feat: support multi license mix (#582)

jkowalleck · web-flow · commit e95af171cd81 · 2025-07-24T17:18:51.000+02:00
As discussed in ticket #454, this PR adds the following abilities: - have multiple license expressions - have a mix of license expressions, SPDX license IDs, and named licenses Please read the original ticket and see the provided example data for use-cases. fixes #454
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
@@ -123,7 +123,7 @@ message Component {
   optional Scope scope = 11;
   // The hashes of the component.
   repeated Hash hashes = 12;
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   repeated LicenseChoice licenses = 13;
   // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
   optional string copyright = 14;
@@ -573,7 +573,7 @@ message Metadata {
   // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
   optional OrganizationalEntity supplier = 6;
   // The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   repeated LicenseChoice licenses = 7;
   // Specifies optional, custom, properties
   repeated Property properties = 8;
@@ -710,7 +710,7 @@ message Service {
   optional bool x_trust_boundary = 9;
   // Specifies information about the data including the directional flow of data and the data classification.
   repeated DataFlow data = 10;
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   repeated LicenseChoice licenses = 11;
   // Provides the ability to document external references related to the service.
   repeated ExternalReference external_references = 12;
@@ -832,7 +832,7 @@ message EvidenceCopyright {
 
 // Provides the ability to document evidence collected through various forms of extraction or analysis.
 message Evidence {
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
   repeated LicenseChoice licenses = 1;
   // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
   repeated EvidenceCopyright copyright = 2;
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
@@ -1525,36 +1525,31 @@
     },
     "licenseChoice": {
       "title": "License Choice",
-      "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)",
+      "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.",
       "type": "array",
-      "oneOf": [
-        {
-          "title": "Multiple licenses",
-          "description": "A list of SPDX licenses and/or named licenses.",
-          "type": "array",
-          "items": {
+      "items": {
+        "oneOf": [
+          {
             "type": "object",
             "title": "License",
-            "required": ["license"],
+            "required": [
+              "license"
+            ],
             "additionalProperties": false,
             "properties": {
-              "license": {"$ref": "#/definitions/license"}
+              "license": {
+                "$ref": "#/definitions/license"
+              }
             }
-          }
-        },
-        {
-          "title": "SPDX License Expression",
-          "description": "A tuple of exactly one SPDX License Expression.",
-          "type": "array",
-          "additionalItems": false,
-          "minItems": 1,
-          "maxItems": 1,
-          "items": [{
+          },
+          {
             "title": "License Expression",
             "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.",
             "type": "object",
             "additionalProperties": false,
-            "required": ["expression"],
+            "required": [
+              "expression"
+            ],
             "properties": {
               "expression": {
                 "type": "string",
@@ -1600,7 +1595,9 @@
                       "type": "string",
                       "title": "License URL",
                       "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness",
-                      "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"],
+                      "examples": [
+                        "https://www.apache.org/licenses/LICENSE-2.0.txt"
+                      ],
                       "format": "iri-reference"
                     }
                   },
@@ -1615,17 +1612,21 @@
                 "title": "BOM Reference",
                 "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
               },
-              "licensing": {"$ref": "#/definitions/licensing"},
+              "licensing": {
+                "$ref": "#/definitions/licensing"
+              },
               "properties": {
                 "type": "array",
                 "title": "Properties",
                 "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
-                "items": {"$ref": "#/definitions/property"}
+                "items": {
+                  "$ref": "#/definitions/property"
+                }
               }
             }
-          }]
-        }
-      ]
+          }
+        ]
+      }
     },
     "commit": {
       "type": "object",
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
@@ -2556,10 +2556,13 @@ limitations under the License.
     </xs:simpleType>
 
     <xs:complexType name="licenseChoiceType">
-        <xs:choice>
-            <xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
-            <xs:element name="expression" type="bom:licenseExpressionType" minOccurs="0" maxOccurs="1" />
-            <xs:element name="expression-detailed" type="bom:licenseExpressionDetailedType" minOccurs="0" maxOccurs="1" />
+        <xs:annotation>
+            <xs:documentation>A list of SPDX licenses and/or named licenses and/or SPDX License Expression.</xs:documentation>
+        </xs:annotation>
+        <xs:choice minOccurs="0" maxOccurs="unbounded">
+            <xs:element name="license" type="bom:licenseType"/>
+            <xs:element name="expression" type="bom:licenseExpressionType"/>
+            <xs:element name="expression-detailed" type="bom:licenseExpressionDetailedType"/>
         </xs:choice>
     </xs:complexType>
 
diff --git a/tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.json b/tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.json
@@ -0,0 +1,79 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
+  "version": 1,
+  "metadata": {
+    "lifecycles": [{"phase": "design"}]
+  },
+  "components": [
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-A",
+      "version": "1",
+      "description": "Multiple licenses: declared ids/names, and a concluded expression",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "id": "PostgreSQL",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "name": "Apache Software License",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "expression": "(MIT OR PostgreSQL OR Apache-2.0)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-B",
+      "version": "1",
+      "description": "Multiple license expressions: one declared, one concluded",
+      "licenses": [
+        {
+          "expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
+          "acknowledgement": "declared"
+        },
+        {
+          "expression": "(GPL-3.0-only AND LGPL-2.0-only)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-C",
+      "version": "1",
+      "description": "Multiple license: one declared expression, one concluded id",
+      "licenses": [
+        {
+          "expression": "GPL-3.0-or-later OR GPL-2.0",
+          "acknowledgement": "declared"
+        },
+        {
+          "license": {
+            "id": "GPL-3.0-only",
+            "acknowledgement": "concluded"
+          }
+        }
+      ]
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.xml b/tools/src/test/resources/1.6/invalid-license-declared-concluded-mix-1.6.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
+     serialNumber="urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
+>
+    <!--
+    All license posture in here is for show-case ony.
+    This is not a real law-case!
+    -->
+    <metadata>
+        <lifecycles><lifecycle><phase>design</phase></lifecycle></lifecycles>
+    </metadata>
+    <components>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-A</name>
+            <version>1</version>
+            <description>Multiple licenses: declared ids/names, and a concluded expression</description>
+            <licenses>
+                <license acknowledgement="declared"><id>MIT</id></license>
+                <license acknowledgement="declared"><id>PostgreSQL</id></license>
+                <license acknowledgement="declared"><name>Apache Software License</name></license>
+                <expression acknowledgement="concluded">(MIT OR PostgreSQL OR Apache-2.0)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-B</name>
+            <version>1</version>
+            <description>Multiple license expressions: one declared, one concluded</description>
+            <licenses>
+                <expression acknowledgement="declared">MIT OR (GPL-3.0 OR GPL-2.0)</expression>
+                <expression acknowledgement="concluded">(GPL-3.0-only AND LGPL-2.0-only)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-C</name>
+            <version>1</version>
+            <description>Multiple license: one declared expression, one concluded id</description>
+            <licenses>
+                <expression acknowledgement="declared">GPL-3.0-or-later OR GPL-2.0</expression>
+                <license acknowledgement="concluded"><id>GPL-3.0-only</id></license>
+            </licenses>
+        </component>
+    </components>
+</bom>
diff --git a/tools/src/test/resources/1.7/valid-license-choice-1.7.json b/tools/src/test/resources/1.7/valid-license-choice-1.7.json
@@ -0,0 +1,45 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "application",
+      "publisher": "Acme Inc",
+      "group": "com.acme",
+      "name": "tomcat-catalina",
+      "version": "9.0.14",
+      "description": "Modified version of Apache Catalina",
+      "scope": "required",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        },
+        {
+          "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+        },
+        {
+          "license": {
+            "name": "My Own License",
+            "text": {
+              "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
+            }
+          }
+        },
+        {
+          "expression": "LicenseRef-MIT-Style-2",
+          "expressionDetails": [
+            {
+              "licenseIdentifier": "LicenseRef-MIT-Style-2",
+              "url": "https://example.com/license"
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/tools/src/test/resources/1.7/valid-license-choice-1.7.textproto b/tools/src/test/resources/1.7/valid-license-choice-1.7.textproto
@@ -0,0 +1,43 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+# All license posture in here is for show-case ony.
+# This is not a real law-case!
+
+spec_version: "1.7"
+serial_number: "urn:uuid:b1ef52c6-7cd8-43d5-9e42-5e69044bbe9e"
+version: 1
+components {
+  type: CLASSIFICATION_APPLICATION
+  publisher: "Acme Inc"
+  group: "com.acme"
+  name: "tomcat-catalina"
+  version: "9.0.14"
+  description: "Modified version of Apache Catalina"
+  scope: SCOPE_REQUIRED
+  licenses {
+    license {
+      id: "Apache-2.0"
+    }
+  }
+  licenses {
+    expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+  }
+  licenses {
+    license {
+      name: "My Own License"
+      text {
+        value: "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."
+      }
+    }
+  }
+  licenses {
+    expression_detailed {
+      expression: "LicenseRef-MIT-Style-2"
+      details {
+        license_identifier: "LicenseRef-MIT-Style-2"
+        url: "https://example.com/license"
+      }
+    }
+  }
+}
diff --git a/tools/src/test/resources/1.7/valid-license-choice-1.7.xml b/tools/src/test/resources/1.7/valid-license-choice-1.7.xml
@@ -1,5 +1,8 @@
 <?xml version="1.0"?>
-<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:b1ef52c6-7cd8-43d5-9e42-5e69044bbe9e"
+     version="1"
+>
     <components>
         <component type="application">
             <publisher>Acme Inc</publisher>
@@ -8,17 +11,20 @@
             <version>9.0.14</version>
             <description>Modified version of Apache Catalina</description>
             <scope>required</scope>
-            <hashes>
-                <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
-                <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
-                <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
-                <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
-            </hashes>
             <licenses>
                 <license>
                     <id>Apache-2.0</id>
                 </license>
                 <expression>EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0</expression>
+                <license>
+                    <name>My Own License</name>
+                    <text><![CDATA[Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.]]></text>
+                </license>
+                <expression-detailed expression="LicenseRef-MIT-Style-2">
+                   <details license-identifier="LicenseRef-MIT-Style-2">
+                       <url>https://example.com/license</url>
+                   </details>
+                </expression-detailed>
             </licenses>
             <purl>pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar</purl>
         </component>
diff --git a/tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.json b/tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.json
diff --git a/tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.textproto b/tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.textproto
diff --git a/tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.xml b/tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.xml
