[FEATURE]: ProtoBuf - make `license.id` an (external) enum #574

jkowalleck · 2025-01-13T20:48:20Z

currently(CDX 1.6), we have the following situation:

for JSON, the known SPDX licence IDs are in an own schema store: https://github.com/CycloneDX/specification/blob/master/schema/spdx.schema.json
for XML, the known SPDX licence IDs are in an own schema store: https://github.com/CycloneDX/specification/blob/master/schema/spdx.xsd

for ProtoBuf, the known SPDX licence IDs are not an enum at all, they are just a free text(string):

specification/schema/bom-1.6.proto

Lines 397 to 400 in b50ff0d

    
           message License { 
        
             oneof license { 
        
               // A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list. 
        
               string id = 1;

problem

Using arbitrary strings for license.id means, that there is just no baked-in safety.
To improve this, I propose to use a dedicated ProtoBuf package that can be maintained and released outside the regular CDX release cycle, just like the enum for JSON and XML.

possible solution

have a file spdx.proto
- use an own package cyclonedx.spdx
- declare the like
```
enum LicenseId {
  LICENSEID_UNSPECIFIED = 0
  // 0BSD
  LICENSEID_0BSD = 1
  // ...
  // Apache-1.0
  LICENSEID_Apache_1_0
  // ...
}
```
- have this file checked against breaking changes
  - see https://github.com/CycloneDX/specification/blob/master/tools/src/test/proto/buf_breaking-remote.yaml
  - see https://github.com/CycloneDX/specification/blob/master/tools/src/test/proto/buf_breaking-version.yaml
  - have the license file updated with the other spdx.* schema files

in the bom-1.x.proto file, use that enum (pseudocode)

import "cyclonedx.spdx";
message License {
  oneof license {
    // A known SPDX license identifier.
    cyclonedx.spdx.LicenseId = 1;
    // ...
  }
  // ...
}

consideration & research

❗ this might be a breaking change - need to investigate
❕ need to investigate how/where to publish the schema file, so that has the intended effect

The text was updated successfully, but these errors were encountered:

jkowalleck · 2025-01-13T20:48:57Z

this is currently in RFC phase.
If you have any opinion on that, please let us know.

jkowalleck added format: ProtoBuf proposed core enhancement labels Jan 13, 2025

jkowalleck changed the title ~~[FEATURE]: ProtoBuf - move SPDX licenses ID enum to own package~~ [FEATURE]: ProtoBuf - make license.id an (external) enum Jan 13, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[FEATURE]: ProtoBuf - make `license.id` an (external) enum #574

[FEATURE]: ProtoBuf - make `license.id` an (external) enum #574

jkowalleck commented Jan 13, 2025 •

edited

Loading

jkowalleck commented Jan 13, 2025

[FEATURE]: ProtoBuf - make license.id an (external) enum #574

[FEATURE]: ProtoBuf - make license.id an (external) enum #574

Comments

jkowalleck commented Jan 13, 2025 • edited Loading

problem

possible solution

consideration & research

jkowalleck commented Jan 13, 2025

[FEATURE]: ProtoBuf - make `license.id` an (external) enum #574

[FEATURE]: ProtoBuf - make `license.id` an (external) enum #574

jkowalleck commented Jan 13, 2025 •

edited

Loading