BUG: Fix SBOM JSON escaping, Python3 guard, and SPDX metadata issues

hjmjohnson · hjmjohnson · commit 6d31421fb1fa · 2026-04-15T14:54:55.000-05:00
Address all findings from greptile code review:

P1: Escape all user-supplied fields (version, download location,
license, copyright) through _itk_sbom_json_escape() before JSON
interpolation — both in itk_generate_sbom() and
itk_sbom_register_package(). Previously only description was escaped.

P1: Add Python3_EXECUTABLE guard in ITKSBOMValidation.cmake to skip
SBOM validation tests when Python3 is not available.

P2: Use foreach(... IN LISTS ...) instead of unquoted variable
expansion to prevent re-splitting on embedded semicolons.

P2: Fix PNG SPDX license identifier from "Libpng-2.0" to "Libpng"
(the valid SPDX license list entry for libpng 1.6.x).

P2: Expose licenseListVersion as ITK_SBOM_SPDX_LICENSE_LIST_VERSION
cache variable (default "3.25") instead of hardcoding "3.22".
diff --git a/CMake/ITKSBOMGeneration.cmake b/CMake/ITKSBOMGeneration.cmake
@@ -26,6 +26,13 @@ if(NOT ITK_GENERATE_SBOM)
   return()
 endif()
 
+set(
+  ITK_SBOM_SPDX_LICENSE_LIST_VERSION
+  "3.25"
+  CACHE STRING
+  "SPDX license list version recorded in the generated SBOM"
+)
+
 #-----------------------------------------------------------------------------
 # Allow remote modules to register SBOM package metadata.
 #
@@ -90,24 +97,40 @@ function(itk_sbom_register_package)
   # Sanitize the name for use as SPDX ID (only alphanumeric and -)
   string(REGEX REPLACE "[^A-Za-z0-9-]" "-" _spdx_id "${_pkg_NAME}")
 
+  # Escape all user-supplied fields for JSON safety
+  _itk_sbom_json_escape("${_pkg_NAME}" _pkg_NAME_escaped)
+  _itk_sbom_json_escape("${_pkg_VERSION}" _pkg_VERSION_escaped)
+  _itk_sbom_json_escape("${_pkg_DOWNLOAD_LOCATION}" _pkg_DOWNLOAD_escaped)
+  _itk_sbom_json_escape("${_pkg_SUPPLIER}" _pkg_SUPPLIER_escaped)
+  _itk_sbom_json_escape("${_pkg_SPDX_LICENSE}" _pkg_LICENSE_escaped)
+  _itk_sbom_json_escape("${_pkg_COPYRIGHT}" _pkg_COPYRIGHT_escaped)
+
   set(_entry "")
   string(APPEND _entry "    {\n")
   string(APPEND _entry "      \"SPDXID\": \"SPDXRef-${_spdx_id}\",\n")
-  string(APPEND _entry "      \"name\": \"${_pkg_NAME}\",\n")
-  string(APPEND _entry "      \"versionInfo\": \"${_pkg_VERSION}\",\n")
+  string(APPEND _entry "      \"name\": \"${_pkg_NAME_escaped}\",\n")
+  string(APPEND _entry "      \"versionInfo\": \"${_pkg_VERSION_escaped}\",\n")
+  string(
+    APPEND
+    _entry
+    "      \"downloadLocation\": \"${_pkg_DOWNLOAD_escaped}\",\n"
+  )
+  string(APPEND _entry "      \"supplier\": \"${_pkg_SUPPLIER_escaped}\",\n")
+  string(
+    APPEND
+    _entry
+    "      \"licenseConcluded\": \"${_pkg_LICENSE_escaped}\",\n"
+  )
   string(
     APPEND
     _entry
-    "      \"downloadLocation\": \"${_pkg_DOWNLOAD_LOCATION}\",\n"
+    "      \"licenseDeclared\": \"${_pkg_LICENSE_escaped}\",\n"
   )
-  string(APPEND _entry "      \"supplier\": \"${_pkg_SUPPLIER}\",\n")
   string(
     APPEND
     _entry
-    "      \"licenseConcluded\": \"${_pkg_SPDX_LICENSE}\",\n"
+    "      \"copyrightText\": \"${_pkg_COPYRIGHT_escaped}\",\n"
   )
-  string(APPEND _entry "      \"licenseDeclared\": \"${_pkg_SPDX_LICENSE}\",\n")
-  string(APPEND _entry "      \"copyrightText\": \"${_pkg_COPYRIGHT}\",\n")
   string(APPEND _entry "      \"filesAnalyzed\": false\n")
   string(APPEND _entry "    }")
 
@@ -174,7 +197,11 @@ function(itk_generate_sbom)
   string(APPEND _json "      \"Tool: CMake-${CMAKE_VERSION}\",\n")
   string(APPEND _json "      \"Organization: NumFOCUS\"\n")
   string(APPEND _json "    ],\n")
-  string(APPEND _json "    \"licenseListVersion\": \"3.22\"\n")
+  string(
+    APPEND
+    _json
+    "    \"licenseListVersion\": \"${ITK_SBOM_SPDX_LICENSE_LIST_VERSION}\"\n"
+  )
   string(APPEND _json "  },\n")
 
   # --- packages array ---
@@ -238,7 +265,12 @@ function(itk_generate_sbom)
       set(_pkg_copyright "NOASSERTION")
     endif()
 
-    # Get description from module declaration and escape for JSON
+    # Escape all user-supplied fields for JSON safety
+    _itk_sbom_json_escape("${_pkg_version}" _pkg_version)
+    _itk_sbom_json_escape("${_pkg_download}" _pkg_download)
+    _itk_sbom_json_escape("${_pkg_license}" _pkg_license)
+    _itk_sbom_json_escape("${_pkg_copyright}" _pkg_copyright)
+
     set(_pkg_description "${ITK_MODULE_${_mod}_DESCRIPTION}")
     if(_pkg_description)
       _itk_sbom_json_escape("${_pkg_description}" _pkg_description)
@@ -314,7 +346,7 @@ function(itk_generate_sbom)
 
   # Append extra packages registered by remote modules
   get_property(_extra_packages GLOBAL PROPERTY ITK_SBOM_EXTRA_PACKAGES)
-  foreach(_extra_pkg ${_extra_packages})
+  foreach(_extra_pkg IN LISTS _extra_packages)
     string(APPEND _json ",\n${_extra_pkg}")
   endforeach()
 
@@ -342,7 +374,7 @@ function(itk_generate_sbom)
 
   # Extra packages registered by remote modules
   get_property(_extra_spdx_ids GLOBAL PROPERTY ITK_SBOM_EXTRA_SPDX_IDS)
-  foreach(_spdx_id ${_extra_spdx_ids})
+  foreach(_spdx_id IN LISTS _extra_spdx_ids)
     string(APPEND _json ",\n")
     string(APPEND _json "    {\n")
     string(APPEND _json "      \"spdxElementId\": \"SPDXRef-ITK\",\n")
diff --git a/CMake/ITKSBOMValidation.cmake b/CMake/ITKSBOMValidation.cmake
@@ -18,6 +18,11 @@ if(NOT EXISTS "${_sbom_file}")
   return()
 endif()
 
+if(NOT Python3_EXECUTABLE)
+  message(WARNING "Python3 not found; skipping SBOM validation tests.")
+  return()
+endif()
+
 add_test(
   NAME ITKSBOMValidation
   COMMAND
diff --git a/Modules/ThirdParty/PNG/itk-module.cmake b/Modules/ThirdParty/PNG/itk-module.cmake
@@ -11,7 +11,7 @@ itk_module(
     ITKZLIB
   DESCRIPTION "${DOCUMENTATION}"
   SPDX_LICENSE
-  "Libpng-2.0"
+  "Libpng"
   SPDX_VERSION
   "1.6.54"
   SPDX_DOWNLOAD_LOCATION
