uv-sbom 2.2.0

SBOM generation tool for uv projects - Generate CycloneDX SBOMs from uv.lock files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265

/// How to handle packages with unknown (None) licenses.
#[derive(Debug, Clone, PartialEq, Default)]
pub enum UnknownLicenseHandling {
    /// Emit a warning but do not fail (default).
    #[default]
    Warn,
    /// Treat as a violation.
    Deny,
    /// Silently allow.
    Allow,
}

/// A case-insensitive glob pattern for matching license identifiers.
#[derive(Debug, Clone)]
pub struct LicensePattern {
    original: String,
    matcher: LicensePatternMatcher,
}

#[derive(Debug, Clone)]
enum LicensePatternMatcher {
    /// Exact match (no wildcards).
    Exact(String),
    /// Prefix match: `MIT*` → starts with "mit".
    Prefix(String),
    /// Suffix match: `*GPL` → ends with "gpl".
    Suffix(String),
    /// Contains match: `*GPL*` → contains "gpl".
    Contains(String),
    /// Multiple wildcards: split into segments between `*`.
    Multiple(Vec<String>),
}

impl LicensePattern {
    pub fn new(pattern: &str) -> Option<Self> {
        let trimmed = pattern.trim();
        if trimmed.is_empty() || trimmed == "*" {
            return None;
        }

        let lower = trimmed.to_lowercase();

        let matcher = if !lower.contains('*') {
            LicensePatternMatcher::Exact(lower)
        } else if let Some(rest) = lower.strip_prefix('*') {
            if let Some(inner) = rest.strip_suffix('*') {
                // *inner* pattern
                if inner.contains('*') {
                    Self::build_multiple(&lower)
                } else {
                    LicensePatternMatcher::Contains(inner.to_string())
                }
            } else if rest.contains('*') {
                Self::build_multiple(&lower)
            } else {
                LicensePatternMatcher::Suffix(rest.to_string())
            }
        } else if let Some(prefix) = lower.strip_suffix('*') {
            if prefix.contains('*') {
                Self::build_multiple(&lower)
            } else {
                LicensePatternMatcher::Prefix(prefix.to_string())
            }
        } else {
            Self::build_multiple(&lower)
        };

        Some(Self {
            original: trimmed.to_string(),
            matcher,
        })
    }

    fn build_multiple(lower: &str) -> LicensePatternMatcher {
        let segments: Vec<String> = lower
            .split('*')
            .filter(|s| !s.is_empty())
            .map(|s| s.to_string())
            .collect();
        LicensePatternMatcher::Multiple(segments)
    }

    /// Returns the original pattern string.
    pub fn as_str(&self) -> &str {
        &self.original
    }

    /// Tests whether `license` matches this pattern (case-insensitive).
    pub fn matches(&self, license: &str) -> bool {
        let lower = license.to_lowercase();
        match &self.matcher {
            LicensePatternMatcher::Exact(val) => lower == *val,
            LicensePatternMatcher::Prefix(prefix) => lower.starts_with(prefix.as_str()),
            LicensePatternMatcher::Suffix(suffix) => lower.ends_with(suffix.as_str()),
            LicensePatternMatcher::Contains(inner) => lower.contains(inner.as_str()),
            LicensePatternMatcher::Multiple(segments) => {
                let mut pos = 0;
                for seg in segments {
                    match lower[pos..].find(seg.as_str()) {
                        Some(idx) => pos += idx + seg.len(),
                        None => return false,
                    }
                }
                true
            }
        }
    }
}

/// A license compliance policy with allow/deny lists and unknown handling.
#[derive(Debug, Clone)]
pub struct LicensePolicy {
    pub allow: Vec<LicensePattern>,
    pub deny: Vec<LicensePattern>,
    pub unknown: UnknownLicenseHandling,
}

impl LicensePolicy {
    /// Constructs a policy by compiling string patterns.
    ///
    /// Invalid patterns (empty / wildcard-only) are silently skipped.
    pub fn new(allow: &[String], deny: &[String], unknown: UnknownLicenseHandling) -> Self {
        Self {
            allow: allow
                .iter()
                .filter_map(|p| LicensePattern::new(p))
                .collect(),
            deny: deny.iter().filter_map(|p| LicensePattern::new(p)).collect(),
            unknown,
        }
    }
}

/// Reason a package violated the policy.
#[derive(Debug, Clone, PartialEq)]
pub enum ViolationReason {
    /// License matched a deny pattern.
    Denied,
    /// License did not match any allow pattern.
    NotAllowed,
    /// License is unknown and the policy denies unknowns.
    UnknownLicense,
}

impl ViolationReason {
    pub fn as_str(&self) -> &'static str {
        match self {
            Self::Denied => "Denied by policy",
            Self::NotAllowed => "Not in allow list",
            Self::UnknownLicense => "Unknown license",
        }
    }
}

/// A single package that violates the license policy.
#[derive(Debug, Clone)]
pub struct LicenseViolation {
    pub package_name: String,
    pub package_version: String,
    pub license: Option<String>,
    pub reason: ViolationReason,
    pub matched_pattern: Option<String>,
}

/// A package whose license is unknown, handled as a warning.
#[derive(Debug, Clone)]
pub struct LicenseWarning {
    pub package_name: String,
    pub package_version: String,
}

/// Result of a license compliance check.
#[derive(Debug, Clone)]
pub struct LicenseComplianceResult {
    pub violations: Vec<LicenseViolation>,
    pub warnings: Vec<LicenseWarning>,
}

impl LicenseComplianceResult {
    pub fn has_violations(&self) -> bool {
        !self.violations.is_empty()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    // -- LicensePattern tests --

    #[test]
    fn test_empty_pattern_rejected() {
        assert!(LicensePattern::new("").is_none());
        assert!(LicensePattern::new("  ").is_none());
    }

    #[test]
    fn test_wildcard_only_rejected() {
        assert!(LicensePattern::new("*").is_none());
    }

    #[test]
    fn test_exact_match_case_insensitive() {
        let p = LicensePattern::new("MIT").unwrap();
        assert!(p.matches("MIT"));
        assert!(p.matches("mit"));
        assert!(p.matches("Mit"));
        assert!(!p.matches("MIT-0"));
    }

    #[test]
    fn test_prefix_match() {
        let p = LicensePattern::new("BSD-*").unwrap();
        assert!(p.matches("BSD-2-Clause"));
        assert!(p.matches("BSD-3-Clause"));
        assert!(p.matches("bsd-3-clause"));
        assert!(!p.matches("MIT"));
    }

    #[test]
    fn test_suffix_match() {
        let p = LicensePattern::new("*-only").unwrap();
        assert!(p.matches("GPL-3.0-only"));
        assert!(p.matches("gpl-3.0-only"));
        assert!(!p.matches("GPL-3.0-or-later"));
    }

    #[test]
    fn test_contains_match() {
        let p = LicensePattern::new("*GPL*").unwrap();
        assert!(p.matches("GPL-3.0"));
        assert!(p.matches("LGPL-2.1"));
        assert!(p.matches("AGPL-3.0-only"));
        assert!(!p.matches("MIT"));
    }

    #[test]
    fn test_multiple_wildcards() {
        let p = LicensePattern::new("*GPL*only").unwrap();
        assert!(p.matches("GPL-3.0-only"));
        assert!(p.matches("AGPL-3.0-only"));
        assert!(!p.matches("GPL-3.0-or-later"));
    }

    // -- LicensePolicy tests --

    #[test]
    fn test_policy_skips_invalid_patterns() {
        let policy = LicensePolicy::new(
            &["MIT".to_string(), "".to_string(), "*".to_string()],
            &[],
            UnknownLicenseHandling::Warn,
        );
        assert_eq!(policy.allow.len(), 1);
    }

    // -- ViolationReason display --

    #[test]
    fn test_violation_reason_as_str() {
        assert_eq!(ViolationReason::Denied.as_str(), "Denied by policy");
        assert_eq!(ViolationReason::NotAllowed.as_str(), "Not in allow list");
        assert_eq!(ViolationReason::UnknownLicense.as_str(), "Unknown license");
    }
}