diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 2f1aaf0d..d75ce987 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -384,12 +384,14 @@ message LicenseChoice {
oneof choice {
// A license
License license = 1;
- // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
+ // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements.
string expression = 2;
+ // A SPDX license expression and its details
+ LicenseExpressionDetailed expression_detailed = 5;
}
- // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
+ // This field must only be used when `expression` is chosen as the other options have their own acknowledgement.
optional LicenseAcknowledgementEnumeration acknowledgement = 3;
- // This field must only be used when "expression" is chosen as the License object has its own bom_ref.
+ // This field must only be used when `expression` is chosen as the other options have their own bom_ref.
optional string bom_ref = 4;
}
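Review bot: The comment on the new `expression_detailed` member at field 5 does not tell a reader when to pick it over `expression`, although the two are mutually exclusive inside the oneof and the new message carries its own `bom_ref`, `acknowledgement`, `licensing` and `properties`. I would make that explicit, e.g. `// An SPDX license expression with per-identifier details, acknowledgement, licensing and properties. Use this instead of the plain expression field when any of those are needed.` That line also reads "A SPDX" where "An SPDX" is wanted, matching the wording used on field 2.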
@@ -415,6 +417,46 @@ message License {
optional LicenseAcknowledgementEnumeration acknowledgement = 8;
}
+// Specifies the details and attributes related to a software license.
+// It must be a valid SPDX license expression, along with additional properties such as license acknowledgment.
+message LicenseExpressionDetailed {
+
+ // This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.
+ // The `license_identifier` field serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.
+ message ExpressionDetails {
+ // A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.
+ // This field serves as the primary key, which uniquely identifies each record.
+ // Example values:
+ // - "Apache-2.0",
+ // - "GPL-3.0-only WITH Classpath-exception-2.0"
+ // - "LicenseRef-my-custom-license"
+ string license_identifier = 1;
+ // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 2;
+ // An optional way to include the textual content of the license.
+ optional AttachedText text = 3;
+ // The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness
+ optional string url = 4;
+ }
+
+ // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements.
+ // Example values:
+ // - "Apache-2.0 AND (MIT OR GPL-2.0-only)",
+ // - "GPL-3.0-only WITH Classpath-exception-2.0"
+ string expression = 1;
+ // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+ // Details for parts of the `expression`.
+ repeated ExpressionDetails details = 2;
+ // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 3;
+ // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+ optional LicenseAcknowledgementEnumeration acknowledgement = 4;
+ // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+ optional Licensing licensing = 5;
+ // Specifies optional, custom, properties
+ repeated Property properties = 6;
+}
+
// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
enum LicenseAcknowledgementEnumeration {
// The license acknowledgement is not specified.
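Review bot: The comment on `details` at field 2 carries a stray first line, "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", which is the comment of the `licensing` field at field 5 and does not describe a repeated `ExpressionDetails`; drop it and keep only `// Details for parts of the expression.` The nested message's documentation also contradicts itself: the message comment says `license_identifier` is not required to be unique, while the field comment says it "serves as the primary key, which uniquely identifies each record", and one of the two statements has to go. The same pair of sentences appears in the JSON schema hunk (`licenseIdentifier` description) and in the XSD hunks (`license-identifier` attribute), so all three formats need the same correction. Minor: the message comment opens with "This document specifies", which should read "This message specifies".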
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index e1dd5b1d..e526c90c 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -1230,6 +1230,161 @@
"examples": ["3942447fac867ae5cdb3229b658f4d48"],
"pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"
},
+ "licensing": {
+ "type": "object",
+ "title": "Licensing information",
+ "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata",
+ "additionalProperties": false,
+ "properties": {
+ "altIds": {
+ "type": "array",
+ "title": "Alternate License Identifiers",
+ "description": "License identifiers that may be used to manage licenses and their lifecycle",
+ "items": {
+ "type": "string"
+ }
+ },
+ "licensor": {
+ "title": "Licensor",
+ "description": "The individual or organization that grants a license to another individual or organization",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "organization": {
+ "title": "Licensor (Organization)",
+ "description": "The organization that granted the license",
+ "$ref": "#/definitions/organizationalEntity"
+ },
+ "individual": {
+ "title": "Licensor (Individual)",
+ "description": "The individual, not associated with an organization, that granted the license",
+ "$ref": "#/definitions/organizationalContact"
+ }
+ },
+ "oneOf":[
+ {
+ "required": ["organization"]
+ },
+ {
+ "required": ["individual"]
+ }
+ ]
+ },
+ "licensee": {
+ "title": "Licensee",
+ "description": "The individual or organization for which a license was granted to",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "organization": {
+ "title": "Licensee (Organization)",
+ "description": "The organization that was granted the license",
+ "$ref": "#/definitions/organizationalEntity"
+ },
+ "individual": {
+ "title": "Licensee (Individual)",
+ "description": "The individual, not associated with an organization, that was granted the license",
+ "$ref": "#/definitions/organizationalContact"
+ }
+ },
+ "oneOf":[
+ {
+ "required": ["organization"]
+ },
+ {
+ "required": ["individual"]
+ }
+ ]
+ },
+ "purchaser": {
+ "title": "Purchaser",
+ "description": "The individual or organization that purchased the license",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "organization": {
+ "title": "Purchaser (Organization)",
+ "description": "The organization that purchased the license",
+ "$ref": "#/definitions/organizationalEntity"
+ },
+ "individual": {
+ "title": "Purchaser (Individual)",
+ "description": "The individual, not associated with an organization, that purchased the license",
+ "$ref": "#/definitions/organizationalContact"
+ }
+ },
+ "oneOf":[
+ {
+ "required": ["organization"]
+ },
+ {
+ "required": ["individual"]
+ }
+ ]
+ },
+ "purchaseOrder": {
+ "type": "string",
+ "title": "Purchase Order",
+ "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"
+ },
+ "licenseTypes": {
+ "type": "array",
+ "title": "License Type",
+ "description": "The type of license(s) that was granted to the licensee.",
+ "items": {
+ "type": "string",
+ "enum": [
+ "academic",
+ "appliance",
+ "client-access",
+ "concurrent-user",
+ "core-points",
+ "custom-metric",
+ "device",
+ "evaluation",
+ "named-user",
+ "node-locked",
+ "oem",
+ "perpetual",
+ "processor-points",
+ "subscription",
+ "user",
+ "other"
+ ],
+ "meta:enum": {
+ "academic": "A license that grants use of software solely for the purpose of education or research.",
+ "appliance": "A license covering use of software embedded in a specific piece of hardware.",
+ "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.",
+ "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.",
+ "core-points": "A license where the core of a computer's processor is assigned a specific number of points.",
+ "custom-metric": "A license for which consumption is measured by non-standard metrics.",
+ "device": "A license that covers a defined number of installations on computers and other types of devices.",
+ "evaluation": "A license that grants permission to install and use software for trial purposes.",
+ "named-user": "A license that grants access to the software to one or more pre-defined users.",
+ "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.",
+ "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.",
+ "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.",
+ "processor-points": "A license where each installation consumes points per processor.",
+ "subscription": "A license where the licensee pays a fee to use the software or service.",
+ "user": "A license that grants access to the software or service by a specified number of users.",
+ "other": "Another license type."
+ }
+ }
+ },
+ "lastRenewal": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Last Renewal",
+ "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."
+ },
+ "expiration": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Expiration",
+ "description": "The timestamp indicating when the current license expires (if applicable)."
+ }
+ }
+ },
"license": {
"type": "object",
"title": "License",
@@ -1276,161 +1431,7 @@
"examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"],
"format": "iri-reference"
},
- "licensing": {
- "type": "object",
- "title": "Licensing information",
- "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata",
- "additionalProperties": false,
- "properties": {
- "altIds": {
- "type": "array",
- "title": "Alternate License Identifiers",
- "description": "License identifiers that may be used to manage licenses and their lifecycle",
- "items": {
- "type": "string"
- }
- },
- "licensor": {
- "title": "Licensor",
- "description": "The individual or organization that grants a license to another individual or organization",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "organization": {
- "title": "Licensor (Organization)",
- "description": "The organization that granted the license",
- "$ref": "#/definitions/organizationalEntity"
- },
- "individual": {
- "title": "Licensor (Individual)",
- "description": "The individual, not associated with an organization, that granted the license",
- "$ref": "#/definitions/organizationalContact"
- }
- },
- "oneOf":[
- {
- "required": ["organization"]
- },
- {
- "required": ["individual"]
- }
- ]
- },
- "licensee": {
- "title": "Licensee",
- "description": "The individual or organization for which a license was granted to",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "organization": {
- "title": "Licensee (Organization)",
- "description": "The organization that was granted the license",
- "$ref": "#/definitions/organizationalEntity"
- },
- "individual": {
- "title": "Licensee (Individual)",
- "description": "The individual, not associated with an organization, that was granted the license",
- "$ref": "#/definitions/organizationalContact"
- }
- },
- "oneOf":[
- {
- "required": ["organization"]
- },
- {
- "required": ["individual"]
- }
- ]
- },
- "purchaser": {
- "title": "Purchaser",
- "description": "The individual or organization that purchased the license",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "organization": {
- "title": "Purchaser (Organization)",
- "description": "The organization that purchased the license",
- "$ref": "#/definitions/organizationalEntity"
- },
- "individual": {
- "title": "Purchaser (Individual)",
- "description": "The individual, not associated with an organization, that purchased the license",
- "$ref": "#/definitions/organizationalContact"
- }
- },
- "oneOf":[
- {
- "required": ["organization"]
- },
- {
- "required": ["individual"]
- }
- ]
- },
- "purchaseOrder": {
- "type": "string",
- "title": "Purchase Order",
- "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"
- },
- "licenseTypes": {
- "type": "array",
- "title": "License Type",
- "description": "The type of license(s) that was granted to the licensee.",
- "items": {
- "type": "string",
- "enum": [
- "academic",
- "appliance",
- "client-access",
- "concurrent-user",
- "core-points",
- "custom-metric",
- "device",
- "evaluation",
- "named-user",
- "node-locked",
- "oem",
- "perpetual",
- "processor-points",
- "subscription",
- "user",
- "other"
- ],
- "meta:enum": {
- "academic": "A license that grants use of software solely for the purpose of education or research.",
- "appliance": "A license covering use of software embedded in a specific piece of hardware.",
- "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.",
- "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.",
- "core-points": "A license where the core of a computer's processor is assigned a specific number of points.",
- "custom-metric": "A license for which consumption is measured by non-standard metrics.",
- "device": "A license that covers a defined number of installations on computers and other types of devices.",
- "evaluation": "A license that grants permission to install and use software for trial purposes.",
- "named-user": "A license that grants access to the software to one or more pre-defined users.",
- "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.",
- "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.",
- "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.",
- "processor-points": "A license where each installation consumes points per processor.",
- "subscription": "A license where the licensee pays a fee to use the software or service.",
- "user": "A license that grants access to the software or service by a specified number of users.",
- "other": "Another license type."
- }
- }
- },
- "lastRenewal": {
- "type": "string",
- "format": "date-time",
- "title": "Last Renewal",
- "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."
- },
- "expiration": {
- "type": "string",
- "format": "date-time",
- "title": "Expiration",
- "description": "The timestamp indicating when the current license expires (if applicable)."
- }
- }
- },
+ "licensing": {"$ref": "#/definitions/licensing"},
"properties": {
"type": "array",
"title": "Properties",
@@ -1479,6 +1480,8 @@
"minItems": 1,
"maxItems": 1,
"items": [{
+ "title": "License Expression",
+ "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.",
"type": "object",
"additionalProperties": false,
"required": ["expression"],
@@ -1486,12 +1489,54 @@
"expression": {
"type": "string",
"title": "SPDX License Expression",
- "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements",
+ "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.",
"examples": [
"Apache-2.0 AND (MIT OR GPL-2.0-only)",
"GPL-3.0-only WITH Classpath-exception-2.0"
]
},
+ "expressionDetails": {
+ "title": "Expression Details",
+ "description": "Details for parts of the `expression`.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.",
+ "required": [
+ "licenseIdentifier"
+ ],
+ "properties": {
+ "licenseIdentifier": {
+ "title": "License Identifier",
+ "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.",
+ "type": "string",
+ "examples": [
+ "Apache-2.0",
+ "GPL-3.0-only WITH Classpath-exception-2.0",
+ "LicenseRef-my-custom-license"
+ ]
+ },
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "text": {
+ "title": "License texts",
+ "description": "An optional way to include the textual content of the license.",
+ "$ref": "#/definitions/attachment"
+ },
+ "url": {
+ "type": "string",
+ "title": "License URL",
+ "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness",
+ "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"],
+ "format": "iri-reference"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
"acknowledgement": {
"$ref": "#/definitions/licenseAcknowledgementEnumeration"
},
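Review bot: The `description` of the `expressionDetails` items refers to a `license_identifier` property, but the property this schema defines is `licenseIdentifier` (the snake_case name is the protobuf field), so the sentence should read "The `licenseIdentifier` property serves as the key that identifies each record". As in the proto, that sentence says the key is not required to be unique while the `licenseIdentifier` description calls it "the primary key, which uniquely identifies each record"; the two should agree. The enclosing `properties` object of the expression item starts before and ends after this hunk.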
@@ -1499,6 +1544,13 @@
"$ref": "#/definitions/refType",
"title": "BOM Reference",
"description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "licensing": {"$ref": "#/definitions/licensing"},
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
+ "items": {"$ref": "#/definitions/property"}
}
}
}]
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index ae468665..87e72888 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -761,6 +761,154 @@ limitations under the License.
+
+
+
+
+ An optional identifier which can be used to reference the license elsewhere in the BOM.
+ Uniqueness is enforced within all elements and children of the root-level bom element.
+
+
+
+
+
+
+ Declared licenses and concluded licenses represent two different stages in the
+ licensing process within software development. Declared licenses refer to the
+ initial intention of the software authors regarding the licensing terms under
+ which their code is released. On the other hand, concluded licenses are the
+ result of a comprehensive analysis of the project's codebase to identify and
+ confirm the actual licenses of the components used, which may differ from the
+ initially declared licenses. While declared licenses provide an upfront indication
+ of the licensing intentions, concluded licenses offer a more thorough understanding
+ of the actual licensing within a project, facilitating proper compliance and risk
+ management. Observed licenses are defined in `evidence.licenses`. Observed licenses
+ form the evidence necessary to substantiate a concluded license.
+
+
+
+
+
+
+
+
+
+ License identifiers that may be used to manage licenses and
+ their lifecycle
+
+
+
+
+
+
+
+
+
+ The individual or organization that grants a license to another
+ individual or organization
+
+
+
+
+
+
+ The organization that granted the license
+
+
+
+
+ The individual, not associated with an organization,
+ that granted the license
+
+
+
+
+
+
+
+
+ The individual or organization for which a license was granted to
+
+
+
+
+
+
+ The organization that was granted the license
+
+
+
+
+ The individual, not associated with an organization,
+ that was granted the license
+
+
+
+
+
+
+
+
+ The individual or organization that purchased the license
+
+
+
+
+
+
+ The organization that purchased the license
+
+
+
+
+ The individual, not associated with an organization,
+ that purchased the license
+
+
+
+
+
+
+
+
+ The purchase order identifier the purchaser sent to a supplier or
+ vendor to authorize a purchase
+
+
+
+
+ The type of license(s) that was granted to the licensee
+
+
+
+
+
+
+
+
+
+ The timestamp indicating when the license was last
+ renewed. For new purchases, this is often the purchase or acquisition date.
+ For non-perpetual licenses or subscriptions, this is the timestamp of when the
+ license was last renewed.
+
+
+
+
+ The timestamp indicating when the current license
+ expires (if applicable).
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
Specifies the details and attributes related to a software license.
@@ -792,119 +940,79 @@ limitations under the License.
an externalReference should also be specified for completeness.
-
+
Licensing details describing the licensor/licensee, license type, renewal and
expiration dates, and other important metadata
+
+
+
+ Provides the ability to document properties in a name/value store.
+ This provides flexibility to include data not officially supported in the standard
+ without having to use additional namespaces or create extensions. Property names
+ of interest to the general public are encouraged to be registered in the
+ CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
+ Formal registration is optional.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+
+ A valid SPDX license expression.
+ Refer to https://spdx.org/specifications for syntax requirements.
+
+ Example values:
+ - Apache-2.0 AND (MIT OR GPL-2.0-only)
+ - GPL-3.0-only WITH Classpath-exception-2.0
+
+
+
+
+
+
+
+
+
+
+ Specifies the details and attributes related to a software license.
+ It must be a valid SPDX license expression, along with additional properties such as license acknowledgment.
+
+
+
+
+
+ Details for parts of the `expression`.
+
+
+
+ This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.
+ The `license-identifier` attribute serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.
+
+
-
+
- License identifiers that may be used to manage licenses and
- their lifecycle
+ An optional way to include the textual content of the license.
-
-
-
-
-
-
-
- The individual or organization that grants a license to another
- individual or organization
-
-
-
-
-
-
- The organization that granted the license
-
-
-
-
- The individual, not associated with an organization,
- that granted the license
-
-
-
-
-
-
-
-
- The individual or organization for which a license was granted to
-
-
-
-
-
-
- The organization that was granted the license
-
-
-
-
- The individual, not associated with an organization,
- that was granted the license
-
-
-
-
-
-
-
-
- The individual or organization that purchased the license
-
-
-
-
-
-
- The organization that purchased the license
-
-
-
-
- The individual, not associated with an organization,
- that purchased the license
-
-
-
-
-
-
-
-
- The purchase order identifier the purchaser sent to a supplier or
- vendor to authorize a purchase
-
-
-
-
- The type of license(s) that was granted to the licensee
-
-
-
-
-
-
-
-
-
- The timestamp indicating when the license was last
- renewed. For new purchases, this is often the purchase or acquisition date.
- For non-perpetual licenses or subscriptions, this is the timestamp of when the
- license was last renewed.
-
-
-
+
- The timestamp indicating when the current license
- expires (if applicable).
+ The URL to the attachment file. If the attachment is a license or BOM,
+ an externalReference should also be specified for completeness.
@@ -915,8 +1023,35 @@ limitations under the License.
+
+
+
+ A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.
+ This attribute serves as the primary key, which uniquely identifies each record.
+
+ Example values:
+ - Apache-2.0
+ - GPL-3.0-only WITH Classpath-exception-2.0
+ - LicenseRef-my-custom-license
+
+
+
+
+
+
+ An optional identifier which can be used to reference the license elsewhere in the BOM.
+ Uniqueness is enforced within all elements and children of the root-level bom element.
+
+
+
+
+
+ Licensing details describing the licensor/licensee, license type, renewal and
+ expiration dates, and other important metadata
+
+
Provides the ability to document properties in a name/value store.
@@ -935,28 +1070,15 @@ limitations under the License.
-
-
-
- An optional identifier which can be used to reference the license elsewhere in the BOM.
- Uniqueness is enforced within all elements and children of the root-level bom element.
-
-
-
-
+
+
-
- Declared licenses and concluded licenses represent two different stages in the
- licensing process within software development. Declared licenses refer to the
- initial intention of the software authors regarding the licensing terms under
- which their code is released. On the other hand, concluded licenses are the
- result of a comprehensive analysis of the project's codebase to identify and
- confirm the actual licenses of the components used, which may differ from the
- initially declared licenses. While declared licenses provide an upfront indication
- of the licensing intentions, concluded licenses offer a more thorough understanding
- of the actual licensing within a project, facilitating proper compliance and risk
- management. Observed licenses are defined in `evidence.licenses`. Observed licenses
- form the evidence necessary to substantiate a concluded license.
+ A valid SPDX license expression.
+ Refer to https://spdx.org/specifications for syntax requirements.
+
+ Example values:
+ - Apache-2.0 AND (MIT OR GPL-2.0-only)
+ - GPL-3.0-only WITH Classpath-exception-2.0
@@ -2299,48 +2421,8 @@ limitations under the License.
-
-
- A valid SPDX license expression.
- Refer to https://spdx.org/specifications for syntax requirements
-
- Example values:
- - Apache-2.0 AND (MIT OR GPL-2.0-only)
- - GPL-3.0-only WITH Classpath-exception-2.0
-
-
-
-
-
-
-
-
- An optional identifier which can be used to reference the license elsewhere in the BOM.
- Uniqueness is enforced within all elements and children of the root-level bom element.
-
-
-
-
-
-
- Declared licenses and concluded licenses represent two different stages in the
- licensing process within software development. Declared licenses refer to the
- initial intention of the software authors regarding the licensing terms under
- which their code is released. On the other hand, concluded licenses are the
- result of a comprehensive analysis of the project's codebase to identify and
- confirm the actual licenses of the components used, which may differ from the
- initially declared licenses. While declared licenses provide an upfront indication
- of the licensing intentions, concluded licenses offer a more thorough understanding
- of the actual licensing within a project, facilitating proper compliance and risk
- management. Observed licenses are defined in `evidence.licenses`. Observed licenses
- form the evidence necessary to substantiate a concluded license.
-
-
-
-
-
-
-
+
+
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.json
new file mode 100644
index 00000000..97f3f773
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:78a32681-a31f-4097-b151-7b771cc58157",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "publisher": "Acme Inc",
+ "group": "com.acme",
+ "name": "cryptographic-provider",
+ "version": "2.2.0",
+ "licenses": [
+ {
+ "bom-ref": "acme-license-1",
+ "expression": "LicenseRef-AcmeCommercialLicense",
+ "licensing": {
+ "altIds": [
+ "acme",
+ "acme-license"
+ ],
+ "licensor": {
+ "organization": {
+ "name": "Acme Inc",
+ "contact": [
+ {
+ "name": "Acme Licensing Fulfillment",
+ "email": "licensing@example.com"
+ }
+ ]
+ }
+ },
+ "licensee": {
+ "organization": {
+ "name": "Example Co."
+ }
+ },
+ "purchaser": {
+ "individual": {
+ "name": "Samantha Wright",
+ "email": "samantha.wright@gmail.com",
+ "phone": "800-555-1212"
+ }
+ },
+ "purchaseOrder": "PO-12345",
+ "licenseTypes": [
+ "appliance"
+ ],
+ "lastRenewal": "2022-04-13T20:20:39+00:00",
+ "expiration": "2023-04-13T20:20:39+00:00"
+ }
+ }
+ ]
+ }
+ ]
+}
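Review bot: The `purchaser.individual.email` value uses a real third-party mail domain, `samantha.wright@gmail.com`, while the licensor contact in the same fixture uses the reserved `example.com`; fixtures ship with the schema, so a reserved domain avoids pointing at an address someone may actually own, e.g. `"email": "samantha.wright@example.com"`. The same value is repeated in the new textproto and XML fixtures of this commit, which should change together. It appears to be carried over from earlier licensing fixtures; cleaning those up is outside this commit.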
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.textproto
new file mode 100644
index 00000000..eb6aaca5
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.textproto
@@ -0,0 +1,54 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:78a32681-a31f-4097-b151-7b771cc58157"
+components {
+ type: CLASSIFICATION_LIBRARY
+ publisher: "Acme Inc"
+ group: "com.acme"
+ name: "cryptographic-provider"
+ version: "2.2.0"
+ licenses {
+ expression_detailed {
+ bom_ref: "acme-license-1"
+ expression: "LicenseRef-AcmeCommercialLicense"
+ licensing {
+ altIds: "acme"
+ altIds: "acme-license"
+ licensor {
+ organization {
+ name: "Acme Inc"
+ contact {
+ name: "Acme Licensing Fulfillment"
+ email: "licensing@example.com"
+ }
+ }
+ }
+ licensee {
+ organization {
+ name: "Example Co."
+ }
+ }
+ purchaser {
+ individual {
+ name: "Samantha Wright"
+ email: "samantha.wright@gmail.com"
+ phone: "800-555-1212"
+ }
+ }
+ purchaseOrder: "PO-12345"
+ licenseTypes: LICENSING_TYPE_APPLIANCE
+ lastRenewal {
+ seconds: 1649881239
+ nanos: 3
+ }
+ expiration {
+ seconds: 1681417239
+ nanos: 3
+ }
+ }
+ }
+ }
+}
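Review bot: `lastRenewal` and `expiration` in this textproto carry `nanos: 3`, while the JSON and XML twins of the same fixture use `2022-04-13T20:20:39+00:00` and `2023-04-13T20:20:39+00:00` with no fractional seconds; the `seconds` values (1649881239 / 1681417239) do correspond to those instants, so the nanos are the only thing that makes this file a different document from the other two formats. If the three fixtures are intended to round-trip to one BOM, drop the two `nanos: 3` lines (a Timestamp with only `seconds` set is the exact equivalent of the JSON value). If the nanos were copied from an earlier fixture on purpose, a one-line `#` comment saying so would stop the next reader from "fixing" it.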
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.xml
new file mode 100644
index 00000000..319f33b4
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.xml
@@ -0,0 +1,49 @@
+
+
+
+
+ Acme Inc
+ com.acme
+ cryptographic-provider
+ 2.2.0
+
+
+
+
+ acme
+ acme-license
+
+
+
+ Acme Inc
+
+ Acme Licensing Fulfillment
+ licensing@example.com
+
+
+
+
+
+ Example Co.
+
+
+
+
+ Samantha Wright
+ samantha.wright@gmail.com
+ 800-555-1212
+
+
+ PO-12345
+
+ appliance
+
+ 2022-04-13T20:20:39+00:00
+ 2023-04-13T20:20:39+00:00
+
+
+
+
+
+
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json
new file mode 100644
index 00000000..4250fbb8
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json
@@ -0,0 +1,58 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:8ad91ceb-1741-4d58-8d22-4488a0f68dbe",
+ "version": 1,
+ "components": [
+ {
+ "type": "application",
+ "name": "my-application",
+ "version": "1.33.7",
+ "description": "This application is composed of multiple things, and therefore has multiple licenses applied:\n* custom code - custom license\n* component A - EPL or GPL\n* component B - MIT\n* component C - MIT",
+ "licenses": [
+ {
+ "bom-ref": "my-application-license",
+ "acknowledgement": "declared",
+ "expression": "LicenseRef-my-custom-license AND (EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0) AND MIT",
+ "expressionDetails": [
+ {
+ "licenseIdentifier": "LicenseRef-my-custom-license",
+ "text": {
+ "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
+ },
+ "url": "https://my-application.example.com/license.txt"
+ },
+ {
+ "licenseIdentifier": "EPL-2.0",
+ "text": {
+ "content": "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
+ }
+ },
+ {
+ "licenseIdentifier": "GPL-2.0 WITH Classpath-exception-2.0",
+ "text": {
+ "contentType": "text/plain",
+ "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
+ }
+ },
+ {
+ "licenseIdentifier": "MIT",
+ "bom-ref": "LicenseDetails-component-C",
+ "text": {
+ "content": "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..."
+ }
+ },
+ {
+ "licenseIdentifier": "MIT",
+ "bom-ref": "LicenseDetails-component-C",
+ "text": {
+ "content": "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..."
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
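Review bot: The fourth and fifth `expressionDetails` entries both declare `"bom-ref": "LicenseDetails-component-C"`, although the fourth entry's text is attributed to "Component-B-Creators Inc." and the textproto twin of this fixture gives that entry `LicenseDetails-component-B`. A `bom-ref` is meant to be unique within a BOM, so a fixture named `valid-…` that repeats one will either fail once the validator enforces uniqueness or quietly bless a duplicate that consumers cannot resolve. Change the fourth entry to `"bom-ref": "LicenseDetails-component-B"` so the JSON and textproto describe the same document. Separately, the third entry uses the compound `"GPL-2.0 WITH Classpath-exception-2.0"` as a `licenseIdentifier`; if that field is meant to hold a single SPDX identifier rather than a `WITH` expression, this fixture should either be adjusted or the schema comment should state that exception-qualified identifiers are allowed.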
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
new file mode 100644
index 00000000..4b18aec3
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
@@ -0,0 +1,53 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:8ad91ceb-1741-4d58-8d22-4488a0f68dbe"
+components {
+ type: CLASSIFICATION_APPLICATION
+ name: "my-application"
+ version: "1.33.7"
+ description: "This application is composed of multiple things, and therefore has multiple licenses applied:\n* custom code - custom license\n* component A - EPL or GPL\n* component B - MIT\n* component C - MIT"
+ licenses {
+ expression_detailed {
+ bom_ref: "my-application-license"
+ acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+ expression: "LicenseRef-my-custom-license AND (EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0) AND MIT"
+ details {
+ license_identifier: "LicenseRef-my-custom-license"
+ text {
+ value: "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
+ }
+ url: "https://my-application.example.com/license.txt"
+ }
+ details {
+ license_identifier: "EPL-2.0"
+ text {
+ value: "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
+ }
+ }
+ details {
+ license_identifier: "GPL-2.0 WITH Classpath-exception-2.0",
+ text {
+ content_type: "text/plain",
+ value: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
+ }
+ }
+ details {
+ license_identifier: "MIT"
+ bom_ref: "LicenseDetails-component-B"
+ text {
+ value: "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..."
+ }
+ }
+ details {
+ license_identifier: "MIT"
+ bom_ref: "LicenseDetails-component-C"
+ text {
+ value: "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..."
+ }
+ }
+ }
+ }
+}
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml
new file mode 100644
index 00000000..74ea7dac
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml
@@ -0,0 +1,69 @@
+
+
+
+
+ my-application
+ 1.33.7
+
+ This application is composed of multiple things, and therefore has multiple licenses applied:
+ * custom code - custom license
+ * component A - EPL or GPL
+ * component B - MIT
+ * component C - MIT
+
+
+
+
+ Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
+ https://my-application.example.com/license.txt
+
+
+
+
+
+
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed...
+
+...
+
+Linking this library statically or dynamically with other modules is making a combined work based on this library...]]>
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.json
new file mode 100644
index 00000000..a35781c5
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.json
@@ -0,0 +1,50 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "application",
+ "publisher": "Acme Inc",
+ "group": "com.acme",
+ "name": "tomcat-catalina",
+ "version": "9.0.14",
+ "description": "Modified version of Apache Catalina",
+ "scope": "required",
+ "hashes": [
+ {
+ "alg": "MD5",
+ "content": "3942447fac867ae5cdb3229b658f4d48"
+ },
+ {
+ "alg": "SHA-1",
+ "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ },
+ {
+ "alg": "SHA-256",
+ "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ },
+ {
+ "alg": "SHA-512",
+ "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0",
+ "acknowledgement": "declared",
+ "bom-ref": "my-license",
+ "text": {
+ "contentType": "text/plain",
+ "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION..."
+ }
+ }
+ }
+ ],
+ "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.textproto
new file mode 100644
index 00000000..4adae88e
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.textproto
@@ -0,0 +1,43 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+ type: CLASSIFICATION_APPLICATION
+ publisher: "Acme Inc"
+ group: "com.acme"
+ name: "tomcat-catalina"
+ version: "9.0.14"
+ description: "Modified version of Apache Catalina"
+ scope: SCOPE_REQUIRED
+ hashes {
+ alg: HASH_ALG_MD_5
+ value: "3942447fac867ae5cdb3229b658f4d48"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_1
+ value: "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_256
+ value: "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_512
+ value: "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ licenses {
+ license {
+ id: "Apache-2.0"
+ acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+ bom_ref: "my-license"
+ text {
+ content_type: "text/plain",
+ value: "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION..."
+ }
+ }
+ }
+ purl: "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+}
diff --git a/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.xml
new file mode 100644
index 00000000..09d4303c
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.xml
@@ -0,0 +1,31 @@
+
+
+
+
+ Acme Inc
+ com.acme
+ tomcat-catalina
+ 9.0.14
+ Modified version of Apache Catalina
+ required
+
+ 3942447fac867ae5cdb3229b658f4d48
+ e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a
+ f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b
+ e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282
+
+
+
+ Apache-2.0
+
+
+
+ pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar
+
+
+
diff --git a/tools/src/test/resources/1.7/valid-license-licensing-1.7.json b/tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.json
similarity index 100%
rename from tools/src/test/resources/1.7/valid-license-licensing-1.7.json
rename to tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.json
diff --git a/tools/src/test/resources/1.7/valid-license-licensing-1.7.textproto b/tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.textproto
similarity index 100%
rename from tools/src/test/resources/1.7/valid-license-licensing-1.7.textproto
rename to tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.textproto
diff --git a/tools/src/test/resources/1.7/valid-license-licensing-1.7.xml b/tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.xml
similarity index 100%
rename from tools/src/test/resources/1.7/valid-license-licensing-1.7.xml
rename to tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.xml
diff --git a/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.json
new file mode 100644
index 00000000..b73c3c6d
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.json
@@ -0,0 +1,50 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "application",
+ "publisher": "Acme Inc",
+ "group": "com.acme",
+ "name": "tomcat-catalina",
+ "version": "9.0.14",
+ "description": "Modified version of Apache Catalina",
+ "scope": "required",
+ "hashes": [
+ {
+ "alg": "MD5",
+ "content": "3942447fac867ae5cdb3229b658f4d48"
+ },
+ {
+ "alg": "SHA-1",
+ "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ },
+ {
+ "alg": "SHA-256",
+ "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ },
+ {
+ "alg": "SHA-512",
+ "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "My License",
+ "bom-ref": "my-license",
+ "acknowledgement": "declared",
+ "text": {
+ "contentType": "text/plain",
+ "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus nec turpis efficitur, ullamcorper lorem ac, fermentum nulla. Mauris a enim nunc. Aliquam diam tellus, porttitor venenatis leo in, mollis ultricies lacus. Sed sagittis hendrerit nulla, eget pulvinar diam..."
+ }
+ }
+ }
+ ],
+ "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.textproto
new file mode 100644
index 00000000..d736b0f8
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.textproto
@@ -0,0 +1,43 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+ type: CLASSIFICATION_APPLICATION
+ publisher: "Acme Inc"
+ group: "com.acme"
+ name: "tomcat-catalina"
+ version: "9.0.14"
+ description: "Modified version of Apache Catalina"
+ scope: SCOPE_REQUIRED
+ hashes {
+ alg: HASH_ALG_MD_5
+ value: "3942447fac867ae5cdb3229b658f4d48"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_1
+ value: "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_256
+ value: "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_512
+ value: "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ licenses {
+ license {
+ name: "My License"
+ bom_ref: "my-license"
+ acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+ text {
+ content_type: "text/plain",
+ value: "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus nec turpis efficitur, ullamcorper lorem ac, fermentum nulla. Mauris a enim nunc. Aliquam diam tellus, porttitor venenatis leo in, mollis ultricies lacus. Sed sagittis hendrerit nulla, eget pulvinar diam..."
+ }
+ }
+ }
+ purl: "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+}
diff --git a/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.xml
new file mode 100644
index 00000000..0256cb6d
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.xml
@@ -0,0 +1,26 @@
+
+
+
+
+ Acme Inc
+ com.acme
+ tomcat-catalina
+ 9.0.14
+ Modified version of Apache Catalina
+ required
+
+ 3942447fac867ae5cdb3229b658f4d48
+ e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a
+ f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b
+ e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282
+
+
+
+ My License
+
+
+
+ pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar
+
+
+