

feat: licenses allow mix of multiple SPDX expressions AND/OR multiple…
… named/spdx licenses

Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck committed Jan 22, 2025
1 parent 544db94 commit 9f5b308
Showing 8 changed files with 343 additions and 27 deletions.
8 changes: 4 additions & 4 deletions schema/bom-1.7.proto
Expand Up @@ -114,7 +114,7 @@ message Component {
optional Scope scope = 11;
// The hashes of the component.
repeated Hash hashes = 12;
// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
repeated LicenseChoice licenses = 13;
// An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
optional string copyright = 14;
Expand Down Expand Up @@ -506,7 +506,7 @@ message Metadata {
// The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
optional OrganizationalEntity supplier = 6;
// The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
repeated LicenseChoice licenses = 7;
// Specifies optional, custom, properties
repeated Property properties = 8;
Expand Down Expand Up @@ -641,7 +641,7 @@ message Service {
optional bool x_trust_boundary = 9;
// Specifies information about the data including the directional flow of data and the data classification.
repeated DataFlow data = 10;
// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
repeated LicenseChoice licenses = 11;
// Provides the ability to document external references related to the service.
repeated ExternalReference external_references = 12;
Expand Down Expand Up @@ -745,7 +745,7 @@ message EvidenceCopyright {

// Provides the ability to document evidence collected through various forms of extraction or analysis.
message Evidence {
// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
repeated LicenseChoice licenses = 1;
// Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
repeated EvidenceCopyright copyright = 2;
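Review bot: The new comment on `licenses` (same text in all four hunks) says what the list may hold but not how a consumer should read a list that mixes entries, and the cardinality rule it replaces was never expressible in protobuf anyway — the fields were already `repeated LicenseChoice`, so for proto consumers this commit is documentation only and the interpretation has to live in that documentation. I would also make "Expression" plural, since the list may now hold several. Suggested comment: `// A list of SPDX licenses and/or named licenses and/or SPDX License Expressions. Each entry is an independent assertion (see its acknowledgement); an expression entry is not a conjunction of the other entries.` The `LicenseChoice` message itself is outside these hunks, so whether `license`/`expression` form a oneof there, and whether 1.7 is still unreleased (changing the accepted shape of an existing field number is only safe pre-release), should be confirmed.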
30 changes: 10 additions & 20 deletions schema/bom-1.7.schema.json
Expand Up @@ -1454,32 +1454,22 @@
},
"licenseChoice": {
"title": "License Choice",
"description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)",
"description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.",
"type": "array",
"oneOf": [
{
"title": "Multiple licenses",
"description": "A list of SPDX licenses and/or named licenses.",
"type": "array",
"items": {
"items": {
"oneOf": [
{
"type": "object",
"title": "License",
"required": ["license"],
"additionalProperties": false,
"properties": {
"license": {"$ref": "#/definitions/license"}
}
}
},
{
"title": "SPDX License Expression",
"description": "A tuple of exactly one SPDX License Expression.",
"type": "array",
"additionalItems": false,
"minItems": 1,
"maxItems": 1,
"items": [{
},
{
"type": "object",
"title": "SPDX License Expression",
"additionalProperties": false,
"required": ["expression"],
"properties": {
Expand All @@ -1501,9 +1491,9 @@
"description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
}
}
}]
}
]
}
]
}
},
"commit": {
"type": "object",
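Review bot: The item-level `oneOf` under the new `items` block does more work than needed: the two branches are mutually exclusive by construction (different `required` keys and `additionalProperties: false` on both), so `anyOf` accepts exactly the same documents, lets validators stop at the first match, and reports a single error path instead of "matched 0 of 2" when an entry is malformed — `"items": { "anyOf": [` is the only line that changes. The top-level description should also be plural and say how mixed entries relate, e.g. `"description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expressions. Each entry is an independent assertion; an expression entry does not combine the other entries."` Dropping the old `minItems`/`maxItems: 1` branch means a list may now carry any number of `expression` entries, which is presumably intended but worth stating in that description. The `expression` property definition itself is collapsed below this hunk, so I have not checked what, if anything, constrains the expression string.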
9 changes: 6 additions & 3 deletions schema/bom-1.7.xsd
Expand Up @@ -2297,9 +2297,12 @@ limitations under the License.
</xs:simpleType>

<xs:complexType name="licenseChoiceType">
<xs:choice>
<xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="expression" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>A list of SPDX licenses and/or named licenses and/or SPDX License Expression.</xs:documentation>
</xs:annotation>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="license" type="bom:licenseType"/>
<xs:element name="expression">
<xs:annotation>
<xs:documentation>A valid SPDX license expression.
Refer to https://spdx.org/specifications for syntax requirements
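Review bot: The new `<xs:choice minOccurs="0" maxOccurs="unbounded">` lifts the old `maxOccurs="1"` on `expression`, so a `licenses` element may now carry any number of expressions interleaved with `license` children in any order, but the added documentation only lists the allowed children. I would extend it so consumers know how to read a mixed list: `A list of SPDX licenses and/or named licenses and/or SPDX License Expressions. Each child is an independent assertion (see its acknowledgement attribute); an expression does not combine the other children.` If child order carries no meaning, say so there as well, since XML consumers often assume document order is significant. Consumers who generated bindings from the previous shape (a list of `license` plus at most one `expression`) will get a different shape after regenerating — presumably acceptable for an unreleased 1.7, but worth a changelog line. The `expression` element's type continues past this hunk, so I have not reviewed what constrains the expression text.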
@@ -0,0 +1,79 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
"version": 1,
"metadata": {
"lifecycles": [{"phase": "design"}]
},
"components": [
{
"type": "library",
"group": "com.example",
"name": "situation-A",
"version": "1",
"description": "Multiple licenses: declared ids/names, and a concluded expression",
"licenses": [
{
"license": {
"id": "MIT",
"acknowledgement": "declared"
}
},
{
"license": {
"id": "PostgreSQL",
"acknowledgement": "declared"
}
},
{
"license": {
"name": "Apache Software License",
"acknowledgement": "declared"
}
},
{
"expression": "(MIT OR PostgreSQL OR Apache-2.0)",
"acknowledgement": "concluded"
}
]
},
{
"type": "library",
"group": "com.example",
"name": "situation-B",
"version": "1",
"description": "Multiple license expressions: one declared, one concluded",
"licenses": [
{
"expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
"acknowledgement": "declared"
},
{
"expression": "(GPL-3.0-only AND LGPL-2.0-only)",
"acknowledgement": "concluded"
}
]
},
{
"type": "library",
"group": "com.example",
"name": "situation-C",
"version": "1",
"description": "Multiple license: one declared expression, one concluded id",
"licenses": [
{
"expression": "GPL-3.0-or-later OR GPL-2.0",
"acknowledgement": "declared"
},
{
"license": {
"id": "GPL-3.0-only",
"acknowledgement": "concluded"
}
}
]
}
]
}
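Review bot: This fixture declares `"specVersion": "1.6"` with the bom-1.6 `$schema`, yet mixes `license` entries with an `expression` entry in one `licenses` array (and two expressions in situation-B), which the 1.6 schema — unchanged by this commit — rejects under its either/or rule; as far as I can tell it can only be an invalid-input fixture, but nothing in the file says so. The path is not visible on this page; if it lives under an `invalid` test directory that settles it, otherwise the component descriptions should state the intent, e.g. `"description": "INVALID for 1.6: mixed license entries and an expression (allowed from 1.7)"`. The identifiers `GPL-3.0` and `GPL-2.0` in situation-B/C are deprecated in the SPDX license list in favour of the `-only`/`-or-later` forms; even in a show-case fixture I would use the current forms so a strict validator does not fail for an unrelated reason.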
@@ -0,0 +1,46 @@
<?xml version="1.0"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
serialNumber="urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
>
<!--
All license posture in here is for show-case ony.
This is not a real law-case!
-->
<metadata>
<lifecycles><lifecycle><phase>design</phase></lifecycle></lifecycles>
</metadata>
<components>
<component type="library">
<group>com.example</group>
<name>situation-A</name>
<version>1</version>
<description>Multiple licenses: declared ids/names, and a concluded expression</description>
<licenses>
<license acknowledgement="declared"><id>MIT</id></license>
<license acknowledgement="declared"><id>PostgreSQL</id></license>
<license acknowledgement="declared"><name>Apache Software License</name></license>
<expression acknowledgement="concluded">(MIT OR PostgreSQL OR Apache-2.0)</expression>
</licenses>
</component>
<component type="library">
<group>com.example</group>
<name>situation-B</name>
<version>1</version>
<description>Multiple license expressions: one declared, one concluded</description>
<licenses>
<expression acknowledgement="declared">MIT OR (GPL-3.0 OR GPL-2.0)</expression>
<expression acknowledgement="concluded">(GPL-3.0-only AND LGPL-2.0-only)</expression>
</licenses>
</component>
<component type="library">
<group>com.example</group>
<name>situation-C</name>
<version>1</version>
<description>Multiple license: one declared expression, one concluded id</description>
<licenses>
<expression acknowledgement="declared">GPL-3.0-or-later OR GPL-2.0</expression>
<license acknowledgement="concluded"><id>GPL-3.0-only</id></license>
</licenses>
</component>
</components>
</bom>
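Review bot: Same concern as the JSON twin: the 1.6 namespace with `license` and `expression` children mixed under one `licenses` element (and two `expression` children in situation-B) does not validate against the unchanged 1.6 XSD, so this is presumably an invalid-input fixture and its leading comment should say so rather than only "for show-case". While touching that comment, fix the typo `show-case ony` → `show-case only`. The deprecated SPDX ids `GPL-3.0`/`GPL-2.0` in situation-B/C would be better as `GPL-3.0-only`/`GPL-2.0-only` unless the deprecated spellings are deliberately exercised.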
@@ -0,0 +1,79 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.7",
"serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
"version": 1,
"metadata": {
"lifecycles": [{"phase": "design"}]
},
"components": [
{
"type": "library",
"group": "com.example",
"name": "situation-A",
"version": "1",
"description": "Multiple licenses: declared ids/names, and a concluded expression",
"licenses": [
{
"license": {
"id": "MIT",
"acknowledgement": "declared"
}
},
{
"license": {
"id": "PostgreSQL",
"acknowledgement": "declared"
}
},
{
"license": {
"name": "Apache Software License",
"acknowledgement": "declared"
}
},
{
"expression": "(MIT OR PostgreSQL OR Apache-2.0)",
"acknowledgement": "concluded"
}
]
},
{
"type": "library",
"group": "com.example",
"name": "situation-B",
"version": "1",
"description": "Multiple license expressions: one declared, one concluded",
"licenses": [
{
"expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
"acknowledgement": "declared"
},
{
"expression": "(GPL-3.0-only AND LGPL-2.0-only)",
"acknowledgement": "concluded"
}
]
},
{
"type": "library",
"group": "com.example",
"name": "situation-C",
"version": "1",
"description": "Multiple license: one declared expression, one concluded id",
"licenses": [
{
"expression": "GPL-3.0-or-later OR GPL-2.0",
"acknowledgement": "declared"
},
{
"license": {
"id": "GPL-3.0-only",
"acknowledgement": "concluded"
}
}
]
}
]
}
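Review bot: The expressions in situation-B and situation-C use `GPL-3.0` and `GPL-2.0`, identifiers the SPDX license list deprecated in favour of the `-only`/`-or-later` forms, and mix them with the current forms (`GPL-3.0-only`, `GPL-3.0-or-later`) in the same file; a reader is likely to copy this example into a real BOM. I would write `"expression": "MIT OR (GPL-3.0-only OR GPL-2.0-only)"` and `"expression": "GPL-3.0-or-later OR GPL-2.0-only"` unless the deprecated spellings are deliberately exercised, in which case the description should say so. Every fixture in this commit also reuses the same `serialNumber`; harmless for test data, but since a serialNumber is meant to identify a single BOM document, a distinct UUID per file avoids teaching the wrong habit.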
@@ -0,0 +1,73 @@
# proto-file: schema/bom-1.7.proto
# proto-message: Bom

# All license posture in here is for show-case ony.
# This is not a real law-case!

spec_version: "1.7"
version: 1
serial_number: "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
metadata: {
lifecycles { phase: LIFECYCLE_PHASE_DESIGN }
}
components {
type: CLASSIFICATION_LIBRARY
group: "com.example"
name: "situation-A"
version: "1"
description: "Multiple licenses: declared ids/names, and a concluded expression"
licenses {
license {
id: "MIT"
acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
}
}
licenses {
license {
id: "PostgreSQL"
acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
}
}
licenses {
license {
name: "Apache Software License"
acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
}
}
licenses {
expression: "(MIT OR PostgreSQL OR Apache-2.0)"
acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED
}
}
components {
type: CLASSIFICATION_LIBRARY
group: "com.example"
name: "situation-B"
version: "1"
description: "Multiple license expressions: one declared, one concluded"
licenses {
expression: "MIT OR (GPL-3.0 OR GPL-2.0)"
acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
}
licenses {
expression: "(GPL-3.0-only AND LGPL-2.0-only)"
acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED
}
}
components {
type: CLASSIFICATION_LIBRARY
group: "com.example"
name: "situation-C"
version: "1"
description: "Multiple license: one declared expression, one concluded id"
licenses {
expression: "GPL-3.0-or-later OR GPL-2.0"
acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
}
licenses {
license {
id: "GPL-3.0-only"
acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED
}
}
}
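Review bot: The disclaimer comment at the top has a typo — `show-case ony` → `show-case only` (the XML fixture carries the same one). Otherwise this file matches the 1.7 JSON fixture entry for entry, including the deprecated SPDX ids `GPL-3.0`/`GPL-2.0` inside expressions that also use `GPL-3.0-only`/`GPL-3.0-or-later`; if these fixtures are meant as canonical examples, prefer the current `-only`/`-or-later` forms consistently across all four files. The `serial_number` is also shared with the 1.6 and 1.7 JSON/XML fixtures, which is fine for tests but worth a distinct value per document if these double as examples.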
