feat: licenses allow mix of multiple SPDX expressions AND/OR multiple named/spdx licenses

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

schema/bom-1.7.proto

@@ -114,7 +114,7 @@ message Component {
   optional Scope scope = 11;
   // The hashes of the component.
   repeated Hash hashes = 12;
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   repeated LicenseChoice licenses = 13;
   // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
   optional string copyright = 14;
@@ -506,7 +506,7 @@ message Metadata {
   // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
   optional OrganizationalEntity supplier = 6;
   // The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   repeated LicenseChoice licenses = 7;
   // Specifies optional, custom, properties
   repeated Property properties = 8;
@@ -641,7 +641,7 @@ message Service {
   optional bool x_trust_boundary = 9;
   // Specifies information about the data including the directional flow of data and the data classification.
   repeated DataFlow data = 10;
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   repeated LicenseChoice licenses = 11;
   // Provides the ability to document external references related to the service.
   repeated ExternalReference external_references = 12;
@@ -745,7 +745,7 @@ message EvidenceCopyright {
 
 // Provides the ability to document evidence collected through various forms of extraction or analysis.
 message Evidence {
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   repeated LicenseChoice licenses = 1;
   // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
   repeated EvidenceCopyright copyright = 2;

schema/bom-1.7.schema.json

@@ -1454,32 +1454,22 @@
     },
     "licenseChoice": {
       "title": "License Choice",
-      "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)",
+      "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.",
       "type": "array",
-      "oneOf": [
-        {
-          "title": "Multiple licenses",
-          "description": "A list of SPDX licenses and/or named licenses.",
-          "type": "array",
-          "items": {
+      "items": {
+        "oneOf": [
+          {
             "type": "object",
             "title": "License",
             "required": ["license"],
             "additionalProperties": false,
             "properties": {
               "license": {"$ref": "#/definitions/license"}
             }
-          }
-        },
-        {
-          "title": "SPDX License Expression",
-          "description": "A tuple of exactly one SPDX License Expression.",
-          "type": "array",
-          "additionalItems": false,
-          "minItems": 1,
-          "maxItems": 1,
-          "items": [{
+          },
+          {
             "type": "object",
+            "title": "SPDX License Expression",
             "additionalProperties": false,
             "required": ["expression"],
             "properties": {
@@ -1501,9 +1491,9 @@
                 "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
               }
             }
-          }]
-        }
-      ]
+          }
+        ]
+      }
     },
     "commit": {
       "type": "object",

schema/bom-1.7.xsd

@@ -2297,9 +2297,12 @@ limitations under the License.
     </xs:simpleType>
 
     <xs:complexType name="licenseChoiceType">
-        <xs:choice>
-            <xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
-            <xs:element name="expression" minOccurs="0" maxOccurs="1">
+        <xs:annotation>
+            <xs:documentation>A list of SPDX licenses and/or named licenses and/or SPDX License Expression.</xs:documentation>
+        </xs:annotation>
+        <xs:choice minOccurs="0" maxOccurs="unbounded">
+            <xs:element name="license" type="bom:licenseType"/>
+            <xs:element name="expression">
                 <xs:annotation>
                     <xs:documentation>A valid SPDX license expression.
                         Refer to https://spdx.org/specifications for syntax requirements

tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.json

@@ -0,0 +1,79 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
+  "version": 1,
+  "metadata": {
+    "lifecycles": [{"phase": "design"}]
+  },
+  "components": [
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-A",
+      "version": "1",
+      "description": "Multiple licenses: declared ids/names, and a concluded expression",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "id": "PostgreSQL",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "name": "Apache Software License",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "expression": "(MIT OR PostgreSQL OR Apache-2.0)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-B",
+      "version": "1",
+      "description": "Multiple license expressions: one declared, one concluded",
+      "licenses": [
+        {
+          "expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
+          "acknowledgement": "declared"
+        },
+        {
+          "expression": "(GPL-3.0-only AND LGPL-2.0-only)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-C",
+      "version": "1",
+      "description": "Multiple license: one declared expression, one concluded id",
+      "licenses": [
+        {
+          "expression": "GPL-3.0-or-later OR GPL-2.0",
+          "acknowledgement": "declared"
+        },
+        {
+          "license": {
+            "id": "GPL-3.0-only",
+            "acknowledgement": "concluded"
+          }
+        }
+      ]
+    }
+  ]
+}

tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
+     serialNumber="urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
+>
+    <!--
+    All license posture in here is for show-case ony.
+    This is not a real law-case!
+    -->
+    <metadata>
+        <lifecycles><lifecycle><phase>design</phase></lifecycle></lifecycles>
+    </metadata>
+    <components>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-A</name>
+            <version>1</version>
+            <description>Multiple licenses: declared ids/names, and a concluded expression</description>
+            <licenses>
+                <license acknowledgement="declared"><id>MIT</id></license>
+                <license acknowledgement="declared"><id>PostgreSQL</id></license>
+                <license acknowledgement="declared"><name>Apache Software License</name></license>
+                <expression acknowledgement="concluded">(MIT OR PostgreSQL OR Apache-2.0)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-B</name>
+            <version>1</version>
+            <description>Multiple license expressions: one declared, one concluded</description>
+            <licenses>
+                <expression acknowledgement="declared">MIT OR (GPL-3.0 OR GPL-2.0)</expression>
+                <expression acknowledgement="concluded">(GPL-3.0-only AND LGPL-2.0-only)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-C</name>
+            <version>1</version>
+            <description>Multiple license: one declared expression, one concluded id</description>
+            <licenses>
+                <expression acknowledgement="declared">GPL-3.0-or-later OR GPL-2.0</expression>
+                <license acknowledgement="concluded"><id>GPL-3.0-only</id></license>
+            </licenses>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.json

@@ -0,0 +1,79 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
+  "version": 1,
+  "metadata": {
+    "lifecycles": [{"phase": "design"}]
+  },
+  "components": [
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-A",
+      "version": "1",
+      "description": "Multiple licenses: declared ids/names, and a concluded expression",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "id": "PostgreSQL",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "name": "Apache Software License",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "expression": "(MIT OR PostgreSQL OR Apache-2.0)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-B",
+      "version": "1",
+      "description": "Multiple license expressions: one declared, one concluded",
+      "licenses": [
+        {
+          "expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
+          "acknowledgement": "declared"
+        },
+        {
+          "expression": "(GPL-3.0-only AND LGPL-2.0-only)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-C",
+      "version": "1",
+      "description": "Multiple license: one declared expression, one concluded id",
+      "licenses": [
+        {
+          "expression": "GPL-3.0-or-later OR GPL-2.0",
+          "acknowledgement": "declared"
+        },
+        {
+          "license": {
+            "id": "GPL-3.0-only",
+            "acknowledgement": "concluded"
+          }
+        }
+      ]
+    }
+  ]
+}

tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.textproto

@@ -0,0 +1,73 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+# All license posture in here is for show-case ony.
+# This is not a real law-case!
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
+metadata: {
+  lifecycles { phase: LIFECYCLE_PHASE_DESIGN }
+}
+components {
+  type: CLASSIFICATION_LIBRARY
+  group: "com.example"
+  name: "situation-A"
+  version: "1"
+  description: "Multiple licenses: declared ids/names, and a concluded expression"
+  licenses {
+    license {
+      id: "MIT"
+      acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+    }
+  }
+  licenses {
+    license {
+      id: "PostgreSQL"
+      acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+    }
+  }
+  licenses {
+    license {
+      name: "Apache Software License"
+      acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+    }
+  }
+  licenses {
+    expression: "(MIT OR PostgreSQL OR Apache-2.0)"
+    acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED
+  }
+}
+components {
+  type: CLASSIFICATION_LIBRARY
+  group: "com.example"
+  name: "situation-B"
+  version: "1"
+  description: "Multiple license expressions: one declared, one concluded"
+  licenses {
+    expression: "MIT OR (GPL-3.0 OR GPL-2.0)"
+    acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+  }
+  licenses {
+    expression: "(GPL-3.0-only AND LGPL-2.0-only)"
+    acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED
+  }
+}
+components {
+  type: CLASSIFICATION_LIBRARY
+  group: "com.example"
+  name: "situation-C"
+  version: "1"
+  description: "Multiple license: one declared expression, one concluded id"
+  licenses {
+    expression: "GPL-3.0-or-later OR GPL-2.0"
+    acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+  }
+  licenses {
+    license {
+      id: "GPL-3.0-only"
+      acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED
+    }
+  }
+}