fix(cyclonedx): Sanitize copyrights for the CycloneDX XML report

Some characters in copyrights cannot be outputted to XML. Therefore,
sanitize the copyrights content for XML.
Please note that this is not optimal as this does the sanitization also for
JSON output which is not required. Originally, it was intended to do a fix
in the library upstream. Unfortunately, this is not trivial (see [1]).

[1]: CycloneDX/cyclonedx-core-java#538 (comment)

Signed-off-by: Nicolas Nobelis <[email protected]>

Author: nnobelis

plugins/reporters/cyclonedx/src/funTest/kotlin/CycloneDxReporterFunTest.kt

@@ -42,6 +42,7 @@ import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.plugins.api.PluginConfig
 import org.ossreviewtoolkit.plugins.reporters.cyclonedx.CycloneDxReporter.Companion.REPORT_BASE_FILENAME
 import org.ossreviewtoolkit.reporter.ORT_RESULT
+import org.ossreviewtoolkit.reporter.ORT_RESULT_WITH_ILLEGAL_COPYRIGHTS
 import org.ossreviewtoolkit.reporter.ORT_RESULT_WITH_VULNERABILITIES
 import org.ossreviewtoolkit.reporter.ReporterInput
 import org.ossreviewtoolkit.utils.common.Options
@@ -99,6 +100,19 @@ class CycloneDxReporterFunTest : WordSpec({
             }
         }
 
+        "the expected XML file even if some copyrights contain non printable characters" {
+            val xmlOptions = optionSingle + mapOf("output.file.formats" to "xml")
+
+            val bomFileResults = generateReport(ORT_RESULT_WITH_ILLEGAL_COPYRIGHTS, xmlOptions)
+
+            bomFileResults.shouldBeSingleton {
+                it shouldBeSuccess { bomFile ->
+                    bomFile shouldBe aFile()
+                    bomFile shouldNotBe emptyFile()
+                }
+            }
+        }
+
         "be valid JSON according to schema version $defaultSchemaVersion" {
             val jsonOptions = optionSingle + mapOf("output.file.formats" to "json")
 

plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt

@@ -372,7 +372,11 @@ class CycloneDxReporter(
 
             // TODO: Find a way to associate copyrights to the license they belong to, see
             //       https://github.com/CycloneDX/cyclonedx-core-java/issues/58
-            copyright = resolvedLicenseInfo.getCopyrights().joinToString().takeUnless { it.isEmpty() }
+            copyright = resolvedLicenseInfo.getCopyrights().joinToString {
+                it.filterNot { character ->
+                    character.isIdentifierIgnorable()
+                }
+            }.takeUnless { it.isEmpty() }
 
             purl = pkg.purl + purlQualifier
             isModified = pkg.isModified

reporter/src/testFixtures/kotlin/TestData.kt

@@ -427,4 +427,31 @@ val ADVISOR_WITH_VULNERABILITIES = AdvisorRun(
     )
 )
 
+val SCANNER_WITH_ILLEGAL_COPYRIGHTS = scannerRunOf(
+    Identifier("NPM:@ort:no-license-file:1.0") to listOf(
+        ScanResult(
+            provenance = UnknownProvenance,
+            scanner = ScannerDetails(name = "scanner", version = "1.0", configuration = ""),
+            summary = ScanSummary.EMPTY.copy(
+                licenseFindings = setOf(
+                    LicenseFinding(
+                        license = "MIT",
+                        location = TextLocation("file", 1)
+                    )
+                ),
+                copyrightFindings = setOf(
+                    CopyrightFinding(
+                        statement = "Portions created by the Initial Developer are Copyright (c) 2002 the Initial " +
+                            "Developer, holder is Tim Hudson ([email protected]), Objc, (c) Objv, " +
+                            "\u0002 \u0002 \u0001A\u0002\u0002\u0001o\u0002\u0012 AB, Copyright (c)",
+                        location = TextLocation("file", 1)
+                    )
+                )
+            )
+        )
+    )
+)
+
 val ORT_RESULT_WITH_VULNERABILITIES = ORT_RESULT.copy(advisor = ADVISOR_WITH_VULNERABILITIES)
+
+val ORT_RESULT_WITH_ILLEGAL_COPYRIGHTS = ORT_RESULT.copy(scanner = SCANNER_WITH_ILLEGAL_COPYRIGHTS)