Description
Hi,
We have an SBOM file with a license SPDX expression. Unfortunately, Sunshine does not support this variant.
The question is, how these shall be mapped to the list of licenses being rendered. The SBOM standard does not define exactly if the list of licenses is semantically equal to the OR SPDX operator or the AND operator. Looking at how the list is used in practice indicates to me that the list is used as an OR, so the components are dual licensed and one can choose the license to apply.
I now see three ways to handle the expressions:
1. Add the whole expression as an entry of the list to display
2. Parse the expression and try to find a way to represent these, e.g.
   a. Only list top level OR expression entries as the list of licenses is displayed right now, and then represent the rest (either root AND expressions or nested expressions) as strings
   b. Represent all (even nested) expressions graphically, e.g. as a tree of nodes
3. Use a regular expression to parse a sub-set of possible expressions (e.g. only top level OR expressions)
I implemented Version 2.a. in a fork of mine using the spdx/tools-python package. It does pull in quite a bit of dependencies, so I am not sure if this is the solution you want to go for. However, it can be a reason to generate an SBOM for sunshine and create a report using Sunshine π. If you want to use minimal dependencies, option 3. might be a reasonable way to go.
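The following is an added example illustrating option 2.a without the `spdx/tools-python` dependency; it is not the author's fork and not Sunshine code. It is a small recursive-descent parser for SPDX license expressions (`AND`, `OR`, `WITH`, parentheses, the `+` suffix and `LicenseRef-` identifiers) that returns the top-level `OR` alternatives as display strings and keeps everything else (root `AND` expressions, nested groups) as a single string. Operators are matched case-insensitively here; that is an assumption for convenience, since older SPDX versions require upper-case operators. Malformed expressions raise `ValueError` rather than being silently rendered, which is the failure mode a report generator should surface.

```python
import re
from typing import List, Tuple, Union

# AST: a plain string for a license id (optionally "X WITH Y"),
# or ("AND"|"OR", [children]) for compound expressions.
Node = Union[str, Tuple[str, List["Node"]]]

# One token per match: "(", ")", or an identifier/operator word.
# The character class covers SPDX ids like GPL-2.0+, LicenseRef-foo and
# DocumentRef-x:LicenseRef-y (assumption: ':' is allowed inside ids).
_TOKEN_RE = re.compile(r"\s*(\(|\)|[A-Za-z0-9.\-+:]+)")
_OPERATORS = ("AND", "OR", "WITH")


def tokenize(expr: str) -> List[str]:
    """Split an SPDX expression into tokens; reject stray characters."""
    expr = expr.strip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Precedence (low to high): OR, AND, WITH. Parentheses override."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok

    def _peek_is(self, op: str) -> bool:
        tok = self.peek()
        return tok is not None and tok.upper() == op

    def parse_or(self) -> Node:
        parts = [self.parse_and()]
        while self._peek_is("OR"):
            self.take()
            parts.append(self.parse_and())
        return parts[0] if len(parts) == 1 else ("OR", parts)

    def parse_and(self) -> Node:
        parts = [self.parse_primary()]
        while self._peek_is("AND"):
            self.take()
            parts.append(self.parse_primary())
        return parts[0] if len(parts) == 1 else ("AND", parts)

    def parse_primary(self) -> Node:
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok == ")" or tok.upper() in _OPERATORS:
            raise ValueError(f"unexpected token {tok!r}")
        if self._peek_is("WITH"):  # license WITH exception binds tightest
            self.take()
            exc = self.take()
            if exc in ("(", ")") or exc.upper() in _OPERATORS:
                raise ValueError("expected exception id after WITH")
            return f"{tok} WITH {exc}"
        return tok


def parse(expr: str) -> Node:
    """Parse a full expression; trailing tokens are an error."""
    p = _Parser(tokenize(expr))
    node = p.parse_or()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens: {p.toks[p.i:]}")
    return node


def render(node: Node) -> str:
    """Render an AST back to text, parenthesizing nested compounds."""
    if isinstance(node, str):
        return node
    op, parts = node
    return f" {op} ".join(r if isinstance(c, str) else f"({r})"
                          for c, r in ((c, render(c)) for c in parts))


def license_choices(expr: str) -> List[str]:
    """Option 2.a: top-level OR alternatives as list entries (the SBOM list
    is read as an OR); anything else is shown as one string entry."""
    node = parse(expr)
    if isinstance(node, tuple) and node[0] == "OR":
        return [render(c) for c in node[1]]
    return [render(node)]


if __name__ == "__main__":
    # Constructed sample expressions, not taken from any real SBOM.
    for e in ("MIT OR Apache-2.0",
              "(MIT AND BSD-3-Clause) OR GPL-2.0-only WITH Classpath-exception-2.0",
              "MIT AND (LGPL-2.1-or-later OR GPL-3.0-only)"):
        print(e, "->", license_choices(e))
```

Each `license_choices` result maps directly onto the existing list rendering: a dual-licensed component yields one entry per alternative, while a conjunction or a nested group yields a single entry whose text still carries the full expression, so no licensing obligation is dropped from the report.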