feat: support multi license mix #582

wants to merge 3 commits into
base: 1.7-dev
8 changes: 4 additions & 4 deletions schema/bom-1.7.proto
Expand Up @@ -114,7 +114,7 @@ message Component {
optional Scope scope = 11;
// The hashes of the component.
repeated Hash hashes = 12;
// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
repeated LicenseChoice licenses = 13;
// An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
optional string copyright = 14;
Expand Down Expand Up @@ -506,7 +506,7 @@ message Metadata {
// The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
optional OrganizationalEntity supplier = 6;
// The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
repeated LicenseChoice licenses = 7;
// Specifies optional, custom, properties
repeated Property properties = 8;
Expand Down Expand Up @@ -641,7 +641,7 @@ message Service {
optional bool x_trust_boundary = 9;
// Specifies information about the data including the directional flow of data and the data classification.
repeated DataFlow data = 10;
// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
repeated LicenseChoice licenses = 11;
// Provides the ability to document external references related to the service.
repeated ExternalReference external_references = 12;
Expand Down Expand Up @@ -745,7 +745,7 @@ message EvidenceCopyright {

// Provides the ability to document evidence collected through various forms of extraction or analysis.
message Evidence {
// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
repeated LicenseChoice licenses = 1;
// Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
repeated EvidenceCopyright copyright = 2;
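Review bot: The replacement comment on `Component.licenses` (and the identical one on `Metadata.licenses`, `Service.licenses` and `Evidence.licenses`) no longer tells a reader that more than one expression may now appear, nor that the former either/or rule was lifted, which is the actual behavioural change a consumer of `repeated LicenseChoice` has to react to. Because the wire type was already `repeated`, this comment is the only place the relaxation is visible to proto users, so it should carry it explicitly. Suggest `// Any number of SPDX licenses, named licenses and/or SPDX license expressions, in any combination. Since 1.7 an expression may be listed alongside licenses and other expressions; earlier versions allowed either a list of licenses or exactly one expression.` The enclosing messages start and end outside the hunks.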
30 changes: 10 additions & 20 deletions schema/bom-1.7.schema.json
Expand Up @@ -1454,32 +1454,22 @@
},
"licenseChoice": {
"title": "License Choice",
"description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)",
"description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.",
"type": "array",
"oneOf": [
{
"title": "Multiple licenses",
"description": "A list of SPDX licenses and/or named licenses.",
"type": "array",
"items": {
"items": {
"oneOf": [
{
"type": "object",
"title": "License",
"required": ["license"],
"additionalProperties": false,
"properties": {
"license": {"$ref": "#/definitions/license"}
}
}
},
{
"title": "SPDX License Expression",
"description": "A tuple of exactly one SPDX License Expression.",
"type": "array",
"additionalItems": false,
"minItems": 1,
"maxItems": 1,
"items": [{
},
{
"type": "object",
"title": "SPDX License Expression",
"additionalProperties": false,
"required": ["expression"],
"properties": {
Expand All @@ -1501,9 +1491,9 @@
"description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
}
}
}]
}
]
}
]
}
},
"commit": {
"type": "object",
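Review bot: The `licenseChoice` description at the top of the first hunk is the only text that survives into generated documentation, and it says neither that several `expression` items may now coexist nor that the old single-expression tuple form is gone, so a consumer that used to read `licenses[0].expression` as the one expression gets no cue that it must iterate. Suggest `"description": "A list of SPDX licenses and/or named licenses and/or SPDX license expressions, in any combination. Prior to 1.7 an expression could not be mixed with licenses."`; if both item shapes still define the `acknowledgement` property that the 1.6 example in this PR uses, the description could also point at it as the way to tell declared from concluded entries. The `oneOf` on `items` with `additionalProperties: false` and disjoint `required` keys is sound. The enclosing `definitions` object starts and ends outside the hunks.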
9 changes: 6 additions & 3 deletions schema/bom-1.7.xsd
Expand Up @@ -2297,9 +2297,12 @@ limitations under the License.
</xs:simpleType>

<xs:complexType name="licenseChoiceType">
<xs:choice>
<xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="expression" minOccurs="0" maxOccurs="1">
<xs:annotation>
<xs:documentation>A list of SPDX licenses and/or named licenses and/or SPDX License Expression.</xs:documentation>
</xs:annotation>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="license" type="bom:licenseType"/>
<xs:element name="expression">
<xs:annotation>
<xs:documentation>A valid SPDX license expression.
Refer to https://spdx.org/specifications for syntax requirements
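Review bot: The new `<xs:choice minOccurs="0" maxOccurs="unbounded">` lets any number of `expression` elements interleave with `license` elements, but the `xs:documentation` added on `licenseChoiceType` only describes a list and does not state that the cardinality of `expression` went from at most one to unbounded, so it is not obvious from the schema alone that this is intentional. Suggest `<xs:documentation>Any number of SPDX licenses, named licenses and/or SPDX license expressions, in any combination and order. Since 1.7 an expression may be listed alongside licenses and other expressions.</xs:documentation>`, keeping the wording aligned with the proto comment and the JSON schema description. The `expression` element definition continues outside the hunk.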
Member Author

this is a backport of a newly added valid example for CDX 1.7.
in CDX 1.6, it is invalid.

@@ -0,0 +1,79 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
"version": 1,
"metadata": {
"lifecycles": [{"phase": "design"}]
},
"components": [
{
"type": "library",
"group": "com.example",
"name": "situation-A",
"version": "1",
"description": "Multiple licenses: declared ids/names, and a concluded expression",
"licenses": [
{
"license": {
"id": "MIT",
"acknowledgement": "declared"
}
},
{
"license": {
"id": "PostgreSQL",
"acknowledgement": "declared"
}
},
{
"license": {
"name": "Apache Software License",
"acknowledgement": "declared"
}
},
{
"expression": "(MIT OR PostgreSQL OR Apache-2.0)",
"acknowledgement": "concluded"
}
]
},
{
"type": "library",
"group": "com.example",
"name": "situation-B",
"version": "1",
"description": "Multiple license expressions: one declared, one concluded",
"licenses": [
{
"expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
"acknowledgement": "declared"
},
{
"expression": "(GPL-3.0-only AND LGPL-2.0-only)",
"acknowledgement": "concluded"
}
]
},
{
"type": "library",
"group": "com.example",
"name": "situation-C",
"version": "1",
"description": "Multiple license: one declared expression, one concluded id",
"licenses": [
{
"expression": "GPL-3.0-or-later OR GPL-2.0",
"acknowledgement": "declared"
},
{
"license": {
"id": "GPL-3.0-only",
"acknowledgement": "concluded"
}
}
]
}
]
}
Member Author

this is a backport of a newly added valid example for CDX 1.7.
in CDX 1.6, it is invalid.

@@ -0,0 +1,46 @@
<?xml version="1.0"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
serialNumber="urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
>
<!--
All license posture in here is for show-case ony.
This is not a real law-case!
-->
<metadata>
<lifecycles><lifecycle><phase>design</phase></lifecycle></lifecycles>
</metadata>
<components>
<component type="library">
<group>com.example</group>
<name>situation-A</name>
<version>1</version>
<description>Multiple licenses: declared ids/names, and a concluded expression</description>
<licenses>
<license acknowledgement="declared"><id>MIT</id></license>
<license acknowledgement="declared"><id>PostgreSQL</id></license>
<license acknowledgement="declared"><name>Apache Software License</name></license>
<expression acknowledgement="concluded">(MIT OR PostgreSQL OR Apache-2.0)</expression>
</licenses>
</component>
<component type="library">
<group>com.example</group>
<name>situation-B</name>
<version>1</version>
<description>Multiple license expressions: one declared, one concluded</description>
<licenses>
<expression acknowledgement="declared">MIT OR (GPL-3.0 OR GPL-2.0)</expression>
<expression acknowledgement="concluded">(GPL-3.0-only AND LGPL-2.0-only)</expression>
</licenses>
</component>
<component type="library">
<group>com.example</group>
<name>situation-C</name>
<version>1</version>
<description>Multiple license: one declared expression, one concluded id</description>
<licenses>
<expression acknowledgement="declared">GPL-3.0-or-later OR GPL-2.0</expression>
<license acknowledgement="concluded"><id>GPL-3.0-only</id></license>
</licenses>
</component>
</components>
</bom>
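Review bot: The header comment `All license posture in here is for show-case ony.` has a typo (`ony` → `only`); the same line recurs in the 1.7 textproto resource (`# All license posture in here is for show-case ony.`). Since the accompanying review comment says this document is invalid under 1.6, the comment would also be the place to record that, e.g. `This document is expected to be rejected by the 1.6 schema: mixing an expression with licenses is only allowed from 1.7.`, so the fixture's purpose is discoverable without the PR thread.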
36 changes: 36 additions & 0 deletions tools/src/test/resources/1.7/valid-license-choice-1.7.json
Member Author

this case is now passing - as expected

@@ -0,0 +1,36 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.7",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"components": [
{
"type": "application",
"publisher": "Acme Inc",
"group": "com.acme",
"name": "tomcat-catalina",
"version": "9.0.14",
"description": "Modified version of Apache Catalina",
"scope": "required",
"licenses": [
{
"license": {
"id": "Apache-2.0"
}
},
{
"expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
},
{
"license": {
"name": "My Own License",
"text": {
"content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
}
}
}
]
}
]
}
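Review bot: This JSON variant keeps `serialNumber` `urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79` while the textproto and the updated XML variant of the same `valid-license-choice-1.7` case use `urn:uuid:b1ef52c6-7cd8-43d5-9e42-5e69044bbe9e`, so the three formats no longer describe the same BOM identity; if any test converts between formats and compares output, this will diverge. Suggest either `"serialNumber": "urn:uuid:b1ef52c6-7cd8-43d5-9e42-5e69044bbe9e",` here or reverting the other two to the old value.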
34 changes: 34 additions & 0 deletions tools/src/test/resources/1.7/valid-license-choice-1.7.textproto
Member Author

this case is now passing - as expected

@@ -0,0 +1,34 @@
# proto-file: schema/bom-1.7.proto
# proto-message: Bom

# All license posture in here is for show-case ony.
# This is not a real law-case!

spec_version: "1.7"
serial_number: "urn:uuid:b1ef52c6-7cd8-43d5-9e42-5e69044bbe9e"
version: 1
components {
type: CLASSIFICATION_APPLICATION
publisher: "Acme Inc"
group: "com.acme"
name: "tomcat-catalina"
version: "9.0.14"
description: "Modified version of Apache Catalina"
scope: SCOPE_REQUIRED
licenses {
license: {
id: "Apache-2.0"
}
}
licenses {
expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
}
licenses {
license: {
name: "My Own License"
text: {
value: "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
}
}
}
}
Member Author

this case is now passing - as expected

@@ -1,5 +1,8 @@
<?xml version="1.0"?>
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
serialNumber="urn:uuid:b1ef52c6-7cd8-43d5-9e42-5e69044bbe9e"
version="1"
>
<components>
<component type="application">
<publisher>Acme Inc</publisher>
Expand All @@ -8,17 +11,15 @@
<version>9.0.14</version>
<description>Modified version of Apache Catalina</description>
<scope>required</scope>
<hashes>
<hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
<hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
<hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
<hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
</hashes>
<licenses>
<license>
<id>Apache-2.0</id>
</license>
<expression>EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0</expression>
<license>
<name>My Own License</name>
<text><![CDATA[Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.]]></text>
</license>
</licenses>
<purl>pkg:maven/com.acme/[email protected]?packaging=jar</purl>
</component>
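Review bot: The second hunk drops the entire `<hashes>` block (MD5, SHA-1, SHA-256, SHA-512 entries) from this fixture, which is unrelated to the license-choice change the commit is about; if the intent is to mirror the JSON and textproto variants, which carry no hashes, that should be said in the commit message, otherwise the block deserves to stay so the 1.7 XSD keeps a positive test for `hash` alongside the mixed `licenses`. The first hunk also changes `serialNumber`; the JSON variant of this case still carries the old value, so the three formats should be aligned one way or the other. The `<component>` element continues outside the hunk.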