feat: license expression details and properties - text attachment, licensing, etc #599

wants to merge 26 commits into
base: 1.7-dev
41 changes: 38 additions & 3 deletions schema/bom-1.7.proto
Expand Up @@ -384,12 +384,14 @@ message LicenseChoice {
oneof choice {
// A license
License license = 1;
// A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
// A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements.
string expression = 2;
// A SPDX license expression and its details
LicenseExpressionDetailed expression_detailed = 5;
}
// This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
// This field must only be used when `expression` is chosen as the other options have their own acknowledgement.
optional LicenseAcknowledgementEnumeration acknowledgement = 3;
// This field must only be used when "expression" is chosen as the License object has its own bom_ref.
// This field must only be used when `expression` is chosen as the other options have their own bom_ref.
optional string bom_ref = 4;
}

Expand All @@ -415,6 +417,39 @@ message License {
optional LicenseAcknowledgementEnumeration acknowledgement = 8;
}

// Specifies the details and attributes related to a software license.
// It must be a valid SPDX license expression, along with additional properties such as license acknowledgment.
message LicenseExpressionDetailed {

// This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.
// The `license_identifier` field serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.
message ExpressionDetails {
// A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.
// This field serves as the primary key, which uniquely identifies each record.
// Example values:
// - "Apache-2.0",
// - "GPL-3.0-only WITH Classpath-exception-2.0"
// - "LicenseRef-my-custom-license"
string license_identifier = 1;
// An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 2;
// An optional way to include the textual content of the license.
optional AttachedText text = 3;
}

// A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements.
// Example values:
// - "Apache-2.0 AND (MIT OR GPL-2.0-only)",
// - "GPL-3.0-only WITH Classpath-exception-2.0"
string expression = 1;
// An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
optional string bom_ref = 2;
// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
optional LicenseAcknowledgementEnumeration acknowledgement = 3;
// Details for parts of the `expression`.
repeated ExpressionDetails details = 4;
}

// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
enum LicenseAcknowledgementEnumeration {
// The license acknowledgement is not specified.
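Review bot: The comments inside the new nested ExpressionDetails message contradict each other: the message comment says the `license_identifier` key "is not required to be unique", while the field comment on that same identifier says it "serves as the primary key, which uniquely identifies each record". A consumer that de-duplicates entries or applies license policy per identifier will behave differently depending on which sentence it trusts, so the field comment should drop the uniqueness claim, e.g. `// This field serves as the key of the record. It is not required to be unique; the same identifier may appear in several entries that differ in text or bom_ref.` The same pair of statements is repeated in the `licenseIdentifier` description of schema/bom-1.7.schema.json. The message-level comment on LicenseExpressionDetailed also says "It must be a valid SPDX license expression", which applies to the `expression` field rather than to the message; `// Details and attributes of a software license expression: the expression itself, its acknowledgement, and per-identifier details such as license text.` would describe the message itself.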
39 changes: 38 additions & 1 deletion schema/bom-1.7.schema.json
Expand Up @@ -1479,19 +1479,56 @@
"minItems": 1,
"maxItems": 1,
"items": [{
"title": "License Expression",
"description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.",
"type": "object",
"additionalProperties": false,
"required": ["expression"],
"properties": {
"expression": {
"type": "string",
"title": "SPDX License Expression",
"description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements",
"description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.",
"examples": [
"Apache-2.0 AND (MIT OR GPL-2.0-only)",
"GPL-3.0-only WITH Classpath-exception-2.0"
]
},
"expressionDetails": {
"title": "Expression Details",
"description": "Details for parts of the `expression`.",
"type": "array",
"items": {
"type": "object",
"description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.",
"required": [
"licenseIdentifier"
],
"properties": {
"licenseIdentifier": {
"title": "License Identifier",
"description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.",
"type": "string",
"examples": [
"Apache-2.0",
"GPL-3.0-only WITH Classpath-exception-2.0",
"LicenseRef-my-custom-license"
]
},
"bom-ref": {
"$ref": "#/definitions/refType",
"title": "BOM Reference",
"description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
},
"text": {
"title": "License texts",
"description": "An optional way to include the textual content of the license.",
"$ref": "#/definitions/attachment"
}
},
"additionalProperties": false
}
},
"acknowledgement": {
"$ref": "#/definitions/licenseAcknowledgementEnumeration"
},
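Review bot: The `licenseIdentifier` property is described as "The valid SPDX license identifier", yet its examples include `GPL-3.0-only WITH Classpath-exception-2.0`, which is a compound expression (license plus exception) rather than a single identifier; the proto field `license_identifier` carries the same example. Either the description should state that a `WITH` clause is permitted in this key, or the example should be replaced by a plain identifier such as `GPL-3.0-only`, so validators and consumers know what to accept. The item description also opens with "This document specifies…", which reads as copied from a standalone document; `"This object specifies the details and attributes related to a software license identifier. …"` fits a schema item better, and the nested proto message comment uses the same wording.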