ework license expression lext attachments and add shema

jkowalleck · jkowalleck · commit 59c9a1f74d67 · 2025-02-24T21:38:03.000+01:00
Signed-off-by: Jan Kowalleck &lt;jan.kowalleck@gmail.com&gt;
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
@@ -386,13 +386,13 @@ message LicenseChoice {
     License license = 1;
     // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
     string expression = 2;
+    // TODO
+    ExpressionDetailed expression_detailed = 5;
   }
   // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
   optional LicenseAcknowledgementEnumeration acknowledgement = 3;
   // This field must only be used when "expression" is chosen as the License object has its own bom_ref.
   optional string bom_ref = 4;
-  // This field must only be used when "expression" is chosen ... TODO.
-  repeated ExpressionDetails expression_details = 5;
 }
 
 // Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.
@@ -417,12 +417,22 @@ message License {
   optional LicenseAcknowledgementEnumeration acknowledgement = 8;
 }
 
+message ExpressionDetailed {
+  // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
+  string expression = 1;
+  optional string bom_ref = 2;
+  // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+  optional LicenseAcknowledgementEnumeration acknowledgement = 3;
+  // TODO
+  repeated ExpressionDetails details = 4;
+}
+
 // TODO
 message ExpressionDetails {
   // TODO
   string license_identifier = 1;
   // Specifies the optional full text of the attachment
-  optional AttachedText text = 3;
+  optional AttachedText text = 2;
 }
 
 // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
@@ -966,74 +966,74 @@ limitations under the License.
         <xs:attributeGroup ref="bom:licenseAttributes"/>
     </xs:complexType>
 
-    <xs:complexType name="expressionType">
-        <xs:choice>
-            <xs:simpleContent>
-                <xs:extension base="xs:normalizedString">
-                    <xs:annotation>
-                        <xs:documentation>A valid SPDX license expression.
-                            Refer to https://spdx.org/specifications for syntax requirements
+    <xs:complexType name="expressionSimpleType">
+        <xs:simpleContent>
+            <xs:extension base="xs:normalizedString">
+                <xs:annotation>
+                    <xs:documentation>A valid SPDX license expression.
+                        Refer to https://spdx.org/specifications for syntax requirements
 
-                            Example values:
-                            - Apache-2.0 AND (MIT OR GPL-2.0-only)
-                            - GPL-3.0-only WITH Classpath-exception-2.0
-                        </xs:documentation>
-                    </xs:annotation>
-                </xs:extension>
-            </xs:simpleContent>
-            <xs:complexContent>
-                <xs:sequence>
-                    <xs:element name="details" minOccurs="0" maxOccurs="unbounded">
-                        <xs:complexType>
-                            <xs:sequence>
-                                <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1">
-                                    <xs:annotation>
-                                        <xs:documentation>Specifies the optional full text of the attachment</xs:documentation>
-                                    </xs:annotation>
-                                </xs:element>
-                                <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
-                                    <xs:annotation>
-                                        <xs:documentation>
-                                            Allows any undeclared elements as long as the elements are placed in a different namespace.
-                                        </xs:documentation>
-                                    </xs:annotation>
-                                </xs:any>
-                            </xs:sequence>
-                            <xs:attribute name="license-identifier" type="xs:normalizedString" use="required">
-                                <xs:annotation>
-                                    <xs:documentation>
-                                        TODO
+                        Example values:
+                        - Apache-2.0 AND (MIT OR GPL-2.0-only)
+                        - GPL-3.0-only WITH Classpath-exception-2.0
+                    </xs:documentation>
+                </xs:annotation>
+                <xs:attributeGroup ref="bom:licenseAttributes"/>
+            </xs:extension>
+        </xs:simpleContent>
+    </xs:complexType>
 
-                                        Examples:
-                                        - Apache-2.0
-                                        - GPL-3.0-only WITH Classpath-exception-2.0
-                                    </xs:documentation>
-                                </xs:annotation>
-                            </xs:attribute>
-                        </xs:complexType>
-                    </xs:element>
-                    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
+    <xs:complexType name="expressionComplexType">
+        <xs:sequence>
+            <xs:element name="details" minOccurs="0" maxOccurs="unbounded">
+                <xs:complexType>
+                    <xs:sequence>
+                        <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1">
+                            <xs:annotation>
+                                <xs:documentation>Specifies the optional full text of the attachment</xs:documentation>
+                            </xs:annotation>
+                        </xs:element>
+                        <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
+                            <xs:annotation>
+                                <xs:documentation>
+                                    Allows any undeclared elements as long as the elements are placed in a different namespace.
+                                </xs:documentation>
+                            </xs:annotation>
+                        </xs:any>
+                    </xs:sequence>
+                    <xs:attribute name="license-identifier" type="xs:normalizedString" use="required">
                         <xs:annotation>
                             <xs:documentation>
-                                Allows any undeclared elements as long as the elements are placed in a different namespace.
+                                TODO
+
+                                Examples:
+                                - Apache-2.0
+                                - GPL-3.0-only WITH Classpath-exception-2.0
                             </xs:documentation>
                         </xs:annotation>
-                    </xs:any>
-                </xs:sequence>
-                <xs:attribute name="value" type="xs:normalizedString" use="required">
+                    </xs:attribute>
+                </xs:complexType>
+            </xs:element>
+            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                     <xs:annotation>
-                        <xs:documentation>A valid SPDX license expression.
-                            Refer to https://spdx.org/specifications for syntax requirements
-
-                            Example values:
-                            - Apache-2.0 AND (MIT OR GPL-2.0-only)
-                            - GPL-3.0-only WITH Classpath-exception-2.0
+                        <xs:documentation>
+                            Allows any undeclared elements as long as the elements are placed in a different namespace.
                         </xs:documentation>
                     </xs:annotation>
-                </xs:attribute>
-            </xs:complexContent>
-        </xs:choice>
+                </xs:any>
+        </xs:sequence>
         <xs:attributeGroup ref="bom:licenseAttributes"/>
+        <xs:attribute name="expression" type="xs:normalizedString" use="required">
+            <xs:annotation>
+                <xs:documentation>A valid SPDX license expression.
+                    Refer to https://spdx.org/specifications for syntax requirements
+
+                    Example values:
+                    - Apache-2.0 AND (MIT OR GPL-2.0-only)
+                    - GPL-3.0-only WITH Classpath-exception-2.0
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
     </xs:complexType>
 
     <xs:complexType name="attachedTextType">
@@ -2373,7 +2373,8 @@ limitations under the License.
     <xs:complexType name="licenseChoiceType">
         <xs:choice>
             <xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
-            <xs:element name="expression" type="bom:expressionType" minOccurs="0" maxOccurs="1" />
+            <xs:element name="expression" type="bom:expressionSimpleType" minOccurs="0" maxOccurs="1" />
+            <xs:element name="expression-detailed" type="bom:expressionComplexType" minOccurs="0" maxOccurs="1" />
         </xs:choice>
     </xs:complexType>
 
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.textproto
@@ -13,20 +13,22 @@ components {
   description: "Modified version of Apache Catalina"
   scope: SCOPE_REQUIRED
   licenses {
-    bom_ref: "my-license"
-    acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
-    expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
-    expression_details {
-      license_identifier: "EPL-2.0"
-      text {
-        value: "Eclipse Public License - v 2.0\n\n    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n    PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n    OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
+    expression_detailed {
+      bom_ref: "my-license"
+      acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED
+      expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+      details {
+        license_identifier: "EPL-2.0"
+        text {
+          value: "Eclipse Public License - v 2.0\n\n    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n    PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n    OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
+        }
       }
-    }
-    expression_details {
-      license_identifier: "GPL-2.0 WITH Classpath-exception-2.0",
-      text {
-        content_type: "text/plain",
-        value: "                    GNU GENERAL PUBLIC LICENSE\n                       Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n <https://fsf.org/>\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
+      details {
+        license_identifier: "GPL-2.0 WITH Classpath-exception-2.0",
+        text {
+          content_type: "text/plain",
+          value: "                    GNU GENERAL PUBLIC LICENSE\n                       Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n <https://fsf.org/>\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
+        }
       }
     }
   }
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.xml
@@ -9,8 +9,8 @@
             <description>Modified version of Apache Catalina</description>
             <scope>required</scope>
             <licenses>
-                <expression bom-ref="my-license" acknowledgement="declared"
-                            value="EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+                <expression-detailed bom-ref="my-license" acknowledgement="declared"
+                                     expression="EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
                 >
                     <details license-identifier="EPL-2.0">
                         <text><![CDATA[Eclipse Public License - v 2.0
@@ -32,7 +32,7 @@
 
 Linking this library statically or dynamically with other modules is making a combined work based on this library...]]></text>
                     </details>
-                </expression>
+                </expression-detailed>
             </licenses>
             <purl>pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar</purl>
         </component>
