chore: trimp patch version for spdx validation

anchore · May 23, 2024 · 7f0ca2d · 7f0ca2d
1 parent b81bc08
commit 7f0ca2d
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
@@ -124,7 +124,7 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 		CreationInfo: &spdx.CreationInfo{
 			// 6.7: License List Version
 			// Cardinality: optional, one
-			LicenseListVersion: spdxlicense.Version,
+			LicenseListVersion: trimPatchVersion(spdxlicense.Version),
 
 			// 6.8: Creators: may have multiple keys for Person, Organization
 			//      and/or Tool
@@ -791,3 +791,14 @@ func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVeri
 		Value: fmt.Sprintf("%+x", hasher.Sum(nil)),
 	}
 }
+
+// SPDX 2.2 spec requires that the patch version be removed from the semver string
+// for the license list version field
+func trimPatchVersion(semver string) string {
+    parts := strings.Split(semver, ".")
+    if len(parts) >= 3 {
+        return strings.Join(parts[:2], ".")
+    }
+    return semver
+}
+