From 39524a26a97c1c91d71c9d78e22c9da933d365bf Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 20 Feb 2025 13:59:41 +0100 Subject: [PATCH 01/26] feat: license expression text attachment - tests: examples for licenses with text - tests: draft for expressiosn with text Signed-off-by: Jan Kowalleck --- ...alid-license-expression-with-text-1.7.json | 56 +++++++++++++++++++ ...license-expression-with-text-1.7.textproto | 49 ++++++++++++++++ ...valid-license-expression-with-text-1.7.xml | 41 ++++++++++++++ .../1.7/valid-license-id-with-text-1.7.json | 49 ++++++++++++++++ .../valid-license-id-with-text-1.7.textproto | 47 ++++++++++++++++ .../1.7/valid-license-id-with-text-1.7.xml | 31 ++++++++++ .../1.7/valid-license-name-with-text-1.7.json | 49 ++++++++++++++++ ...valid-license-name-with-text-1.7.textproto | 42 ++++++++++++++ .../1.7/valid-license-name-with-text-1.7.xml | 26 +++++++++ 9 files changed, 390 insertions(+) create mode 100644 tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json create mode 100644 tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto create mode 100644 tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml create mode 100644 tools/src/test/resources/1.7/valid-license-id-with-text-1.7.json create mode 100644 tools/src/test/resources/1.7/valid-license-id-with-text-1.7.textproto create mode 100644 tools/src/test/resources/1.7/valid-license-id-with-text-1.7.xml create mode 100644 tools/src/test/resources/1.7/valid-license-name-with-text-1.7.json create mode 100644 tools/src/test/resources/1.7/valid-license-name-with-text-1.7.textproto create mode 100644 tools/src/test/resources/1.7/valid-license-name-with-text-1.7.xml diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json new file mode 100644 index 00000000..5079d33b --- /dev/null 
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json 
@@ -0,0 +1,56 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "application",
+ "publisher": "Acme Inc",
+ "group": "com.acme",
+ "name": "tomcat-catalina",
+ "version": "9.0.14",
+ "description": "Modified version of Apache Catalina",
+ "scope": "required",
+ "hashes": [
+ {
+ "alg": "MD5",
+ "content": "3942447fac867ae5cdb3229b658f4d48"
+ },
+ {
+ "alg": "SHA-1",
+ "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ },
+ {
+ "alg": "SHA-256",
+ "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ },
+ {
+ "alg": "SHA-512",
+ "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ ],
+ "licenses": [
+ {
+ "bom-ref": "my-license",
+ "acknowledgement": "declared",
+ "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0",
+ "expression-texts": [
+ "license-identifier": "EPL-2.0",
+ "text": {
+ "content": "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
+ },
+ {
+ "license-identifier": "GPL-2.0 WITH Classpath-exception-2.0",
+ "text": {
+ "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
+ }
+ }
+ ]
+ }
+ ],
+ "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto new file mode 100644 index 00000000..f77ec82a --- /dev/null +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto 
@@ -0,0 +1,49 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+ type: CLASSIFICATION_APPLICATION
+ publisher: "Acme Inc"
+ group: "com.acme"
+ name: "tomcat-catalina"
+ version: "9.0.14"
+ description: "Modified version of Apache Catalina"
+ scope: SCOPE_REQUIRED
+ hashes {
+ alg: HASH_ALG_MD_5
+ value: "3942447fac867ae5cdb3229b658f4d48"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_1
+ value: "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_256
+ value: "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_512
+ value: "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ licenses {
+ bom_ref: "my-license"
+ acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+ expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+ expression_texts {
+ license_identifier: "EPL-2.0"
+ text {
+ content: "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
+ }
+ }
+ expression_texts {
+ license_identifier: "GPL-2.0 WITH Classpath-exception-2.0",
+ text: {
+ content: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
+ }
+ }
+ }
+ purl: "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+}
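Review bot: Both `expression_texts` entries spell the attachment's string field as `content:` inside `text { … }`, while the two sibling fixtures added by this commit (`valid-license-id-with-text-1.7.textproto`, `valid-license-name-with-text-1.7.textproto`) write the same block as `text { value: … }`; if AttachedText only has a `value` field, this file will not parse and cannot serve as a "valid" example, so the two lines should read `value: "Eclipse Public License - v 2.0\n\n…"` and `value: " GNU GENERAL PUBLIC LICENSE\n…"`. The second entry also departs from the first in style — a trailing comma after `license_identifier:` and a colon in `text: {` — both accepted by the text format, but worth normalising to the comma-free form used everywhere else in the file. The same comma style is carried into the later patches of this series that rewrite this block.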
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml new file mode 100644 index 00000000..f4319e3c --- /dev/null +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -0,0 +1,41 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed... + +... + +Linking this library statically or dynamically with other modules is making a combined work based on this library...]]> + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.json new file mode 100644 index 00000000..b8de60eb --- /dev/null +++ b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.json 
@@ -0,0 +1,49 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "application",
+ "publisher": "Acme Inc",
+ "group": "com.acme",
+ "name": "tomcat-catalina",
+ "version": "9.0.14",
+ "description": "Modified version of Apache Catalina",
+ "scope": "required",
+ "hashes": [
+ {
+ "alg": "MD5",
+ "content": "3942447fac867ae5cdb3229b658f4d48"
+ },
+ {
+ "alg": "SHA-1",
+ "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ },
+ {
+ "alg": "SHA-256",
+ "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ },
+ {
+ "alg": "SHA-512",
+ "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0",
+ "acknowledgement": "declared",
+ "bom-ref": "my-license",
+ "text": {
+ "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION..."
+ }
+ }
+ }
+ ],
+ "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.textproto
new file mode 100644
index 00000000..243953f9
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.textproto
@@ -0,0 +1,47 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+ type: CLASSIFICATION_APPLICATION
+ publisher: "Acme Inc"
+ group: "com.acme"
+ name: "tomcat-catalina"
+ version: "9.0.14"
+ description: "Modified version of Apache Catalina"
+ scope: SCOPE_REQUIRED
+ hashes {
+ alg: HASH_ALG_MD_5
+ value: "3942447fac867ae5cdb3229b658f4d48"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_1
+ value: "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_256
+ value: "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_512
+ value: "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ licenses {
+ license {
+ id: "Apache-2.0"
+ acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+ bom_ref: "my-license"
+ text {
+ value: """
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION..."""
+ }
+ }
+ }
+ purl: "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+}
diff --git a/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.xml
new file mode 100644
index 00000000..dce0f998
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-id-with-text-1.7.xml
@@ -0,0 +1,31 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.json new file mode 100644 index 00000000..132bd2cd --- /dev/null +++ b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.json 
@@ -0,0 +1,49 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "application",
+ "publisher": "Acme Inc",
+ "group": "com.acme",
+ "name": "tomcat-catalina",
+ "version": "9.0.14",
+ "description": "Modified version of Apache Catalina",
+ "scope": "required",
+ "hashes": [
+ {
+ "alg": "MD5",
+ "content": "3942447fac867ae5cdb3229b658f4d48"
+ },
+ {
+ "alg": "SHA-1",
+ "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ },
+ {
+ "alg": "SHA-256",
+ "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ },
+ {
+ "alg": "SHA-512",
+ "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ ],
+ "licenses": [
+ {
+ "license": {
+ "name": "My License",
+ "bom-ref": "my-license",
+ "acknowledgement": "declared",
+ "text": {
+ "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus nec turpis efficitur, ullamcorper lorem ac, fermentum nulla. Mauris a enim nunc. Aliquam diam tellus, porttitor venenatis leo in, mollis ultricies lacus. Sed sagittis hendrerit nulla, eget pulvinar diam..."
+ }
+ }
+ }
+ ],
+ "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.textproto
new file mode 100644
index 00000000..e08f682f
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.textproto
@@ -0,0 +1,42 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components {
+ type: CLASSIFICATION_APPLICATION
+ publisher: "Acme Inc"
+ group: "com.acme"
+ name: "tomcat-catalina"
+ version: "9.0.14"
+ description: "Modified version of Apache Catalina"
+ scope: SCOPE_REQUIRED
+ hashes {
+ alg: HASH_ALG_MD_5
+ value: "3942447fac867ae5cdb3229b658f4d48"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_1
+ value: "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_256
+ value: "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+ }
+ hashes {
+ alg: HASH_ALG_SHA_512
+ value: "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+ }
+ licenses {
+ license {
+ name: "My License"
+ bom_ref: "my-license"
+ acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+ text {
+ value: "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus nec turpis efficitur, ullamcorper lorem ac, fermentum nulla. Mauris a enim nunc. Aliquam diam tellus, porttitor venenatis leo in, mollis ultricies lacus. Sed sagittis hendrerit nulla, eget pulvinar diam..."
+ }
+ }
+ }
+ purl: "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+}
diff --git a/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.xml
new file mode 100644
index 00000000..4c7789d4
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-name-with-text-1.7.xml
@@ -0,0 +1,26 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + My License + + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + From 0ddab2896186ccf73a1d095e475b7db2d7cb4ac1 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 20 Feb 2025 14:20:25 +0100 Subject: [PATCH 02/26] examples: use alternative XML style see https://github.com/CycloneDX/specification/pull/599#discussion_r1963541467 Signed-off-by: Jan Kowalleck --- .../resources/1.7/valid-license-expression-with-text-1.7.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index f4319e3c..52cf1c8a 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -15,8 +15,9 @@ e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 - - EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + Date: Fri, 21 Feb 2025 15:38:36 +0100 Subject: [PATCH 03/26] tests: fix json example Signed-off-by: Jan Kowalleck --- .../1.7/valid-license-expression-with-text-1.7.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json index 5079d33b..9f17a158 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json 
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json @@ -37,9 +37,11 @@ "acknowledgement": "declared", "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", "expression-texts": [ - "license-identifier": "EPL-2.0", - "text": { - "content": "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." + { + "license-identifier": "EPL-2.0", + "text": { + "content": "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." + } }, { "license-identifier": "GPL-2.0 WITH Classpath-exception-2.0", From e97c3d3f056cbb48d36391730296abf4c4fb8b49 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 21 Feb 2025 15:47:22 +0100 Subject: [PATCH 04/26] tests: examples for license expression details as suggested in https://github.com/CycloneDX/specification/pull/599/files#r1965445439 Signed-off-by: Jan Kowalleck --- ...alid-license-expression-with-text-1.7.json | 20 +++++++++---------- ...license-expression-with-text-1.7.textproto | 13 ++++++------ 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json index 9f17a158..9726a315 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json 
@@ -36,20 +36,18 @@
 "bom-ref": "my-license",
 "acknowledgement": "declared",
 "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0",
- "expression-texts": [
- {
- "license-identifier": "EPL-2.0",
- "text": {
+ "expression-details": {
+ "texts": [
+ {
+ "license-identifier": "EPL-2.0",
 "content": "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
- }
- },
- {
- "license-identifier": "GPL-2.0 WITH Classpath-exception-2.0",
- "text": {
+ },
+ {
+ "license-identifier": "GPL-2.0 WITH Classpath-exception-2.0",
 "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
 }
- }
- ]
+ ]
+ }
 }
 ],
 "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
index f77ec82a..2d060773 100644
--- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
@@ -32,15 +32,14 @@ components { bom_ref: "my-license" acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" - expression_texts { - license_identifier: "EPL-2.0" - text { + expression_details { + texts { + license_identifier: "EPL-2.0" + content: "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." } - } - expression_texts { - license_identifier: "GPL-2.0 WITH Classpath-exception-2.0", - text: { + texts { + license_identifier: "GPL-2.0 WITH Classpath-exception-2.0", content: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." } } From cebcf7dcd209bc00b58e9a36d1ce83bb1700c833 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 21 Feb 2025 15:58:57 +0100 Subject: [PATCH 05/26] tests: extend/revisit example for expression-details Signed-off-by: Jan Kowalleck --- .../1.7/valid-license-expression-with-text-1.7.json | 7 ++++--- .../1.7/valid-license-expression-with-text-1.7.textproto | 2 +- .../1.7/valid-license-expression-with-text-1.7.xml | 4 +++- .../resources/1.7/valid-license-id-with-text-1.7.json | 1 + .../1.7/valid-license-id-with-text-1.7.textproto | 8 ++------ .../test/resources/1.7/valid-license-id-with-text-1.7.xml | 2 +- .../resources/1.7/valid-license-name-with-text-1.7.json | 1 + .../1.7/valid-license-name-with-text-1.7.textproto | 1 + .../resources/1.7/valid-license-name-with-text-1.7.xml | 2 +- 9 files changed, 15 insertions(+), 13 deletions(-) 
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json
index 9726a315..aabbc3b0 100644
--- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json
@@ -36,14 +36,15 @@
 "bom-ref": "my-license",
 "acknowledgement": "declared",
 "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0",
- "expression-details": {
+ "expressionDetails": {
 "texts": [
 {
- "license-identifier": "EPL-2.0",
+ "licenseIdentifier": "EPL-2.0",
 "content": "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
 },
 {
- "license-identifier": "GPL-2.0 WITH Classpath-exception-2.0",
+ "licenseIdentifier": "GPL-2.0 WITH Classpath-exception-2.0",
+ "contentType": "text/plain",
 "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
 }
 ]
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
index 2d060773..edf22fbb 100644
--- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
@@ -35,11 +35,11 @@ components { expression_details { texts { license_identifier: "EPL-2.0" - content: "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." } texts { license_identifier: "GPL-2.0 WITH Classpath-exception-2.0", + content_type: "text/plain", content: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." } } diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index 52cf1c8a..557bd2cb 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -23,7 +23,9 @@ THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT...]]]> - Apache-2.0 - My License - + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar From 903cb437e92131da0b58e56bcfa93ffc9e0c9e9d Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 24 Feb 2025 18:17:45 +0100 Subject: [PATCH 06/26] rework license expression lext attachments and add shema 
Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 10 ++ schema/bom-1.7.schema.json | 27 +++ schema/bom-1.7.xsd | 167 +++++++++++------- ...alid-license-expression-with-text-1.7.json | 38 ++-- ...license-expression-with-text-1.7.textproto | 30 +--- ...valid-license-expression-with-text-1.7.xml | 16 +- 6 files changed, 162 insertions(+), 126 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 2f1aaf0d..a6e7fa36 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -391,6 +391,8 @@ message LicenseChoice { optional LicenseAcknowledgementEnumeration acknowledgement = 3; // This field must only be used when "expression" is chosen as the License object has its own bom_ref. optional string bom_ref = 4; + // This field must only be used when "expression" is chosen ... TODO. + repeated ExpressionDetails expression_details = 5; } // Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license. 
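Review bot: The new `expression_details` field is documented only as `// This field must only be used when "expression" is chosen ... TODO.`, and the same placeholder recurs on `message ExpressionDetails` and `license_identifier` in the next hunk of bom-1.7.proto, as `"description": "TODO"` for `licenseIdentifier` in the bom-1.7.schema.json hunk, and in the bom-1.7.xsd documentation of the identifier element. Judging from the fixtures in this series, each entry names one term of the enclosing expression (`EPL-2.0`, `GPL-2.0 WITH Classpath-exception-2.0`) and attaches that term's text; if that is the intent, a comment such as `// Per-term details for "expression": each entry names one license (or license WITH exception) term of the expression and may carry its text. This field must only be used when "expression" is chosen.` would replace the TODO here, with the identifier described the same way in the other three places. The LicenseChoice message begins before this hunk.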
@@ -415,6 +417,14 @@ message License { optional LicenseAcknowledgementEnumeration acknowledgement = 8; } +// TODO +message ExpressionDetails { + // TODO + string license_identifier = 1; + // Specifies the optional full text of the attachment + optional AttachedText text = 3; +} + // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. enum LicenseAcknowledgementEnumeration { // The license acknowledgement is not specified. diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index e1dd5b1d..5e13978e 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
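Review bot: `ExpressionDetails` is introduced with `license_identifier = 1` and `text = 3`, leaving field number 2 unused in a brand-new message; either number `text` as `= 2` or add `reserved 2;` with a comment, so the gap is not later read as an accidentally dropped field. The comment on `text`, `Specifies the optional full text of the attachment`, describes the container rather than what it holds; `// Optional full text of the license term named by license_identifier` says what a reader needs. `license_identifier` is declared without `optional`, which agrees with the JSON schema hunk listing `licenseIdentifier` under `required`.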
@@ -1492,6 +1492,33 @@ "GPL-3.0-only WITH Classpath-exception-2.0" ] }, + "expressionDetails": { + "title": "expression details", + "type": "array", + "items": { + "type": "object", + "required": [ + "licenseIdentifier" + ], + "properties": { + "licenseIdentifier": { + "title": "License Identifier", + "description": "TODO", + "type": "string", + "examples": [ + "Apache-2.0", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + }, + "text": { + "title": "License texts", + "description": "An optional way to include the textual content of licenses.", + "$ref": "#/definitions/attachment" + } + }, + "additionalProperties": false + } + }, "acknowledgement": { "$ref": "#/definitions/licenseAcknowledgementEnumeration" }, diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index ae468665..a1037090 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd 
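Review bot: `text` is titled `"License texts"` although each `expressionDetails` item carries exactly one attachment; `"title": "License text"` matches the cardinality. If this schema still declares draft-07 (its `$schema` line is outside the hunk), `title` and `description` written beside `$ref` are ignored by conforming validators, so the wording on `text` would only be honoured if the `$ref` is wrapped (`"allOf": [{ "$ref": "#/definitions/attachment" }]`) or the description is moved onto the item object. The array itself has no `description`, and nothing in the hunk confines it to the `expression` branch of the enclosing choice, whereas the bom-1.7.proto hunk of this commit states the field must only be used with `expression`; if the surrounding `oneOf` branches (outside the hunk) do not already do so, the `license` branch should reject it. The enclosing definition starts before and ends after the hunk.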
@@ -761,6 +761,34 @@ limitations under the License. + + + + + An optional identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + Declared licenses and concluded licenses represent two different stages in the + licensing process within software development. Declared licenses refer to the + initial intention of the software authors regarding the licensing terms under + which their code is released. On the other hand, concluded licenses are the + result of a comprehensive analysis of the project's codebase to identify and + confirm the actual licenses of the components used, which may differ from the + initially declared licenses. While declared licenses provide an upfront indication + of the licensing intentions, concluded licenses offer a more thorough understanding + of the actual licensing within a project, facilitating proper compliance and risk + management. Observed licenses are defined in `evidence.licenses`. Observed licenses + form the evidence necessary to substantiate a concluded license. + + + + + Specifies the details and attributes related to a software license. 
@@ -935,31 +963,77 @@ limitations under the License. - - - - An optional identifier which can be used to reference the license elsewhere in the BOM. - Uniqueness is enforced within all elements and children of the root-level bom element. - - - - - - - Declared licenses and concluded licenses represent two different stages in the - licensing process within software development. Declared licenses refer to the - initial intention of the software authors regarding the licensing terms under - which their code is released. On the other hand, concluded licenses are the - result of a comprehensive analysis of the project's codebase to identify and - confirm the actual licenses of the components used, which may differ from the - initially declared licenses. While declared licenses provide an upfront indication - of the licensing intentions, concluded licenses offer a more thorough understanding - of the actual licensing within a project, facilitating proper compliance and risk - management. Observed licenses are defined in `evidence.licenses`. Observed licenses - form the evidence necessary to substantiate a concluded license. - - - + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + + + + + + + Specifies the optional full text of the attachment + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + TODO + + Examples: + - Apache-2.0 + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + 
@@ -2299,48 +2373,7 @@ limitations under the License. - - - A valid SPDX license expression. - Refer to https://spdx.org/specifications for syntax requirements - - Example values: - - Apache-2.0 AND (MIT OR GPL-2.0-only) - - GPL-3.0-only WITH Classpath-exception-2.0 - - - - - - - - - An optional identifier which can be used to reference the license elsewhere in the BOM. - Uniqueness is enforced within all elements and children of the root-level bom element. - - - - - - - Declared licenses and concluded licenses represent two different stages in the - licensing process within software development. Declared licenses refer to the - initial intention of the software authors regarding the licensing terms under - which their code is released. On the other hand, concluded licenses are the - result of a comprehensive analysis of the project's codebase to identify and - confirm the actual licenses of the components used, which may differ from the - initially declared licenses. While declared licenses provide an upfront indication - of the licensing intentions, concluded licenses offer a more thorough understanding - of the actual licensing within a project, facilitating proper compliance and risk - management. Observed licenses are defined in `evidence.licenses`. Observed licenses - form the evidence necessary to substantiate a concluded license. - - - - - - - + diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json index aabbc3b0..fa4a8b92 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json 
@@ -13,42 +13,26 @@
 "version": "9.0.14",
 "description": "Modified version of Apache Catalina",
 "scope": "required",
- "hashes": [
- {
- "alg": "MD5",
- "content": "3942447fac867ae5cdb3229b658f4d48"
- },
- {
- "alg": "SHA-1",
- "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
- },
- {
- "alg": "SHA-256",
- "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
- },
- {
- "alg": "SHA-512",
- "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
- }
- ],
 "licenses": [
 {
 "bom-ref": "my-license",
 "acknowledgement": "declared",
 "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0",
- "expressionDetails": {
- "texts": [
- {
- "licenseIdentifier": "EPL-2.0",
+ "expressionDetails": [
+ {
+ "licenseIdentifier": "EPL-2.0",
+ "text": {
 "content": "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
- },
- {
- "licenseIdentifier": "GPL-2.0 WITH Classpath-exception-2.0",
+ }
+ },
+ {
+ "licenseIdentifier": "GPL-2.0 WITH Classpath-exception-2.0",
+ "text": {
 "contentType": "text/plain",
 "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
 }
- ]
- }
+ }
+ ]
 }
 ],
 "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
index edf22fbb..e6b14573 100644
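Review bot: The fixture's `expression` (`EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0`) and the second `licenseIdentifier` use `GPL-2.0`, an identifier the SPDX license list marks as deprecated in favour of `GPL-2.0-only` / `GPL-2.0-or-later`; a validator that rejects deprecated identifiers would fail a fixture named `valid-…`. Unless exercising a deprecated identifier is the intent, use `GPL-2.0-only WITH Classpath-exception-2.0` in both places, and in the textproto and XML fixtures of this commit that carry the same value. Dropping the `hashes` array is unrelated to the license-text change and narrows what the fixture covers; if that was not deliberate, keep it.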
--- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto 
@@ -12,35 +12,21 @@ components { version: "9.0.14" description: "Modified version of Apache Catalina" scope: SCOPE_REQUIRED - hashes { - alg: HASH_ALG_MD_5 - value: "3942447fac867ae5cdb3229b658f4d48" - } - hashes { - alg: HASH_ALG_SHA_1 - value: "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" - } - hashes { - alg: HASH_ALG_SHA_256 - value: "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" - } - hashes { - alg: HASH_ALG_SHA_512 - value: "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" - } licenses { bom_ref: "my-license" acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" expression_details { - texts { - license_identifier: "EPL-2.0" - content: "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." + license_identifier: "EPL-2.0" + text { + value: "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." } - texts { - license_identifier: "GPL-2.0 WITH Classpath-exception-2.0", + } + expression_details { + license_identifier: "GPL-2.0 WITH Classpath-exception-2.0", + text { content_type: "text/plain", - content: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." 
+ value: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." } } } diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index 557bd2cb..05efba46 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -8,24 +8,19 @@ 9.0.14 Modified version of Apache Catalina required - - 3942447fac867ae5cdb3229b658f4d48 - e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a - f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b - e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 - - + - +
+ +
pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar From 59c9a1f74d67e39ce39f84f441a580de1c4b8cf7 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 24 Feb 2025 21:38:03 +0100 Subject: [PATCH 07/26] ework license expression lext attachments and add shema Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 16 ++- schema/bom-1.7.xsd | 119 +++++++++--------- ...license-expression-with-text-1.7.textproto | 28 +++-- ...valid-license-expression-with-text-1.7.xml | 6 +- 4 files changed, 91 insertions(+), 78 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index a6e7fa36..92249282 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -386,13 +386,13 @@ message LicenseChoice { License license = 1; // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements string expression = 2; + // TODO + ExpressionDetailed expression_detailed = 5; } // This field must only be used when "expression" is chosen as the License object has its own acknowledgement. optional LicenseAcknowledgementEnumeration acknowledgement = 3; // This field must only be used when "expression" is chosen as the License object has its own bom_ref. optional string bom_ref = 4; - // This field must only be used when "expression" is chosen ... TODO. - repeated ExpressionDetails expression_details = 5; } // Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license. 
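Review bot: `ExpressionDetailed expression_detailed = 5;` inside `oneof choice` reuses the tag number that this same hunk removes from `repeated ExpressionDetails expression_details = 5;`, with a different message type. Both are length-delimited on the wire, so a message written by a pre-release 1.7 producer would not be rejected but, as far as I can tell from the definitions in the next hunk, decoded as an `ExpressionDetailed` whose field 1 (`expression`) silently receives the old `license_identifier` string. If any such producers exist, add `reserved 5;` to `LicenseChoice` and give the new field the next free number; if 1.7 has never been published in this shape, a one-line comment noting the intentional reuse is enough.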
@@ -417,12 +417,22 @@ message License { optional LicenseAcknowledgementEnumeration acknowledgement = 8; } +message ExpressionDetailed { + // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements + string expression = 1; + optional string bom_ref = 2; + // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. + optional LicenseAcknowledgementEnumeration acknowledgement = 3; + // TODO + repeated ExpressionDetails details = 4; +} + // TODO message ExpressionDetails { // TODO string license_identifier = 1; // Specifies the optional full text of the attachment - optional AttachedText text = 3; + optional AttachedText text = 2; } // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. 
While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index a1037090..6a6c7427 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -966,74 +966,74 @@ limitations under the License.
- - - - - - A valid SPDX license expression. - Refer to https://spdx.org/specifications for syntax requirements + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements - Example values: - - Apache-2.0 AND (MIT OR GPL-2.0-only) - - GPL-3.0-only WITH Classpath-exception-2.0 - - - - - - - - - - - - Specifies the optional full text of the attachment - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - TODO + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + - Examples: - - Apache-2.0 - - GPL-3.0-only WITH Classpath-exception-2.0 - - - - - - + + + + + + + + Specifies the optional full text of the attachment + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + - Allows any undeclared elements as long as the elements are placed in a different namespace. + TODO + + Examples: + - Apache-2.0 + - GPL-3.0-only WITH Classpath-exception-2.0 - - - + + + + - A valid SPDX license expression. - Refer to https://spdx.org/specifications for syntax requirements - - Example values: - - Apache-2.0 AND (MIT OR GPL-2.0-only) - - GPL-3.0-only WITH Classpath-exception-2.0 + + Allows any undeclared elements as long as the elements are placed in a different namespace. - - - + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + @@ -2373,7 +2373,8 @@ limitations under the License. - + + diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto index e6b14573..17476ea1 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto 
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto 
@@ -13,20 +13,22 @@ components { description: "Modified version of Apache Catalina" scope: SCOPE_REQUIRED licenses { - bom_ref: "my-license" - acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED - expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" - expression_details { - license_identifier: "EPL-2.0" - text { - value: "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." + expression_detailed { + bom_ref: "my-license" + acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED + expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" + details { + license_identifier: "EPL-2.0" + text { + value: "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." + } } - } - expression_details { - license_identifier: "GPL-2.0 WITH Classpath-exception-2.0", - text { - content_type: "text/plain", - value: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." 
+ details { + license_identifier: "GPL-2.0 WITH Classpath-exception-2.0", + text { + content_type: "text/plain", + value: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." + } } } } diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index 05efba46..89f6a1f2 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -9,8 +9,8 @@ Modified version of Apache Catalina required -
-
+
pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar From ee671a87f915ed0e2c4ba4048a748c1928397f1e Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 25 Feb 2025 11:30:09 +0100 Subject: [PATCH 08/26] rename xml Signed-off-by: Jan Kowalleck --- schema/bom-1.7.xsd | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 6a6c7427..b0b04daf 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -966,7 +966,7 @@ limitations under the License.
- + @@ -983,7 +983,7 @@ limitations under the License. - + @@ -2373,8 +2373,8 @@ limitations under the License. - - + + From 5995a6d11234f6bee4278ea750924d8febea81cf Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 25 Feb 2025 11:32:28 +0100 Subject: [PATCH 09/26] docs: proto Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 92249282..f570870d 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -420,6 +420,7 @@ message License { message ExpressionDetailed { // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements string expression = 1; + // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 2; // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. optional LicenseAcknowledgementEnumeration acknowledgement = 3; From 7701a10d98e34e69195071051c148c158bc26311 Mon Sep 17 00:00:00 2001 
From: Jan Kowalleck Date: Tue, 25 Feb 2025 11:35:53 +0100 Subject: [PATCH 10/26] struct proto Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index f570870d..5d914786 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -418,6 +418,14 @@ message License { } message ExpressionDetailed { + // TODO + message ExpressionDetails { + // TODO + string license_identifier = 1; + // Specifies the optional full text of the attachment + optional AttachedText text = 2; + } + // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements string expression = 1; // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. 
@@ -428,14 +436,6 @@ message ExpressionDetailed { repeated ExpressionDetails details = 4; } -// TODO -message ExpressionDetails { - // TODO - string license_identifier = 1; - // Specifies the optional full text of the attachment - optional AttachedText text = 2; -} - // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. enum LicenseAcknowledgementEnumeration { // The license acknowledgement is not specified. From 561c8dd4a494f98cbc7abde8035759cc88f070bf Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 25 Feb 2025 12:02:08 +0100 Subject: [PATCH 11/26] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 23 ++++++++++++++++------- schema/bom-1.7.schema.json | 8 +++++--- schema/bom-1.7.xsd | 22 +++++++++++++++++----- 3 files changed, 38 insertions(+), 15 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 5d914786..b2785ea4 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
@@ -384,14 +384,14 @@ message LicenseChoice { oneof choice { // A license License license = 1; - // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements + // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements. string expression = 2; // TODO ExpressionDetailed expression_detailed = 5; } - // This field must only be used when "expression" is chosen as the License object has its own acknowledgement. + // This field must only be used when `expression` is chosen as the other options have their own acknowledgement. optional LicenseAcknowledgementEnumeration acknowledgement = 3; - // This field must only be used when "expression" is chosen as the License object has its own bom_ref. + // This field must only be used when `expression` is chosen as the other options have their own bom_ref. optional string bom_ref = 4; } 
@@ -417,22 +417,31 @@ message License { optional LicenseAcknowledgementEnumeration acknowledgement = 8; } +// Specifies the details and attributes related to a software license. It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. message ExpressionDetailed { - // TODO + + // Specifies the details and attributes related to a software license identifier. + // (An SPDX expression may be a compound of license identifiers.) message ExpressionDetails { - // TODO + // A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. + // Example values: + // - "Apache-2.0", + // - "GPL-3.0-only WITH Classpath-exception-2.0" string license_identifier = 1; // Specifies the optional full text of the attachment optional AttachedText text = 2; } - // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements + // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements. + // Example values: + // - "Apache-2.0 AND (MIT OR GPL-2.0-only)", + // - "GPL-3.0-only WITH Classpath-exception-2.0" string expression = 1; // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 2; // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. 
While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
 optional LicenseAcknowledgementEnumeration acknowledgement = 3;
- // TODO
+ // Details for parts of the `expression`.
 repeated ExpressionDetails details = 4;
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 5e13978e..c1cef868 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -1486,24 +1486,26 @@
 "expression": {
 "type": "string",
 "title": "SPDX License Expression",
- "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements",
+ "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.",
 "examples": [
 "Apache-2.0 AND (MIT OR GPL-2.0-only)",
 "GPL-3.0-only WITH Classpath-exception-2.0"
 ]
 },
 "expressionDetails": {
- "title": "expression details",
+ "title": "Expression Details",
+ "description": "Details for parts of the `expression`.",
 "type": "array",
 "items": {
 "type": "object",
+ "description": "Specifies the details and attributes related to a software license identifier.\n(An SPDX expression may be a compound of license identifiers.)",
 "required": [
 "licenseIdentifier"
 ],
 "properties": {
 "licenseIdentifier": {
 "title": "License Identifier",
- "description": "TODO",
+ "description": "A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.",
 "type": "string",
 "examples": [
 "Apache-2.0",
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index b0b04daf..0710bb96 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
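Review bot: The new comment on `details` (`// Details for parts of the \`expression\`.`) does not say how an entry relates to the expression, so nothing tells a consumer what to make of a `license_identifier` that does not occur in `expression` — for instance a text attached under `MIT` on a component whose expression is `GPL-3.0-only`. I would extend it to `// Details for parts of the \`expression\`. Each entry's \`license_identifier\` must be a license identifier (optionally with its WITH exception) that occurs in \`expression\`; entries that do not occur there carry no meaning.` The `ExpressionDetails` doc calls the key a "license identifier" while its own example `GPL-3.0-only WITH Classpath-exception-2.0` is, in SPDX terms, a simple expression with an exception rather than a bare identifier, so the wording should state explicitly that a `WITH` clause is permitted. The same relationship is missing from the `expressionDetails` description in the JSON schema hunk on this line.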
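Review bot: The item object for `expressionDetails` shows `"type": "object"`, `"required"` and `"properties"` but no `"additionalProperties": false` inside the hunk, while the enclosing license-expression object in this schema is closed (the later hunk at `@@ -1479,6 +1479,8 @@` shows its `"additionalProperties": false`). An open item object would let unknown keys — including `texts`, the shape this series replaced — pass validation silently. If it is not already set after the `properties` block outside the hunk, add `"additionalProperties": false` to the item object.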
@@ -971,7 +971,7 @@ limitations under the License. A valid SPDX license expression. - Refer to https://spdx.org/specifications for syntax requirements + Refer to https://spdx.org/specifications for syntax requirements. Example values: - Apache-2.0 AND (MIT OR GPL-2.0-only) @@ -984,9 +984,21 @@ limitations under the License. + + Specifies the details and attributes related to a software license. It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. + + + Details for parts of the `expression`. + + + + Specifies the details and attributes related to a software license identifier. + (An SPDX expression may be a compound of license identifiers.) + + @@ -1004,10 +1016,10 @@ limitations under the License. - TODO + A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. - Examples: - - Apache-2.0 + Example values: + - Apache-2.0" - GPL-3.0-only WITH Classpath-exception-2.0 @@ -1026,7 +1038,7 @@ limitations under the License. A valid SPDX license expression. - Refer to https://spdx.org/specifications for syntax requirements + Refer to https://spdx.org/specifications for syntax requirements. Example values: - Apache-2.0 AND (MIT OR GPL-2.0-only) From 0dc34e0eac4e6e089005911a8df4cdbdbb0eb059 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 25 Feb 2025 12:06:46 +0100 Subject: [PATCH 12/26] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index b2785ea4..04150f1f 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
@@ -386,7 +386,7 @@ message LicenseChoice {
 License license = 1;
 // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements.
 string expression = 2;
- // TODO
+ // A SPDX license expression and its details
 ExpressionDetailed expression_detailed = 5;
 }
 // This field must only be used when `expression` is chosen as the other options have their own acknowledgement.
From c16b24a6be3a02ab830291471c46c68dadeef7a7 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 26 Feb 2025 08:03:06 +0100 Subject: [PATCH 13/26] docs: SPDX expression examplefor `LicenseRef-` Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 1 + schema/bom-1.7.schema.json | 3 ++- schema/bom-1.7.xsd | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 04150f1f..9e832033 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -427,6 +427,7 @@ message ExpressionDetailed {
 // Example values:
 // - "Apache-2.0",
 // - "GPL-3.0-only WITH Classpath-exception-2.0"
+ // - "LicenseRef-my-custom-license"
 string license_identifier = 1;
 // Specifies the optional full text of the attachment
 optional AttachedText text = 2;
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index c1cef868..252817c8 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -1509,7 +1509,8 @@
 "type": "string",
 "examples": [
 "Apache-2.0",
- "GPL-3.0-only WITH Classpath-exception-2.0"
+ "GPL-3.0-only WITH Classpath-exception-2.0",
+ "LicenseRef-my-custom-license"
 ]
 },
 "text": {
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index 0710bb96..6830ecfb 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -1019,8 +1019,9 @@ limitations under the License.
 A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.
 Example values:
- - Apache-2.0"
+ - Apache-2.0
 - GPL-3.0-only WITH Classpath-exception-2.0
+ - LicenseRef-my-custom-license
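Review bot: Listing `LicenseRef-my-custom-license` as an example changes what `text` means for such an entry: a `LicenseRef-` identifier is defined only by the document that uses it, so the attached `text` is the only place a consumer can learn the terms, whereas for license-list identifiers it is merely a convenience copy. The comment on `text` (`// Specifies the optional full text of the attachment`, context in this hunk) should say so, e.g. `// An optional copy of the license text. For \`LicenseRef-\` identifiers, which are not on the SPDX license list, this is the only definition of the license, so producers should supply it.` The corresponding `text` documentation in the JSON schema and XSD should carry the same sentence.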
From 7c491251636beb2adabdb00dfb8ff22ef26a22b3 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 26 Feb 2025 08:12:59 +0100 Subject: [PATCH 14/26] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 2 +- schema/bom-1.7.schema.json | 2 +- schema/bom-1.7.xsd | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 9e832033..7cf6876a 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -429,7 +429,7 @@ message ExpressionDetailed {
 // - "GPL-3.0-only WITH Classpath-exception-2.0"
 // - "LicenseRef-my-custom-license"
 string license_identifier = 1;
- // Specifies the optional full text of the attachment
+ // An optional way to include the textual content of the license.
 optional AttachedText text = 2;
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 252817c8..34cb454e 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -1515,7 +1515,7 @@
 },
 "text": {
 "title": "License texts",
- "description": "An optional way to include the textual content of licenses.",
+ "description": "An optional way to include the textual content of the license.",
 "$ref": "#/definitions/attachment"
 }
 },
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index 6830ecfb..0025f05e 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -1002,7 +1002,7 @@ limitations under the License.
- Specifies the optional full text of the attachment
+ An optional way to include the textual content of the license.
From 267ef6d5267892429d8a8f6193be556b878b542e Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 26 Feb 2025 08:29:21 +0100 Subject: [PATCH 15/26] style Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 3 ++- schema/bom-1.7.schema.json | 2 +- schema/bom-1.7.xsd | 13 +++++++------ 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 7cf6876a..74f53d71 100644
--- a/schema/bom-1.7.proto
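Review bot: `"title": "License texts"` stays plural while the description this hunk rewrites now speaks of "the license" in the singular, and the property is a single `attachment` rather than an array; `"title": "License text"` would match. The proto and XSD hunks of this commit already word the same field in the singular.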
+++ b/schema/bom-1.7.proto
@@ -424,6 +424,7 @@ message ExpressionDetailed {
 // (An SPDX expression may be a compound of license identifiers.)
 message ExpressionDetails {
 // A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.
+ // This field serves as the primary key, which uniquely identifies each record.
 // Example values:
 // - "Apache-2.0",
 // - "GPL-3.0-only WITH Classpath-exception-2.0"
@@ -442,7 +443,7 @@ message ExpressionDetailed {
 optional string bom_ref = 2;
 // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
 optional LicenseAcknowledgementEnumeration acknowledgement = 3;
- // Details for parts of the `expression`.
+ // Details for parts of the `expression`. The field `details.license_identifier` serves as the primary key, which uniquely identifies each record.
 repeated ExpressionDetails details = 4;
 }
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 34cb454e..c44c037b 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
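Review bot: The added comments declare `license_identifier` a primary key (`// This field serves as the primary key, which uniquely identifies each record.`), but neither `repeated` in proto nor the array in the JSON schema and XSD hunks of this commit (on the following line) can enforce uniqueness, so two `details` entries with the same identifier and different texts are schema-valid, and different consumers may keep the first, the last, or both — a classic source of tool-to-tool disagreement about what a document says. State the intended behaviour next to the key claim, e.g. `// Duplicate \`license_identifier\` values within \`details\` are invalid; consumers should treat such a document as malformed rather than pick one entry.` In the JSON schema, `"uniqueItems": true` on the `expressionDetails` array would at least reject exact duplicates, though not two entries that differ only in `text`.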
@@ -1505,7 +1505,7 @@ "properties": { "licenseIdentifier": { "title": "License Identifier", - "description": "A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.", + "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", "type": "string", "examples": [ "Apache-2.0", diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 0025f05e..2b1415c0 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -1017,6 +1017,7 @@ limitations under the License. A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. + This attribute serves as the primary key, which uniquely identifies each record. Example values: - Apache-2.0 @@ -1028,12 +1029,12 @@ limitations under the License. - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + From 85e903d2f9b0cce525101ad18899a251d73f5370 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 27 Feb 2025 12:18:51 +0100 Subject: [PATCH 16/26] refactor: rename and docs Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 7 ++++--- schema/bom-1.7.schema.json | 2 ++ schema/bom-1.7.xsd | 13 ++++++++----- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 74f53d71..1f781dec 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
@@ -387,7 +387,7 @@ message LicenseChoice { // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements. string expression = 2; // A SPDX license expression and its details - ExpressionDetailed expression_detailed = 5; + LicenseExpressionDetailed expression_detailed = 5; } // This field must only be used when `expression` is chosen as the other options have their own acknowledgement. optional LicenseAcknowledgementEnumeration acknowledgement = 3; @@ -417,8 +417,9 @@ message License { optional LicenseAcknowledgementEnumeration acknowledgement = 8; } -// Specifies the details and attributes related to a software license. It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. -message ExpressionDetailed { +// Specifies the details and attributes related to a software license. +// It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. +message LicenseExpressionDetailed { // Specifies the details and attributes related to a software license identifier. // (An SPDX expression may be a compound of license identifiers.) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index c44c037b..8f7f7e65 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -1479,6 +1479,8 @@ "minItems": 1, "maxItems": 1, "items": [{ + "title": "License Expression", + "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", "type": "object", "additionalProperties": false, "required": ["expression"], diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 2b1415c0..61c65109 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -966,7 +966,7 @@ limitations under the License. - + 
@@ -983,9 +983,12 @@ limitations under the License. - + - Specifies the details and attributes related to a software license. It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. + + Specifies the details and attributes related to a software license. + It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. + @@ -2387,8 +2390,8 @@ limitations under the License. - - + + From 714813cb4205588bd1578e84047dd208a9b3e456 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 27 Feb 2025 12:22:41 +0100 Subject: [PATCH 17/26] licenseexpression details bom-ref Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 4 +++- schema/bom-1.7.schema.json | 5 +++++ schema/bom-1.7.xsd | 8 ++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 1f781dec..7bf18ab6 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -431,8 +431,10 @@ message LicenseExpressionDetailed { // - "GPL-3.0-only WITH Classpath-exception-2.0" // - "LicenseRef-my-custom-license" string license_identifier = 1; + // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 2; // An optional way to include the textual content of the license. - optional AttachedText text = 2; + optional AttachedText text = 3; } // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements. diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 8f7f7e65..44bd1bc2 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
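Review bot: Inserting `optional string bom_ref = 2;` renumbers the existing `text` field from 2 to 3, which changes the wire encoding of `ExpressionDetails`; that is only harmless because `text = 2` was introduced earlier in this same unreleased series, and any pre-release producer/consumer pair built in between would silently misparse. If matching the field order of other messages is not a requirement, keeping `optional AttachedText text = 2;` and appending `optional string bom_ref = 3;` avoids the renumbering. The enclosing message starts outside the hunk.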
@@ -1515,6 +1515,11 @@ "LicenseRef-my-custom-license" ] }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, "text": { "title": "License texts", "description": "An optional way to include the textual content of the license.", diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 61c65109..891f84fc 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -1029,6 +1029,14 @@ limitations under the License. + + + + An optional identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + From 6aa6fba5c540d1650770b0ace2d0a9ef91a56ea9 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 27 Feb 2025 12:42:03 +0100 Subject: [PATCH 18/26] tests: examples Signed-off-by: Jan Kowalleck --- ...alid-license-expression-with-text-1.7.json | 34 +++++++++++----- ...license-expression-with-text-1.7.textproto | 32 ++++++++++----- ...valid-license-expression-with-text-1.7.xml | 39 ++++++++++++++----- 3 files changed, 77 insertions(+), 28 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json index fa4a8b92..772269e5 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json 
@@ -2,23 +2,26 @@ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.7", - "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "serialNumber": "urn:uuid:8ad91ceb-1741-4d58-8d22-4488a0f68dbe", "version": 1, "components": [ { "type": "application", - "publisher": "Acme Inc", - "group": "com.acme", - "name": "tomcat-catalina", - "version": "9.0.14", - "description": "Modified version of Apache Catalina", - "scope": "required", + "name": "my-application", + "version": "1.33.7", + "description": "This application is composed of multiple things, and therefore has multiple licenses applied:\n* custom code - custom license\n* component A - EPL or GPL\n* component B - MIT\n* component C - MIT", "licenses": [ { "bom-ref": "my-license", "acknowledgement": "declared", - "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", + "expression": "LicenseRef-my-custom-license AND (EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0) AND MIT", "expressionDetails": [ + { + "licenseIdentifier": "LicenseRef-my-custom-license", + "text": { + "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." + } + }, { "licenseIdentifier": "EPL-2.0", "text": { 
@@ -31,11 +34,22 @@ "contentType": "text/plain", "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." } + }, + { + "licenseIdentifier": "MIT", + "text": { + "content": "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),..." + } + }, + { + "licenseIdentifier": "MIT", + "text": { + "content": "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),..." + } } ] } - ], - "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar" + ] } ] } diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto index 17476ea1..e6adc990 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto 
@@ -3,20 +3,23 @@ spec_version: "1.7" version: 1 -serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +serial_number: "urn:uuid:8ad91ceb-1741-4d58-8d22-4488a0f68dbe" components { type: CLASSIFICATION_APPLICATION - publisher: "Acme Inc" - group: "com.acme" - name: "tomcat-catalina" - version: "9.0.14" - description: "Modified version of Apache Catalina" - scope: SCOPE_REQUIRED + name: "my-application" + version: "1.33.7" + description: "This application is composed of multiple things, and therefore has multiple licenses applied:\n* custom code - custom license\n* component A - EPL or GPL\n* component B - MIT\n* component C - MIT" licenses { expression_detailed { bom_ref: "my-license" acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED - expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" + expression: "LicenseRef-my-custom-license AND (EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0) AND MIT" + details { + license_identifier: "LicenseRef-my-custom-license" + text { + value: "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." + } + } details { license_identifier: "EPL-2.0" text { 
@@ -30,7 +33,18 @@ components { value: " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." } } + details { + license_identifier: "MIT" + text { + value: "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),..." + } + } + details { + license_identifier: "MIT" + text { + value: "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),..." + } + } } } - purl: "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar" } diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index 89f6a1f2..d6346c03 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -1,17 +1,23 @@ - + - Acme Inc - com.acme - tomcat-catalina - 9.0.14 - Modified version of Apache Catalina - required + my-application + 1.33.7 + + This application is composed of multiple things, and therefore has multiple licenses applied: + * custom code - custom license + * component A - EPL or GPL + * component B - MIT + * component C - MIT + +
+ Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. +
+
+ +
+
+ +
- pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar
From d1f83ff1a04cfab363fef887b7278fcb2099fb04 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 27 Feb 2025 12:45:13 +0100 Subject: [PATCH 19/26] tests: examples Signed-off-by: Jan Kowalleck --- .../1.7/valid-license-expression-with-text-1.7.json | 4 ++-- .../valid-license-expression-with-text-1.7.textproto | 4 ++-- .../1.7/valid-license-expression-with-text-1.7.xml | 11 +++++++++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json index 772269e5..73511fd2 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json 
@@ -38,13 +38,13 @@ { "licenseIdentifier": "MIT", "text": { - "content": "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),..." + "content": "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." } }, { "licenseIdentifier": "MIT", "text": { - "content": "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),..." + "content": "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." } } ] diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto index e6adc990..da30df57 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto 
@@ -36,13 +36,13 @@ components { details { license_identifier: "MIT" text { - value: "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),..." + value: "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." } } details { license_identifier: "MIT" text { - value: "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),..." + value: "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." } } } diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index d6346c03..f41c18c6 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml 
@@ -44,7 +44,10 @@ Linking this library statically or dynamically with other modules is making a co Copyright (c) 1996 Component-B-Creators Inc. Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"),...]]> +of this software and associated documentation files (the "Software"),... + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software...]]>
+of this software and associated documentation files (the "Software"),... + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software... +]]>
From add2dc14dc19290deab45ddff922399ff17f8bc2 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 27 Feb 2025 12:47:50 +0100 Subject: [PATCH 20/26] tests: examples Signed-off-by: Jan Kowalleck --- .../resources/1.7/valid-license-expression-with-text-1.7.json | 2 ++ .../1.7/valid-license-expression-with-text-1.7.textproto | 2 ++ .../resources/1.7/valid-license-expression-with-text-1.7.xml | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json index 73511fd2..6fe1b5f9 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json @@ -37,12 +37,14 @@ }, { "licenseIdentifier": "MIT", + "bom-ref": "LicenseDetails-component-C", "text": { "content": "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." } }, { "licenseIdentifier": "MIT", + "bom-ref": "LicenseDetails-component-C", "text": { "content": "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." } diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto index da30df57..93846413 100644 
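Review bot: Both MIT entries in the JSON fixture receive the same value `"bom-ref": "LicenseDetails-component-C"`, while the textproto changed in the same commit gives the first one `LicenseDetails-component-B`; the bom-ref description added to the schema earlier in this series says every bom-ref must be unique within the BOM, so a fixture named `valid-…` now carries a duplicate reference (whether the test tooling actually enforces uniqueness I cannot tell from the diff). The first entry should read `"bom-ref": "LicenseDetails-component-B"`. The XML hunk's element markup did not survive extraction, so I cannot check whether that file has the same copy-paste slip.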
--- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto @@ -35,12 +35,14 @@ components { } details { license_identifier: "MIT" + bom_ref: "LicenseDetails-component-B" text { value: "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." } } details { license_identifier: "MIT" + bom_ref: "LicenseDetails-component-C" text { value: "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." } diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index f41c18c6..635352ba 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -38,7 +38,7 @@ Linking this library statically or dynamically with other modules is making a combined work based on this library...]]> -
+
-
+
Date: Thu, 27 Feb 2025 12:48:53 +0100 Subject: [PATCH 21/26] tests: examples Signed-off-by: Jan Kowalleck --- .../resources/1.7/valid-license-expression-with-text-1.7.json | 2 +- .../1.7/valid-license-expression-with-text-1.7.textproto | 2 +- .../resources/1.7/valid-license-expression-with-text-1.7.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json index 6fe1b5f9..706a0ab1 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json @@ -12,7 +12,7 @@ "description": "This application is composed of multiple things, and therefore has multiple licenses applied:\n* custom code - custom license\n* component A - EPL or GPL\n* component B - MIT\n* component C - MIT", "licenses": [ { - "bom-ref": "my-license", + "bom-ref": "my-application-license", "acknowledgement": "declared", "expression": "LicenseRef-my-custom-license AND (EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0) AND MIT", "expressionDetails": [ diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto index 93846413..2519c938 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto 
@@ -11,7 +11,7 @@ components { description: "This application is composed of multiple things, and therefore has multiple licenses applied:\n* custom code - custom license\n* component A - EPL or GPL\n* component B - MIT\n* component C - MIT" licenses { expression_detailed { - bom_ref: "my-license" + bom_ref: "my-application-license" acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED expression: "LicenseRef-my-custom-license AND (EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0) AND MIT" details { diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index 635352ba..e4275a16 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -12,7 +12,7 @@ * component C - MIT -
From b2c5ca52e1d53fd40c1b043b3ee10b4e83d4bf2a Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 27 Feb 2025 16:04:47 +0100 Subject: [PATCH 22/26] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 3 ++- schema/bom-1.7.schema.json | 2 +- schema/bom-1.7.xsd | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 7bf18ab6..e59d58fa 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -423,6 +423,7 @@ message LicenseExpressionDetailed { // Specifies the details and attributes related to a software license identifier. // (An SPDX expression may be a compound of license identifiers.) + // The field `license_identifier` serves as the key which identifies each record. The key is not meant to be unique, as one and the same license identifier could apply to multiple, different but similar license details, texts, etc. message ExpressionDetails { // A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. // This field serves as the primary key, which uniquely identifies each record. 
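Review bot: The new message-level comment says the key "is not meant to be unique", while the context line directly below it, `// This field serves as the primary key, which uniquely identifies each record.`, still states the opposite; two contradictory statements in the same message will mislead implementers deciding whether `details` must be de-duplicated. Drop or reword the field-level line, e.g. `// This field serves as the key of the record; it is not required to be unique.` The rewrite in PATCH 23 keeps that field comment as context and so inherits the contradiction, and the JSON Schema `licenseIdentifier` description from PATCH 15 ("serves as the primary key, which uniquely identifies each record") presumably needs the same correction.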
@@ -446,7 +447,7 @@ message LicenseExpressionDetailed { optional string bom_ref = 2; // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. optional LicenseAcknowledgementEnumeration acknowledgement = 3; - // Details for parts of the `expression`. The field `details.license_identifier` serves as the primary key, which uniquely identifies each record. + // Details for parts of the `expression`. repeated ExpressionDetails details = 4; } diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 44bd1bc2..bf0fdfd1 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
@@ -1500,7 +1500,7 @@ "type": "array", "items": { "type": "object", - "description": "Specifies the details and attributes related to a software license identifier.\n(An SPDX expression may be a compound of license identifiers.)", + "description": "Specifies the details and attributes related to a software license identifier.\n(An SPDX expression may be a compound of license identifiers.)\nThe property `licenseIdentifier` serves as the key which identifies each record. The key is not meant to be unique, as one and the same license identifier could apply to multiple, different but similar license details, texts, etc.", "required": [ "licenseIdentifier" ], diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 891f84fc..88694b01 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -1000,6 +1000,7 @@ limitations under the License. Specifies the details and attributes related to a software license identifier. (An SPDX expression may be a compound of license identifiers.) + The attribute `license-identifier` serves as the key which identifies each record. The key is not meant to be unique, as one and the same license identifier could apply to multiple, different but similar license details, texts, etc. From 41fc9b234cae71fcf627429a89e143e6296ac134 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 27 Feb 2025 16:09:24 +0100 Subject: [PATCH 23/26] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 5 ++--- schema/bom-1.7.schema.json | 2 +- schema/bom-1.7.xsd | 5 ++--- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index e59d58fa..d069aa89 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
@@ -421,9 +421,8 @@ message License { // It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. message LicenseExpressionDetailed { - // Specifies the details and attributes related to a software license identifier. - // (An SPDX expression may be a compound of license identifiers.) - // The field `license_identifier` serves as the key which identifies each record. The key is not meant to be unique, as one and the same license identifier could apply to multiple, different but similar license details, texts, etc. + // This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers. + // The `license_identifier` field serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc. message ExpressionDetails { // A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. // This field serves as the primary key, which uniquely identifies each record. diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index bf0fdfd1..31cbbc44 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
@@ -1500,7 +1500,7 @@ "type": "array", "items": { "type": "object", - "description": "Specifies the details and attributes related to a software license identifier.\n(An SPDX expression may be a compound of license identifiers.)\nThe property `licenseIdentifier` serves as the key which identifies each record. The key is not meant to be unique, as one and the same license identifier could apply to multiple, different but similar license details, texts, etc.", + "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", "required": [ "licenseIdentifier" ], diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 88694b01..31a410c0 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -998,9 +998,8 @@ limitations under the License. - Specifies the details and attributes related to a software license identifier. - (An SPDX expression may be a compound of license identifiers.) - The attribute `license-identifier` serves as the key which identifies each record. The key is not meant to be unique, as one and the same license identifier could apply to multiple, different but similar license details, texts, etc. + This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers. + The `license-identifier` attribute serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc. From c974a3c1393739ddee9c7dc26c14b989f66b7bd4 Mon Sep 17 00:00:00 2001 
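Review bot: The rewritten JSON Schema description refers to the `license_identifier` property, but the property defined in this schema is `licenseIdentifier` (the `"required": ["licenseIdentifier"]` context two lines below shows the actual name); the proto field name was carried over into the JSON text. Replace `license_identifier` with `licenseIdentifier` in the description. "This document specifies …" also reads oddly for an object schema; "This object specifies …" or the previous "Specifies …" fits better.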
From: Jan Kowalleck Date: Thu, 27 Feb 2025 16:58:24 +0100 Subject: [PATCH 24/26] feat: license url Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 2 ++ schema/bom-1.7.schema.json | 7 +++++++ schema/bom-1.7.xsd | 6 ++++++ .../1.7/valid-license-expression-with-text-1.7.json | 3 ++- .../1.7/valid-license-expression-with-text-1.7.textproto | 1 + .../1.7/valid-license-expression-with-text-1.7.xml | 1 + 6 files changed, 19 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index d069aa89..16dcf397 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -435,6 +435,8 @@ message LicenseExpressionDetailed { optional string bom_ref = 2; // An optional way to include the textual content of the license. optional AttachedText text = 3; + // The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness + optional string url = 4; } // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements. diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 31cbbc44..6ed6de90 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -1524,6 +1524,13 @@ "title": "License texts", "description": "An optional way to include the textual content of the license.", "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" } }, "additionalProperties": false diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 31a410c0..31d90a9b 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd 
@@ -1008,6 +1008,12 @@ limitations under the License. An optional way to include the textual content of the license. + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json index 706a0ab1..4250fbb8 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json @@ -20,7 +20,8 @@ "licenseIdentifier": "LicenseRef-my-custom-license", "text": { "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." - } + }, + "url": "https://my-application.example.com/license.txt" }, { "licenseIdentifier": "EPL-2.0", diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto index 2519c938..4b18aec3 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto @@ -19,6 +19,7 @@ components { text { value: "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." } + url: "https://my-application.example.com/license.txt" } details { license_identifier: "EPL-2.0" diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml index e4275a16..74ea7dac 100644 --- a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml +++ b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml @@ -17,6 +17,7 @@ >
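Review bot: The XSD annotation added here reads `The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.`, which is generic attachment wording and does not match the proto comment and JSON description introduced by the same patch (`The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness`). The three schemas are meant to stay in lockstep, so use the license-specific sentence here as well. Element and attribute names are not visible in this rendering of the hunk, so I could not confirm the new element is named `url` like its JSON and proto counterparts; worth a glance.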
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. + https://my-application.example.com/license.txt
Date: Thu, 27 Feb 2025 17:14:11 +0100 Subject: [PATCH 25/26] feat: license expression licensing and properties Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 13 +- schema/bom-1.7.schema.json | 318 +++++++++++++++++++------------------ schema/bom-1.7.xsd | 257 ++++++++++++++++-------------- 3 files changed, 309 insertions(+), 279 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 16dcf397..d75ce987 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
@@ -444,12 +444,17 @@ message LicenseExpressionDetailed {
// - "Apache-2.0 AND (MIT OR GPL-2.0-only)",
// - "GPL-3.0-only WITH Classpath-exception-2.0"
string expression = 1;
+ // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+ // Details for parts of the `expression`.
+ repeated ExpressionDetails details = 2;
// An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
- optional string bom_ref = 2;
// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
- optional LicenseAcknowledgementEnumeration acknowledgement = 3;
- // Details for parts of the `expression`.
- repeated ExpressionDetails details = 4;
+ optional LicenseAcknowledgementEnumeration acknowledgement = 4;
+ // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+ optional Licensing licensing = 5;
+ // Specifies optional, custom, properties
+ repeated Property properties = 6;
}
// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 6ed6de90..e526c90c 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
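Review bot: `details = 2` now carries two comment lines, and the first, `// Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata`, is a copy of the comment that belongs on `licensing = 5`; delete it so the field is documented by `// Details for parts of the \`expression\`.` alone. Separately, this hunk reassigns wire tags — `details` 4→2, `bom_ref` 2→3, `acknowledgement` 3→4 — and protobuf identifies fields by tag, not by name or declaration order, so any consumer built from an earlier bom-1.7.proto draft would decode `details` bytes as `bom_ref` and vice versa. If no 1.7 proto has been published the renumbering is harmless, but it buys nothing over keeping the existing tags and simply appending `optional Licensing licensing = 5;` and `repeated Property properties = 6;`, since declaration order need not follow tag order.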
@@ -1230,6 +1230,161 @@ "examples": ["3942447fac867ae5cdb3229b658f4d48"], "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } + }, + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { 
+ "required": ["individual"] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee.", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + 
"custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." + } + } + }, + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." + } + } + }, "license": { "type": "object", "title": "License", 
@@ -1276,161 +1431,7 @@ "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], "format": "iri-reference" }, - "licensing": { - "type": "object", - "title": "Licensing information", - "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", - "additionalProperties": false, - "properties": { - "altIds": { - "type": "array", - "title": "Alternate License Identifiers", - "description": "License identifiers that may be used to manage licenses and their lifecycle", - "items": { - "type": "string" - } - }, - "licensor": { - "title": "Licensor", - "description": "The individual or organization that grants a license to another individual or organization", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensor (Organization)", - "description": "The organization that granted the license", - "$ref": "#/definitions/organizationalEntity" - }, - "individual": { - "title": "Licensor (Individual)", - "description": "The individual, not associated with an organization, that granted the license", - "$ref": "#/definitions/organizationalContact" - } - }, - "oneOf":[ - { - "required": ["organization"] - }, - { - "required": ["individual"] - } - ] - }, - "licensee": { - "title": "Licensee", - "description": "The individual or organization for which a license was granted to", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensee (Organization)", - "description": "The organization that was granted the license", - "$ref": "#/definitions/organizationalEntity" - }, - "individual": { - "title": "Licensee (Individual)", - "description": "The individual, not associated with an organization, that was granted the license", - "$ref": "#/definitions/organizationalContact" - } - }, - "oneOf":[ - { - "required": ["organization"] - }, - { - "required": ["individual"] - } - ] - }, - "purchaser": 
{ - "title": "Purchaser", - "description": "The individual or organization that purchased the license", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Purchaser (Organization)", - "description": "The organization that purchased the license", - "$ref": "#/definitions/organizationalEntity" - }, - "individual": { - "title": "Purchaser (Individual)", - "description": "The individual, not associated with an organization, that purchased the license", - "$ref": "#/definitions/organizationalContact" - } - }, - "oneOf":[ - { - "required": ["organization"] - }, - { - "required": ["individual"] - } - ] - }, - "purchaseOrder": { - "type": "string", - "title": "Purchase Order", - "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" - }, - "licenseTypes": { - "type": "array", - "title": "License Type", - "description": "The type of license(s) that was granted to the licensee.", - "items": { - "type": "string", - "enum": [ - "academic", - "appliance", - "client-access", - "concurrent-user", - "core-points", - "custom-metric", - "device", - "evaluation", - "named-user", - "node-locked", - "oem", - "perpetual", - "processor-points", - "subscription", - "user", - "other" - ], - "meta:enum": { - "academic": "A license that grants use of software solely for the purpose of education or research.", - "appliance": "A license covering use of software embedded in a specific piece of hardware.", - "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", - "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", - "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", - "custom-metric": "A license for which consumption is measured by 
non-standard metrics.", - "device": "A license that covers a defined number of installations on computers and other types of devices.", - "evaluation": "A license that grants permission to install and use software for trial purposes.", - "named-user": "A license that grants access to the software to one or more pre-defined users.", - "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", - "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", - "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", - "processor-points": "A license where each installation consumes points per processor.", - "subscription": "A license where the licensee pays a fee to use the software or service.", - "user": "A license that grants access to the software or service by a specified number of users.", - "other": "Another license type." - } - } - }, - "lastRenewal": { - "type": "string", - "format": "date-time", - "title": "Last Renewal", - "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." - }, - "expiration": { - "type": "string", - "format": "date-time", - "title": "Expiration", - "description": "The timestamp indicating when the current license expires (if applicable)." - } - } - }, + "licensing": {"$ref": "#/definitions/licensing"}, "properties": { "type": "array", "title": "Properties", 
@@ -1543,6 +1544,13 @@ "$ref": "#/definitions/refType", "title": "BOM Reference", "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "licensing": {"$ref": "#/definitions/licensing"}, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} } } }] diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 31d90a9b..87e72888 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd 
@@ -789,6 +789,126 @@ limitations under the License. + + + + + License identifiers that may be used to manage licenses and + their lifecycle + + + + + + + + + + The individual or organization that grants a license to another + individual or organization + + + + + + + The organization that granted the license + + + + + The individual, not associated with an organization, + that granted the license + + + + + + + + + The individual or organization for which a license was granted to + + + + + + + The organization that was granted the license + + + + + The individual, not associated with an organization, + that was granted the license + + + + + + + + + The individual or organization that purchased the license + + + + + + + The organization that purchased the license + + + + + The individual, not associated with an organization, + that purchased the license + + + + + + + + + The purchase order identifier the purchaser sent to a supplier or + vendor to authorize a purchase + + + + + The type of license(s) that was granted to the licensee + + + + + + + + + + The timestamp indicating when the license was last + renewed. For new purchases, this is often the purchase or acquisition date. + For non-perpetual licenses or subscriptions, this is the timestamp of when the + license was last renewed. + + + + + The timestamp indicating when the current license + expires (if applicable). + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + Specifies the details and attributes related to a software license. 
@@ -820,130 +940,11 @@ limitations under the License. an externalReference should also be specified for completeness. - + Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata - - - - - License identifiers that may be used to manage licenses and - their lifecycle - - - - - - - - - - The individual or organization that grants a license to another - individual or organization - - - - - - - The organization that granted the license - - - - - The individual, not associated with an organization, - that granted the license - - - - - - - - - The individual or organization for which a license was granted to - - - - - - - The organization that was granted the license - - - - - The individual, not associated with an organization, - that was granted the license - - - - - - - - - The individual or organization that purchased the license - - - - - - - The organization that purchased the license - - - - - The individual, not associated with an organization, - that purchased the license - - - - - - - - - The purchase order identifier the purchaser sent to a supplier or - vendor to authorize a purchase - - - - - The type of license(s) that was granted to the licensee - - - - - - - - - - The timestamp indicating when the license was last - renewed. For new purchases, this is often the purchase or acquisition date. - For non-perpetual licenses or subscriptions, this is the timestamp of when the - license was last renewed. - - - - - The timestamp indicating when the current license - expires (if applicable). - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - 
@@ -1045,6 +1046,22 @@ limitations under the License. + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + From 5b12e67cd3ebcb0f51f403785402e4c9a1efcdd6 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 27 Feb 2025 17:35:49 +0100 Subject: [PATCH 26/26] tests Signed-off-by: Jan Kowalleck --- ...license-expression-with-licensing-1.7.json | 57 +++++++++++++++++++ ...se-expression-with-licensing-1.7.textproto | 54 ++++++++++++++++++ ...-license-expression-with-licensing-1.7.xml | 49 ++++++++++++++++ ...alid-license-name-with-licensing-1.7.json} | 0 ...license-name-with-licensing-1.7.textproto} | 0 ...valid-license-name-with-licensing-1.7.xml} | 0 6 files changed, 160 insertions(+) create mode 100644 tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.json create mode 100644 tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.textproto create mode 100644 tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.xml rename tools/src/test/resources/1.7/{valid-license-licensing-1.7.json => valid-license-name-with-licensing-1.7.json} (100%) rename tools/src/test/resources/1.7/{valid-license-licensing-1.7.textproto => valid-license-name-with-licensing-1.7.textproto} (100%) rename tools/src/test/resources/1.7/{valid-license-licensing-1.7.xml => valid-license-name-with-licensing-1.7.xml} (100%) 
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.json
new file mode 100644
index 00000000..97f3f773
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:78a32681-a31f-4097-b151-7b771cc58157",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "publisher": "Acme Inc",
+ "group": "com.acme",
+ "name": "cryptographic-provider",
+ "version": "2.2.0",
+ "licenses": [
+ {
+ "bom-ref": "acme-license-1",
+ "expression": "LicenseRef-AcmeCommercialLicense",
+ "licensing": {
+ "altIds": [
+ "acme",
+ "acme-license"
+ ],
+ "licensor": {
+ "organization": {
+ "name": "Acme Inc",
+ "contact": [
+ {
+ "name": "Acme Licensing Fulfillment",
+ "email": "licensing@example.com"
+ }
+ ]
+ }
+ },
+ "licensee": {
+ "organization": {
+ "name": "Example Co."
+ }
+ },
+ "purchaser": {
+ "individual": {
+ "name": "Samantha Wright",
+ "email": "samantha.wright@gmail.com",
+ "phone": "800-555-1212"
+ }
+ },
+ "purchaseOrder": "PO-12345",
+ "licenseTypes": [
+ "appliance"
+ ],
+ "lastRenewal": "2022-04-13T20:20:39+00:00",
+ "expiration": "2023-04-13T20:20:39+00:00"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.textproto
new file mode 100644
index 00000000..eb6aaca5
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.textproto
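Review bot: The purchaser contact uses `samantha.wright@gmail.com`, a live third-party mail domain, in a fixture that is committed and redistributed with the spec; the same file already uses the RFC 2606 reserved domain for `licensing@example.com`, so the purchaser should be `"email": "samantha.wright@example.com"` as well. Keeping fixtures on reserved domains avoids test data that could belong to a real person and keeps PII scanners quiet on the repository.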
@@ -0,0 +1,54 @@ +# proto-file: schema/bom-1.7.proto +# proto-message: Bom + +spec_version: "1.7" +version: 1 +serial_number: "urn:uuid:78a32681-a31f-4097-b151-7b771cc58157" +components { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "com.acme" + name: "cryptographic-provider" + version: "2.2.0" + licenses { + expression_detailed { + bom_ref: "acme-license-1" + expression: "LicenseRef-AcmeCommercialLicense" + licensing { + altIds: "acme" + altIds: "acme-license" + licensor { + organization { + name: "Acme Inc" + contact { + name: "Acme Licensing Fulfillment" + email: "licensing@example.com" + } + } + } + licensee { + organization { + name: "Example Co." + } + } + purchaser { + individual { + name: "Samantha Wright" + email: "samantha.wright@gmail.com" + phone: "800-555-1212" + } + } + purchaseOrder: "PO-12345" + licenseTypes: LICENSING_TYPE_APPLIANCE + lastRenewal { + seconds: 1649881239 + nanos: 3 + } + expiration { + seconds: 1681417239 + nanos: 3 + } + } + } + } +} diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.xml new file mode 100644 index 00000000..319f33b4 --- /dev/null +++ b/tools/src/test/resources/1.7/valid-license-expression-with-licensing-1.7.xml @@ -0,0 +1,49 @@ + + + + + Acme Inc + com.acme + cryptographic-provider + 2.2.0 + + + + + acme + acme-license + + + + Acme Inc + + Acme Licensing Fulfillment + licensing@example.com + + + + + + Example Co. + + + + + Samantha Wright + samantha.wright@gmail.com + 800-555-1212 + + + PO-12345 + + appliance + + 2022-04-13T20:20:39+00:00 + 2023-04-13T20:20:39+00:00 + + + + + + 
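Review bot: Both timestamps carry `nanos: 3`, but the JSON and XML versions of this fixture encode `2022-04-13T20:20:39+00:00` and `2023-04-13T20:20:39+00:00` with no fractional second, so the three formats are not equivalent; drop the two `nanos: 3` lines (`seconds: 1649881239` does correspond to 2022-04-13T20:20:39Z, so only the nanos are off). The `Licensing` message itself is not in this diff; the camelCase field names used here (`altIds`, `purchaseOrder`, `licenseTypes`, `lastRenewal`) differ from the snake_case of `bom_ref` and `license_identifier` elsewhere in bom-1.7.proto, so confirm they match the message definition or the fixture will not parse.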
diff --git a/tools/src/test/resources/1.7/valid-license-licensing-1.7.json b/tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.json similarity index 100% rename from tools/src/test/resources/1.7/valid-license-licensing-1.7.json rename to tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.json diff --git a/tools/src/test/resources/1.7/valid-license-licensing-1.7.textproto b/tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.textproto similarity index 100% rename from tools/src/test/resources/1.7/valid-license-licensing-1.7.textproto rename to tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.textproto diff --git a/tools/src/test/resources/1.7/valid-license-licensing-1.7.xml b/tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.xml similarity index 100% rename from tools/src/test/resources/1.7/valid-license-licensing-1.7.xml rename to tools/src/test/resources/1.7/valid-license-name-with-licensing-1.7.xml