-
-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: multiple attachments for licenses of type "expression" #554
Comments
I will work on a solution, planned for milestone 1.7. |
Hi @jkowalleck, it's great to see this item for planning in the 1.7 milestone! To prevent confusion, the example should show "GPL-3.0-or-later" (which is the proper SPDX identifier) instead of "GPL3+" (an ID you find in Debian copyright files). I don't know what you (CycloneDX creators) had in mind with "SPDX expression" in CycloneDX spec context. My impression is that in contrast to to the license ID/name list you wanted to have a counterpart that supports a compound expression, which appears in declared licenses. The definition of "SPDX expression" by SPDX is broader and covers "simple" and "compound" expressions, e.g. user defined licenses with "LicenseRef-[idstring]" (also named as "license-ref" in contrast to "license-ids", the items in official license list)), see https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/ To make CycloneDX usable for license compliance (including OSS) I see the need to support SPDX expressions that fully support SPDX's definition. A further suggestion: To simplify attribution reports for humans that are generated from a CycloneDX SBOM I suggest to add also an optional "name" field like we have for the "named" license. The license identifiers we have in the SPDX License List don't require it. They already have a full name. But in case the full "SPDX expression" definition is considered including "license-refs", a name should be available in the specfication to be consistent with the SPDX ID/name list for reports. For compatiblity and readability I suggest to stick with the "license ID/name list" and "SPDX expression" approach, but - as said - without a usage restriction. BR, |
Thank you for pointing that out. I've edited my original feature request, fixed the |
great call! I've edited the original feature request example to reflect this. |
Hi, my example looks like this:
Another significant reference: My conclusion:
|
re: #554 (comment) your suggestion {
"id": "LicenseRef-.amazon.com.-AmznSL-1.0",
"name": "Amazon Software License",
"content": "..."
} The "id" is planned to be the usual CycloneDX enum, see https://cyclonedx.org/docs/1.6/json/#components_items_licenses_oneOf_i0_items_license_id Current spec allows either |
Based on SPDX and BSI documentation referenced above, please give a proof of how CycloneDX including this approach fulfills license declaration based on legal license compliance requirements. |
which aspects do you see as not feasible? |
currently , we do allow one text attachment per "named"-/"spdx"-license.
but we dont allow any test attachments for a SPDX license expression
Request
allow multiple license text attachments per SPDX license expression
Discussion
why thou?
short: not all SPDX licenses are templates.
Not all SPDX licenses are templates, some have qualified "placeholders" that need to be filled
by the ones applying them.
Therefore, it is important to carry the actual declared license texts of a component, even when using a SPDX license expression (like
MIT or GPL-3.0-or-later
)And even for template texts (like
Apache-2.0
), it might be required to carry license amendment texts (like aNOTICE
file for Apache2).This is why it is needed to have a license texts for SPDX expression.
why multiple tests, why not a single text?
short: expressions might consist of multiple different licenses, each having an own text
expected outcome: the specification
Have an option to carry the text for each SPDX-license-ID and SPD-license-ref in an SPDX license expression
intended implementation
use the existing structure of an attachment, but also have a field to tell which SPDX id or ref-name it applies to.
Spdx id MUST use the existing enum CycloneDX spec usesfor that matter. -- https://cyclonedx.org/docs/1.6/json/#components_items_licenses_oneOf_i0_items_license_id
Name is free text -- https://cyclonedx.org/docs/1.6/json/#components_items_licenses_oneOf_i0_items_license_name
Like with existing license spec -- EITHER
name
ORid
(XSD<xs:choice>
/ JSON-schemaoneOf
- one, not both)possible results
original story:
Originally posted by @Joerki in #349
The text was updated successfully, but these errors were encountered: