Correct way to specify custom licenses in SPDX license expressions?

[Jasper-Ben]

Hi,

I maintain a repository for generating CycloneDX SBOMs for Yocto/OpenEmbedded builds.

For including license information for the individual components, I want to translate the OE-specific license expression to a SPDX license expression as defined in https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/.

Some of the licenses mentioned in the license expression might not be valid SPDX license IDs. As per the SPDX license expressions spec, I would add a LicenseRef- prefix to those licenses.

However, what is unclear to me is whether these custom licenses should be defined within the CycloneDX SBOM, e.g. at metadata.licenses?

[stevespringett]

The licenses should be applied to the component that declared the license or for which the license has been concluded.

Refer to https://cyclonedx.org/use-cases/open-source-licensing/

In the example, "library b" uses an SPDX expression. Using that property, you can safely use a custom license that starts with LicenseRef-

[Jasper-Ben]

Hi @stevespringett, thanks for your quick response. I am not 100% sure whether I understood your response correctly. So just to clearify:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "Library B",
      "version": "1.0.2",
      "licenses": [
        {
          "expression": "EPL-2.0 OR LicenseRef-Foo",
          "acknowledgement": "declared"
        }
      ]
    }
  ]
}

would be a valid SBOM? No need to specify anywhere else within the SBOM what LicenseRef-Foo actually is?

Or would something like this be more appropriate?

{
  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "Library B",
      "version": "1.0.2",
      "licenses": [
        {
          "expression": "EPL-2.0 OR LicenseRef-Foo",
          "acknowledgement": "declared"
        },
        {
          "license": {
            "name": "LicenseRef-Foo"
            "acknowledgement": "declared"
            "text": ...  <--- if available: license text of the custom license
          }
        }
      ]
    }
  ]
}

If we could include an example for a license expression with custom licenses in https://cyclonedx.org/use-cases/open-source-licensing/, that would be great for others that might run into the same question 🙂

[jkowalleck]

re: #713 (reply in thread)

You are right, for some parts of SPDX expressions, the actual license texts are necessary.
This is especially true for licenses that are not recognized by SPDX - which leads to using LicenseRef in the first place.

Since CycloneDX 1.7, we provide the ability to specify the texts for each SPDX expression part.
see an example here: https://github.com/CycloneDX/specification/blob/master/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json

[Jasper-Ben]

On a side-note: Is it a deliberate choice that the last example (Library "C") does not specify an acknowledgement?

[Jasper-Ben]

@jkowalleck Thanks for the explanation! Currently, we support cyclonedx 1.4 and 1.6. So for those spec releases I would go with this?

{
  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "Library B",
      "version": "1.0.2",
      "licenses": [
        {
          "expression": "EPL-2.0 OR LicenseRef-Foo",
          "acknowledgement": "declared"
        }
      ]
    }
  ]
}

[jkowalleck]

re: #713 (reply in thread)

Sure, LicenseRef-Foo is clearly valid.
Does the LicenseRef have any value without the text? I mean, according to SPDX, these LicenseRef exist for the reason that they are references to texts embedded in the SPDX.
To have the same behavior in CycloneDX, you MUST embed the text in CycloneDX somehow, too.

I don't see how this would be possible with CycloneDX 1.6 and before.

A "hack" I used was to add these license texts as evidences.
SO i had component.licenses set to that SPDX expression, and component.evidence.licenses set to a list of "IDd"/"named" licenses.
pseudo example:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "Library B",
      "version": "1.0.2",
      "licenses": [
        {
          "expression": "EPL-2.0 OR LicenseRef-Foo",
          "acknowledgement": "declared"
        }
      ],
      "evidence": {
        "licenses": [
          {"license": {
            "id": "EPL-2.0",
            "text": ...
          }},
          {"license": {
            "bom-ref": "LicenseRef-Foo",
            "name": "Foo",
            "text": ...
          }}
        ]
      }
    }
  ]
}