependencies")
        print("  3. Re-run this validation script")
        print()
        sys.exit(1)


if __name__ == "__main__":
    main()