Support license information in SBOM writers library.
Bug: 324465531
Test: CIs
Test: atest --host sbom_data_test sbom_writers_test
Test: build/soong/tests/sbom_test.sh
Change-Id: Iac2be2e65f308caabb11237e72dbdc6b047cfd55
diff --git a/tools/sbom/sbom_data.py b/tools/sbom/sbom_data.py
index b5ac8a5..fc5c704 100644
--- a/tools/sbom/sbom_data.py
+++ b/tools/sbom/sbom_data.py
@@ -30,6 +30,7 @@
SPDXID_DOC = 'SPDXRef-DOCUMENT'
SPDXID_PRODUCT = 'SPDXRef-PRODUCT'
SPDXID_PLATFORM = 'SPDXRef-PLATFORM'
+SPDXID_LICENSE_APACHE = 'LicenseRef-Android-Apache-2.0'
PACKAGE_NAME_PRODUCT = 'PRODUCT'
PACKAGE_NAME_PLATFORM = 'PLATFORM'
@@ -50,7 +51,7 @@
cpe23Type = 'cpe23Type'
-@dataclass
+@dataclass(frozen=True)
class PackageExternalRef:
category: PackageExternalRefCategory
type: PackageExternalRefType
@@ -68,6 +69,7 @@
verification_code: str = None
file_ids: List[str] = field(default_factory=list)
external_refs: List[PackageExternalRef] = field(default_factory=list)
+ declared_license_ids: List[str] = field(default_factory=list)
@dataclass
@@ -75,6 +77,7 @@
id: str
name: str
checksum: str
+ concluded_license_ids: List[str] = field(default_factory=list)
class RelationshipType:
@@ -85,20 +88,27 @@
STATIC_LINK = 'STATIC_LINK'
-@dataclass
+@dataclass(frozen=True)
class Relationship:
id1: str
relationship: RelationshipType
id2: str
-@dataclass
+@dataclass(frozen=True)
class DocumentExternalReference:
id: str
uri: str
checksum: str
+@dataclass(frozen=True)
+class License:
+ id: str
+ text: str
+ name: str
+
+
@dataclass
class Document:
name: str
@@ -111,20 +121,30 @@
packages: List[Package] = field(default_factory=list)
files: List[File] = field(default_factory=list)
relationships: List[Relationship] = field(default_factory=list)
+ licenses: List[License] = field(default_factory=list)
def add_external_ref(self, external_ref):
if not any(external_ref.uri == ref.uri for ref in self.external_refs):
self.external_refs.append(external_ref)
def add_package(self, package):
- if not any(package.id == p.id for p in self.packages):
+ p = next((p for p in self.packages if package.id == p.id), None)
+ if not p:
self.packages.append(package)
+ else:
+ for license_id in package.declared_license_ids:
+ if license_id not in p.declared_license_ids:
+ p.declared_license_ids.append(license_id)
def add_relationship(self, rel):
if not any(rel.id1 == r.id1 and rel.id2 == r.id2 and rel.relationship == r.relationship
for r in self.relationships):
self.relationships.append(rel)
+ def add_license(self, license):
+ if not any(license.id == l.id for l in self.licenses):
+ self.licenses.append(license)
+
def generate_packages_verification_code(self):
for package in self.packages:
if not package.file_ids:
diff --git a/tools/sbom/sbom_data_test.py b/tools/sbom/sbom_data_test.py
index 69bc9d2..9d987c4 100644
--- a/tools/sbom/sbom_data_test.py
+++ b/tools/sbom/sbom_data_test.py
@@ -23,6 +23,7 @@
SUPPLIER_UPSTREAM = 'Organization: upstream'
SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
+SPDXID_PREBUILT_PACKAGE2 = 'SPDXRef-PREBUILT-package2'
SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'
@@ -31,6 +32,9 @@
SPDXID_FILE3 = 'SPDXRef-file3'
SPDXID_FILE4 = 'SPDXRef-file4'
+SPDXID_LICENSE1 = "SPDXRef-License-1"
+SPDXID_LICENSE2 = "SPDXRef-License-2"
+
class SBOMDataTest(unittest.TestCase):
@@ -134,6 +138,47 @@
self.sbom_doc.generate_packages_verification_code()
self.assertEqual(expected_package_verification_code, self.sbom_doc.packages[0].verification_code)
+ def test_add_package_(self):
+ self.sbom_doc.add_package(sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE2,
+ name='Prebuilt package2',
+ download_location=sbom_data.VALUE_NONE,
+ supplier=SUPPLIER_GOOGLE,
+ version=BUILD_FINGER_PRINT,
+ ))
+ p = next((p for p in self.sbom_doc.packages if p.id == SPDXID_PREBUILT_PACKAGE2), None)
+ self.assertNotEqual(p, None)
+ self.assertEqual(p.declared_license_ids, [])
+
+ # Add same package with license 1
+ self.sbom_doc.add_package(sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE2,
+ name='Prebuilt package2',
+ download_location=sbom_data.VALUE_NONE,
+ supplier=SUPPLIER_GOOGLE,
+ version=BUILD_FINGER_PRINT,
+ declared_license_ids=[SPDXID_LICENSE1]
+ ))
+ self.assertEqual(p.declared_license_ids, [SPDXID_LICENSE1])
+
+ # Add same package with license 2
+ self.sbom_doc.add_package(sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE2,
+ name='Prebuilt package2',
+ download_location=sbom_data.VALUE_NONE,
+ supplier=SUPPLIER_GOOGLE,
+ version=BUILD_FINGER_PRINT,
+ declared_license_ids=[SPDXID_LICENSE2]
+ ))
+ self.assertEqual(p.declared_license_ids, [SPDXID_LICENSE1, SPDXID_LICENSE2])
+
+ # Add same package with license 2 again
+ self.sbom_doc.add_package(sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE2,
+ name='Prebuilt package2',
+ download_location=sbom_data.VALUE_NONE,
+ supplier=SUPPLIER_GOOGLE,
+ version=BUILD_FINGER_PRINT,
+ declared_license_ids=[SPDXID_LICENSE2]
+ ))
+ self.assertEqual(p.declared_license_ids, [SPDXID_LICENSE1, SPDXID_LICENSE2])
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/tools/sbom/sbom_writers.py b/tools/sbom/sbom_writers.py
index 1cb864d..26b3c57 100644
--- a/tools/sbom/sbom_writers.py
+++ b/tools/sbom/sbom_writers.py
@@ -64,6 +64,11 @@
# Relationship
RELATIONSHIP = 'Relationship'
+ # License
+ LICENSE_ID = 'LicenseID'
+ LICENSE_NAME = 'LicenseName'
+ LICENSE_EXTRACTED_TEXT = 'ExtractedText'
+
class TagValueWriter:
@staticmethod
@@ -99,6 +104,12 @@
tagvalues.append(f'{Tags.PACKAGE_VERSION}: {package.version}')
if package.supplier:
tagvalues.append(f'{Tags.PACKAGE_SUPPLIER}: {package.supplier}')
+
+ license = sbom_data.VALUE_NOASSERTION
+ if package.declared_license_ids:
+ license = ' OR '.join(package.declared_license_ids)
+ tagvalues.append(f'{Tags.PACKAGE_LICENSE_DECLARED}: {license}')
+
if package.verification_code:
tagvalues.append(f'{Tags.PACKAGE_VERIFICATION_CODE}: {package.verification_code}')
if package.external_refs:
@@ -155,8 +166,12 @@
f'{Tags.FILE_NAME}: {file.name}',
f'{Tags.SPDXID}: {file.id}',
f'{Tags.FILE_CHECKSUM}: {file.checksum}',
- '',
]
+ license = sbom_data.VALUE_NOASSERTION
+ if file.concluded_license_ids:
+ license = ' OR '.join(file.concluded_license_ids)
+ tagvalues.append(f'{Tags.FILE_LICENSE_CONCLUDED}: {license}')
+ tagvalues.append('')
return tagvalues
@@ -194,6 +209,22 @@
return tagvalues
@staticmethod
+ def marshal_license(license):
+ tagvalues = []
+ tagvalues.append(f'{Tags.LICENSE_ID}: {license.id}')
+ tagvalues.append(f'{Tags.LICENSE_NAME}: {license.name}')
+ tagvalues.append(f'{Tags.LICENSE_EXTRACTED_TEXT}: <text>{license.text}</text>')
+ return tagvalues
+
+ @staticmethod
+ def marshal_licenses(sbom_doc):
+ tagvalues = []
+ for license in sbom_doc.licenses:
+ tagvalues += TagValueWriter.marshal_license(license)
+ tagvalues.append('')
+ return tagvalues
+
+ @staticmethod
def write(sbom_doc, file, fragment=False):
content = []
if not fragment:
@@ -202,6 +233,7 @@
tagvalues, marshaled_relationships = TagValueWriter.marshal_packages(sbom_doc, fragment)
content += tagvalues
content += TagValueWriter.marshal_relationships(sbom_doc, marshaled_relationships)
+ content += TagValueWriter.marshal_licenses(sbom_doc)
file.write('\n'.join(content))
@@ -236,11 +268,13 @@
PACKAGE_EXTERNAL_REF_TYPE = 'referenceType'
PACKAGE_EXTERNAL_REF_LOCATOR = 'referenceLocator'
PACKAGE_HAS_FILES = 'hasFiles'
+ PACKAGE_LICENSE_DECLARED = 'licenseDeclared'
# File
FILES = 'files'
FILE_NAME = 'fileName'
FILE_CHECKSUMS = 'checksums'
+ FILE_LICENSE_CONCLUDED = 'licenseConcluded'
# Relationship
RELATIONSHIPS = 'relationships'
@@ -248,6 +282,12 @@
REL_RELATED_ELEMENT_ID = 'relatedSpdxElement'
REL_TYPE = 'relationshipType'
+ # License
+ LICENSES = 'hasExtractedLicensingInfos'
+ LICENSE_ID = 'licenseId'
+ LICENSE_NAME = 'name'
+ LICENSE_EXTRACTED_TEXT = 'extractedText'
+
class JSONWriter:
@staticmethod
@@ -294,6 +334,9 @@
package[PropNames.PACKAGE_VERSION] = p.version
if p.supplier:
package[PropNames.PACKAGE_SUPPLIER] = p.supplier
+ package[PropNames.PACKAGE_LICENSE_DECLARED] = sbom_data.VALUE_NOASSERTION
+ if p.declared_license_ids:
+ package[PropNames.PACKAGE_LICENSE_DECLARED] = ' OR '.join(p.declared_license_ids)
if p.verification_code:
package[PropNames.PACKAGE_VERIFICATION_CODE] = {
PropNames.PACKAGE_VERIFICATION_CODE_VALUE: p.verification_code
@@ -329,6 +372,9 @@
PropNames.ALGORITHM: checksum[0],
PropNames.CHECKSUM_VALUE: checksum[1],
}]
+ file[PropNames.FILE_LICENSE_CONCLUDED] = sbom_data.VALUE_NOASSERTION
+ if f.concluded_license_ids:
+ file[PropNames.FILE_LICENSE_CONCLUDED] = ' OR '.join(f.concluded_license_ids)
files.append(file)
return {PropNames.FILES: files}
@@ -347,10 +393,22 @@
return {PropNames.RELATIONSHIPS: relationships}
@staticmethod
+ def marshal_licenses(sbom_doc):
+ licenses = []
+ for l in sbom_doc.licenses:
+ licenses.append({
+ PropNames.LICENSE_ID: l.id,
+ PropNames.LICENSE_NAME: l.name,
+ PropNames.LICENSE_EXTRACTED_TEXT: f'<text>{l.text}</text>'
+ })
+ return {PropNames.LICENSES: licenses}
+
+ @staticmethod
def write(sbom_doc, file):
doc = {}
doc.update(JSONWriter.marshal_doc_headers(sbom_doc))
doc.update(JSONWriter.marshal_packages(sbom_doc))
doc.update(JSONWriter.marshal_files(sbom_doc))
doc.update(JSONWriter.marshal_relationships(sbom_doc))
+ doc.update(JSONWriter.marshal_licenses(sbom_doc))
file.write(json.dumps(doc, indent=4))
diff --git a/tools/sbom/sbom_writers_test.py b/tools/sbom/sbom_writers_test.py
index cf85e01..f9f5230 100644
--- a/tools/sbom/sbom_writers_test.py
+++ b/tools/sbom/sbom_writers_test.py
@@ -33,6 +33,14 @@
SPDXID_FILE3 = 'SPDXRef-file3'
SPDXID_FILE4 = 'SPDXRef-file4'
+SPDXID_LICENSE_1 = 'LicenseRef-Android-License-1'
+SPDXID_LICENSE_2 = 'LicenseRef-Android-License-2'
+SPDXID_LICENSE_3 = 'LicenseRef-Android-License-3'
+
+LICENSE_APACHE_TEXT = "LICENSE_APACHE"
+LICENSE1_TEXT = 'LICENSE 1'
+LICENSE2_TEXT = 'LICENSE 2'
+LICENSE3_TEXT = 'LICENSE 3'
class SBOMWritersTest(unittest.TestCase):
@@ -63,6 +71,7 @@
download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
+ declared_license_ids=[sbom_data.SPDXID_LICENSE_APACHE]
))
self.sbom_doc.add_package(
@@ -71,6 +80,7 @@
download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
+ declared_license_ids=[SPDXID_LICENSE_1],
))
self.sbom_doc.add_package(
@@ -79,6 +89,7 @@
download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
+ declared_license_ids=[SPDXID_LICENSE_2, SPDXID_LICENSE_3],
external_refs=[sbom_data.PackageExternalRef(
category=sbom_data.PackageExternalRefCategory.SECURITY,
type=sbom_data.PackageExternalRefType.cpe22Type,
@@ -90,6 +101,7 @@
name='Upstream package1',
supplier=SUPPLIER_UPSTREAM,
version='1.1',
+ declared_license_ids=[SPDXID_LICENSE_2, SPDXID_LICENSE_3],
))
self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
@@ -97,11 +109,11 @@
id2=SPDXID_UPSTREAM_PACKAGE1))
self.sbom_doc.files.append(
- sbom_data.File(id=SPDXID_FILE1, name='/bin/file1', checksum='SHA1: 11111'))
+ sbom_data.File(id=SPDXID_FILE1, name='/bin/file1', checksum='SHA1: 11111', concluded_license_ids=[sbom_data.SPDXID_LICENSE_APACHE]))
self.sbom_doc.files.append(
- sbom_data.File(id=SPDXID_FILE2, name='/bin/file2', checksum='SHA1: 22222'))
+ sbom_data.File(id=SPDXID_FILE2, name='/bin/file2', checksum='SHA1: 22222', concluded_license_ids=[SPDXID_LICENSE_1]))
self.sbom_doc.files.append(
- sbom_data.File(id=SPDXID_FILE3, name='/bin/file3', checksum='SHA1: 33333'))
+ sbom_data.File(id=SPDXID_FILE3, name='/bin/file3', checksum='SHA1: 33333', concluded_license_ids=[SPDXID_LICENSE_2, SPDXID_LICENSE_3]))
self.sbom_doc.files.append(
sbom_data.File(id=SPDXID_FILE4, name='file4.a', checksum='SHA1: 44444'))
@@ -120,6 +132,11 @@
id2=SPDXID_FILE4
))
+ self.sbom_doc.add_license(sbom_data.License(sbom_data.SPDXID_LICENSE_APACHE, LICENSE_APACHE_TEXT, "License-Apache"))
+ self.sbom_doc.add_license(sbom_data.License(SPDXID_LICENSE_1, LICENSE1_TEXT, "License-1"))
+ self.sbom_doc.add_license(sbom_data.License(SPDXID_LICENSE_2, LICENSE2_TEXT, "License-2"))
+ self.sbom_doc.add_license(sbom_data.License(SPDXID_LICENSE_3, LICENSE3_TEXT, "License-3"))
+
# SBOM fragment of a APK
self.unbundled_sbom_doc = sbom_data.Document(name='test doc',
namespace='http://www.google.com/sbom/spdx/android',
diff --git a/tools/sbom/testdata/expected_json_sbom.spdx.json b/tools/sbom/testdata/expected_json_sbom.spdx.json
index 53936c5..a877810 100644
--- a/tools/sbom/testdata/expected_json_sbom.spdx.json
+++ b/tools/sbom/testdata/expected_json_sbom.spdx.json
@@ -31,6 +31,7 @@
"filesAnalyzed": true,
"versionInfo": "build_finger_print",
"supplier": "Organization: Google",
+ "licenseDeclared": "NOASSERTION",
"packageVerificationCode": {
"packageVerificationCodeValue": "123456"
},
@@ -46,7 +47,8 @@
"downloadLocation": "NONE",
"filesAnalyzed": false,
"versionInfo": "build_finger_print",
- "supplier": "Organization: Google"
+ "supplier": "Organization: Google",
+ "licenseDeclared": "LicenseRef-Android-Apache-2.0"
},
{
"name": "Prebuilt package1",
@@ -54,7 +56,8 @@
"downloadLocation": "NONE",
"filesAnalyzed": false,
"versionInfo": "build_finger_print",
- "supplier": "Organization: Google"
+ "supplier": "Organization: Google",
+ "licenseDeclared": "LicenseRef-Android-License-1"
},
{
"name": "Source package1",
@@ -63,6 +66,7 @@
"filesAnalyzed": false,
"versionInfo": "build_finger_print",
"supplier": "Organization: Google",
+ "licenseDeclared": "LicenseRef-Android-License-2 OR LicenseRef-Android-License-3",
"externalRefs": [
{
"referenceCategory": "SECURITY",
@@ -77,7 +81,8 @@
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"versionInfo": "1.1",
- "supplier": "Organization: upstream"
+ "supplier": "Organization: upstream",
+ "licenseDeclared": "LicenseRef-Android-License-2 OR LicenseRef-Android-License-3"
}
],
"files": [
@@ -89,7 +94,8 @@
"algorithm": "SHA1",
"checksumValue": "11111"
}
- ]
+ ],
+ "licenseConcluded": "LicenseRef-Android-Apache-2.0"
},
{
"fileName": "/bin/file2",
@@ -99,7 +105,8 @@
"algorithm": "SHA1",
"checksumValue": "22222"
}
- ]
+ ],
+ "licenseConcluded": "LicenseRef-Android-License-1"
},
{
"fileName": "/bin/file3",
@@ -109,7 +116,8 @@
"algorithm": "SHA1",
"checksumValue": "33333"
}
- ]
+ ],
+ "licenseConcluded": "LicenseRef-Android-License-2 OR LicenseRef-Android-License-3"
},
{
"fileName": "file4.a",
@@ -119,7 +127,8 @@
"algorithm": "SHA1",
"checksumValue": "44444"
}
- ]
+ ],
+ "licenseConcluded": "NOASSERTION"
}
],
"relationships": [
@@ -148,5 +157,27 @@
"relatedSpdxElement": "SPDXRef-UPSTREAM-package1",
"relationshipType": "VARIANT_OF"
}
+ ],
+ "hasExtractedLicensingInfos": [
+ {
+ "licenseId": "LicenseRef-Android-Apache-2.0",
+ "name": "License-Apache",
+ "extractedText": "<text>LICENSE_APACHE</text>"
+ },
+ {
+ "licenseId": "LicenseRef-Android-License-1",
+ "name": "License-1",
+ "extractedText": "<text>LICENSE 1</text>"
+ },
+ {
+ "licenseId": "LicenseRef-Android-License-2",
+ "name": "License-2",
+ "extractedText": "<text>LICENSE 2</text>"
+ },
+ {
+ "licenseId": "LicenseRef-Android-License-3",
+ "name": "License-3",
+ "extractedText": "<text>LICENSE 3</text>"
+ }
]
}
\ No newline at end of file
diff --git a/tools/sbom/testdata/expected_tagvalue_sbom.spdx b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
index e6fd17e..1c54410 100644
--- a/tools/sbom/testdata/expected_tagvalue_sbom.spdx
+++ b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
@@ -10,6 +10,7 @@
FileName: file4.a
SPDXID: SPDXRef-file4
FileChecksum: SHA1: 44444
+LicenseConcluded: NOASSERTION
PackageName: PRODUCT
SPDXID: SPDXRef-PRODUCT
@@ -17,6 +18,7 @@
FilesAnalyzed: true
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: NOASSERTION
PackageVerificationCode: 123456
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-PRODUCT
@@ -24,14 +26,17 @@
FileName: /bin/file1
SPDXID: SPDXRef-file1
FileChecksum: SHA1: 11111
+LicenseConcluded: LicenseRef-Android-Apache-2.0
FileName: /bin/file2
SPDXID: SPDXRef-file2
FileChecksum: SHA1: 22222
+LicenseConcluded: LicenseRef-Android-License-1
FileName: /bin/file3
SPDXID: SPDXRef-file3
FileChecksum: SHA1: 33333
+LicenseConcluded: LicenseRef-Android-License-2 OR LicenseRef-Android-License-3
PackageName: PLATFORM
SPDXID: SPDXRef-PLATFORM
@@ -39,6 +44,7 @@
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: LicenseRef-Android-Apache-2.0
PackageName: Prebuilt package1
SPDXID: SPDXRef-PREBUILT-package1
@@ -46,6 +52,7 @@
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: LicenseRef-Android-License-1
PackageName: Source package1
SPDXID: SPDXRef-SOURCE-package1
@@ -53,6 +60,7 @@
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: LicenseRef-Android-License-2 OR LicenseRef-Android-License-3
ExternalRef: SECURITY cpe22Type cpe:/a:jsoncpp_project:jsoncpp:1.9.4
PackageName: Upstream package1
@@ -61,6 +69,7 @@
FilesAnalyzed: false
PackageVersion: 1.1
PackageSupplier: Organization: upstream
+PackageLicenseDeclared: LicenseRef-Android-License-2 OR LicenseRef-Android-License-3
Relationship: SPDXRef-SOURCE-package1 VARIANT_OF SPDXRef-UPSTREAM-package1
@@ -68,3 +77,19 @@
Relationship: SPDXRef-file2 GENERATED_FROM SPDXRef-PREBUILT-package1
Relationship: SPDXRef-file3 GENERATED_FROM SPDXRef-SOURCE-package1
Relationship: SPDXRef-file1 STATIC_LINK SPDXRef-file4
+
+LicenseID: LicenseRef-Android-Apache-2.0
+LicenseName: License-Apache
+ExtractedText: <text>LICENSE_APACHE</text>
+
+LicenseID: LicenseRef-Android-License-1
+LicenseName: License-1
+ExtractedText: <text>LICENSE 1</text>
+
+LicenseID: LicenseRef-Android-License-2
+LicenseName: License-2
+ExtractedText: <text>LICENSE 2</text>
+
+LicenseID: LicenseRef-Android-License-3
+LicenseName: License-3
+ExtractedText: <text>LICENSE 3</text>
diff --git a/tools/sbom/testdata/expected_tagvalue_sbom_doc_describes_file.spdx b/tools/sbom/testdata/expected_tagvalue_sbom_doc_describes_file.spdx
index 428d7e3..36afc8b 100644
--- a/tools/sbom/testdata/expected_tagvalue_sbom_doc_describes_file.spdx
+++ b/tools/sbom/testdata/expected_tagvalue_sbom_doc_describes_file.spdx
@@ -10,6 +10,7 @@
FileName: file4.a
SPDXID: SPDXRef-file4
FileChecksum: SHA1: 44444
+LicenseConcluded: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-file4
@@ -19,19 +20,23 @@
FilesAnalyzed: true
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: NOASSERTION
PackageVerificationCode: 123456
FileName: /bin/file1
SPDXID: SPDXRef-file1
FileChecksum: SHA1: 11111
+LicenseConcluded: LicenseRef-Android-Apache-2.0
FileName: /bin/file2
SPDXID: SPDXRef-file2
FileChecksum: SHA1: 22222
+LicenseConcluded: LicenseRef-Android-License-1
FileName: /bin/file3
SPDXID: SPDXRef-file3
FileChecksum: SHA1: 33333
+LicenseConcluded: LicenseRef-Android-License-2 OR LicenseRef-Android-License-3
PackageName: PLATFORM
SPDXID: SPDXRef-PLATFORM
@@ -39,6 +44,7 @@
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: LicenseRef-Android-Apache-2.0
PackageName: Prebuilt package1
SPDXID: SPDXRef-PREBUILT-package1
@@ -46,6 +52,7 @@
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: LicenseRef-Android-License-1
PackageName: Source package1
SPDXID: SPDXRef-SOURCE-package1
@@ -53,6 +60,7 @@
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: LicenseRef-Android-License-2 OR LicenseRef-Android-License-3
ExternalRef: SECURITY cpe22Type cpe:/a:jsoncpp_project:jsoncpp:1.9.4
PackageName: Upstream package1
@@ -61,6 +69,7 @@
FilesAnalyzed: false
PackageVersion: 1.1
PackageSupplier: Organization: upstream
+PackageLicenseDeclared: LicenseRef-Android-License-2 OR LicenseRef-Android-License-3
Relationship: SPDXRef-SOURCE-package1 VARIANT_OF SPDXRef-UPSTREAM-package1
@@ -68,3 +77,19 @@
Relationship: SPDXRef-file2 GENERATED_FROM SPDXRef-PREBUILT-package1
Relationship: SPDXRef-file3 GENERATED_FROM SPDXRef-SOURCE-package1
Relationship: SPDXRef-file1 STATIC_LINK SPDXRef-file4
+
+LicenseID: LicenseRef-Android-Apache-2.0
+LicenseName: License-Apache
+ExtractedText: <text>LICENSE_APACHE</text>
+
+LicenseID: LicenseRef-Android-License-1
+LicenseName: License-1
+ExtractedText: <text>LICENSE 1</text>
+
+LicenseID: LicenseRef-Android-License-2
+LicenseName: License-2
+ExtractedText: <text>LICENSE 2</text>
+
+LicenseID: LicenseRef-Android-License-3
+LicenseName: License-3
+ExtractedText: <text>LICENSE 3</text>
diff --git a/tools/sbom/testdata/expected_tagvalue_sbom_unbundled.spdx b/tools/sbom/testdata/expected_tagvalue_sbom_unbundled.spdx
index a00c291..4b14a4b 100644
--- a/tools/sbom/testdata/expected_tagvalue_sbom_unbundled.spdx
+++ b/tools/sbom/testdata/expected_tagvalue_sbom_unbundled.spdx
@@ -1,6 +1,7 @@
FileName: /bin/file1.apk
SPDXID: SPDXRef-file1
FileChecksum: SHA1: 11111
+LicenseConcluded: NOASSERTION
PackageName: Unbundled apk package
SPDXID: SPDXRef-SOURCE-package1
@@ -8,5 +9,6 @@
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
+PackageLicenseDeclared: NOASSERTION
Relationship: SPDXRef-file1 GENERATED_FROM SPDXRef-SOURCE-package1