Merge remote-tracking branch 'origin/1.7-dev' into feat/licenses/acknowledgement-should-be-unique

Author: jkowalleck

schema/bom-1.7.proto

@@ -66,7 +66,8 @@ enum Classification {
   CLASSIFICATION_FIRMWARE = 8;
   // A special type of software that operates or controls a particular type of device. Refer to https://en.wikipedia.org/wiki/Device_driver
   CLASSIFICATION_DEVICE_DRIVER = 9;
-  // A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.
+  // A runtime environment that interprets or executes software.
+  // This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.
   CLASSIFICATION_PLATFORM = 10;
   // A model based on training data that can make predictions or decisions without being explicitly programmed to do so.
   CLASSIFICATION_MACHINE_LEARNING_MODEL = 11;
@@ -122,7 +123,7 @@ message Component {
   optional Scope scope = 11;
   // The hashes of the component.
   repeated Hash hashes = 12;
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   // There should be no more than one per license acknowledgement.
   repeated LicenseChoice licenses = 13;
   // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
@@ -573,6 +574,7 @@ message Metadata {
   // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
   optional OrganizationalEntity supplier = 6;
   // The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   // There should be no more than one per license acknowledgement.
   repeated LicenseChoice licenses = 7;
   // Specifies optional, custom, properties
@@ -710,7 +712,7 @@ message Service {
   optional bool x_trust_boundary = 9;
   // Specifies information about the data including the directional flow of data and the data classification.
   repeated DataFlow data = 10;
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   // There should be no more than one per license acknowledgement.
   repeated LicenseChoice licenses = 11;
   // Provides the ability to document external references related to the service.
@@ -833,7 +835,7 @@ message EvidenceCopyright {
 
 // Provides the ability to document evidence collected through various forms of extraction or analysis.
 message Evidence {
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   // There should be no license acknowledgement assigned to any of these.
   repeated LicenseChoice licenses = 1;
   // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.

schema/bom-1.7.schema.json

@@ -888,7 +888,7 @@
             "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.",
             "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.",
             "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).",
-            "platform": "A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.",
+            "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.",
             "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).",
             "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).",
             "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).",
@@ -1526,36 +1526,31 @@
     },
     "licenseChoice": {
       "title": "License Choice",
-      "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)",
+      "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.",
       "type": "array",
-      "oneOf": [
-        {
-          "title": "Multiple licenses",
-          "description": "A list of SPDX licenses and/or named licenses.",
-          "type": "array",
-          "items": {
+      "items": {
+        "oneOf": [
+          {
             "type": "object",
             "title": "License",
-            "required": ["license"],
+            "required": [
+              "license"
+            ],
             "additionalProperties": false,
             "properties": {
-              "license": {"$ref": "#/definitions/license"}
+              "license": {
+                "$ref": "#/definitions/license"
+              }
             }
-          }
-        },
-        {
-          "title": "SPDX License Expression",
-          "description": "A tuple of exactly one SPDX License Expression.",
-          "type": "array",
-          "additionalItems": false,
-          "minItems": 1,
-          "maxItems": 1,
-          "items": [{
+          },
+          {
             "title": "License Expression",
             "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.",
             "type": "object",
             "additionalProperties": false,
-            "required": ["expression"],
+            "required": [
+              "expression"
+            ],
             "properties": {
               "expression": {
                 "type": "string",
@@ -1601,7 +1596,9 @@
                       "type": "string",
                       "title": "License URL",
                       "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness",
-                      "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"],
+                      "examples": [
+                        "https://www.apache.org/licenses/LICENSE-2.0.txt"
+                      ],
                       "format": "iri-reference"
                     }
                   },
@@ -1616,17 +1613,21 @@
                 "title": "BOM Reference",
                 "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
               },
-              "licensing": {"$ref": "#/definitions/licensing"},
+              "licensing": {
+                "$ref": "#/definitions/licensing"
+              },
               "properties": {
                 "type": "array",
                 "title": "Properties",
                 "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
-                "items": {"$ref": "#/definitions/property"}
+                "items": {
+                  "$ref": "#/definitions/property"
+                }
               }
             }
-          }]
-        }
-      ]
+          }
+        ]
+      }
     },
     "commit": {
       "type": "object",

schema/bom-1.7.xsd

@@ -1287,8 +1287,11 @@ limitations under the License.
             </xs:enumeration>
             <xs:enumeration value="platform">
                 <xs:annotation>
-                    <xs:documentation>A runtime environment which interprets or executes software. This may include
-                        runtimes such as those that execute bytecode or low-code/no-code application platforms.</xs:documentation>
+                    <xs:documentation>
+                        A runtime environment that interprets or executes software.
+                        This may include runtimes such as those that execute bytecode, just-in-time compilers,
+                        interpreters, or low-code/no-code application platforms.
+                    </xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="operating-system">
@@ -2568,10 +2571,13 @@ limitations under the License.
     </xs:simpleType>
 
     <xs:complexType name="licenseChoiceType">
-        <xs:choice>
-            <xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
-            <xs:element name="expression" type="bom:licenseExpressionType" minOccurs="0" maxOccurs="1" />
-            <xs:element name="expression-detailed" type="bom:licenseExpressionDetailedType" minOccurs="0" maxOccurs="1" />
+        <xs:annotation>
+            <xs:documentation>A list of SPDX licenses and/or named licenses and/or SPDX License Expression.</xs:documentation>
+        </xs:annotation>
+        <xs:choice minOccurs="0" maxOccurs="unbounded">
+            <xs:element name="license" type="bom:licenseType"/>
+            <xs:element name="expression" type="bom:licenseExpressionType"/>
+            <xs:element name="expression-detailed" type="bom:licenseExpressionDetailedType"/>
         </xs:choice>
     </xs:complexType>
 

tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.json

@@ -0,0 +1,79 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
+  "version": 1,
+  "metadata": {
+    "lifecycles": [{"phase": "design"}]
+  },
+  "components": [
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-A",
+      "version": "1",
+      "description": "Multiple licenses: declared ids/names, and a concluded expression",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "id": "PostgreSQL",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "name": "Apache Software License",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "expression": "(MIT OR PostgreSQL OR Apache-2.0)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-B",
+      "version": "1",
+      "description": "Multiple license expressions: one declared, one concluded",
+      "licenses": [
+        {
+          "expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
+          "acknowledgement": "declared"
+        },
+        {
+          "expression": "(GPL-3.0-only AND LGPL-2.0-only)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-C",
+      "version": "1",
+      "description": "Multiple license: one declared expression, one concluded id",
+      "licenses": [
+        {
+          "expression": "GPL-3.0-or-later OR GPL-2.0",
+          "acknowledgement": "declared"
+        },
+        {
+          "license": {
+            "id": "GPL-3.0-only",
+            "acknowledgement": "concluded"
+          }
+        }
+      ]
+    }
+  ]
+}

tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
+     serialNumber="urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
+>
+    <!--
+    All license posture in here is for show-case ony.
+    This is not a real law-case!
+    -->
+    <metadata>
+        <lifecycles><lifecycle><phase>design</phase></lifecycle></lifecycles>
+    </metadata>
+    <components>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-A</name>
+            <version>1</version>
+            <description>Multiple licenses: declared ids/names, and a concluded expression</description>
+            <licenses>
+                <license acknowledgement="declared"><id>MIT</id></license>
+                <license acknowledgement="declared"><id>PostgreSQL</id></license>
+                <license acknowledgement="declared"><name>Apache Software License</name></license>
+                <expression acknowledgement="concluded">(MIT OR PostgreSQL OR Apache-2.0)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-B</name>
+            <version>1</version>
+            <description>Multiple license expressions: one declared, one concluded</description>
+            <licenses>
+                <expression acknowledgement="declared">MIT OR (GPL-3.0 OR GPL-2.0)</expression>
+                <expression acknowledgement="concluded">(GPL-3.0-only AND LGPL-2.0-only)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-C</name>
+            <version>1</version>
+            <description>Multiple license: one declared expression, one concluded id</description>
+            <licenses>
+                <expression acknowledgement="declared">GPL-3.0-or-later OR GPL-2.0</expression>
+                <license acknowledgement="concluded"><id>GPL-3.0-only</id></license>
+            </licenses>
+        </component>
+    </components>
+</bom>

tools/src/test/resources/1.7/valid-license-choice-1.7.json

@@ -0,0 +1,45 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "application",
+      "publisher": "Acme Inc",
+      "group": "com.acme",
+      "name": "tomcat-catalina",
+      "version": "9.0.14",
+      "description": "Modified version of Apache Catalina",
+      "scope": "required",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        },
+        {
+          "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+        },
+        {
+          "license": {
+            "name": "My Own License",
+            "text": {
+              "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
+            }
+          }
+        },
+        {
+          "expression": "LicenseRef-MIT-Style-2",
+          "expressionDetails": [
+            {
+              "licenseIdentifier": "LicenseRef-MIT-Style-2",
+              "url": "https://example.com/license"
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

tools/src/test/resources/1.7/valid-license-choice-1.7.textproto

@@ -0,0 +1,43 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+# All license posture in here is for show-case ony.
+# This is not a real law-case!
+
+spec_version: "1.7"
+serial_number: "urn:uuid:b1ef52c6-7cd8-43d5-9e42-5e69044bbe9e"
+version: 1
+components {
+  type: CLASSIFICATION_APPLICATION
+  publisher: "Acme Inc"
+  group: "com.acme"
+  name: "tomcat-catalina"
+  version: "9.0.14"
+  description: "Modified version of Apache Catalina"
+  scope: SCOPE_REQUIRED
+  licenses {
+    license {
+      id: "Apache-2.0"
+    }
+  }
+  licenses {
+    expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+  }
+  licenses {
+    license {
+      name: "My Own License"
+      text {
+        value: "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
+      }
+    }
+  }
+  licenses {
+    expression_detailed {
+      expression: "LicenseRef-MIT-Style-2"
+      details {
+        license_identifier: "LicenseRef-MIT-Style-2"
+        url: "https://example.com/license"
+      }
+    }
+  }
+}