licenses: allow mix of multiple SPDX expressions AND/OR multiple named/spdx licenses #454

Open
jkowalleck opened this issue Apr 29, 2024 · 7 comments · May be fixed by #582

@jkowalleck

jkowalleck commented Apr 29, 2024

current situation (CDX 1.6):

  • it is allowed to have EITHER one spdx license expression OR multiple named/spdx licenses. see spec
  • each license (expression/named/spdx) can have an acknowledgement - none or "declared" or "concluded". see spec

problem

the current situation does not allow the following:

  • situation A: multiple declared licenses ids (like in python license trove-classifiers) and one concluded expression
    • Declared spdx license id "MIT" - as set in the project manifest
    • Declared spdx license id "PostgreSQL" - as set in the project manifest
    • Declared named license "Apache Software License" - as set in the project manifest
    • License evidence from the README file: "chose the license that applies best to you: PostgreSql or MIT or Apache2"
    • Concluded spdx license expression license "(MIT OR PostgreSQL OR Apache-2.0)" - (this is just an example for spec reasons, this is not a real-world law case!)
  • situation B: declared expression and concluded expression
    • Declared spdx expression "MIT OR (GPL-3.0 OR GPL-2.0)"
    • Concluded spdx expression "(GPL-3.0-only AND LGPL-2.0-only)" - after some lawyer checked for actual applied situation - (this is just an example for spec reasons, this is not a real-world law case!)
  • situation C: declared expression and concluded spdx id
    • Declared spdx expression "GPL-3.0-or-later OR GPL-2.0"
    • Concluded spdx id "GPL-3.0-only" - after some lawyer checked for actual applied situation - (this is just an example for spec reasons, this is not a real-world law case!)

request

allow the following:

  • multiple SPDX expressions at the same time
  • allow mix of SPDX expression and other licenses at the same time

possible results

```jsonc
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.x",
  // ...
  "components": [
    {
      // ... component properties ...
      "licenses": [
        // situation A -- (this is just an example for spec reasons, this is not a real-world law case!)
        { "license": { "id": "MIT", "acknowledgement": "declared" } },
        { "license": { "id": "PostgreSQL", "acknowledgement": "declared" } },
        { "license": { "name": "Apache Software License", "acknowledgement": "declared" } },
        { "expression": "(MIT OR PostgreSQL OR Apache-2.0)", "acknowledgement": "concluded" }
      ]
    },
    {
      // ... component properties ...
      "licenses": [
        // situation B -- (this is just an example for spec reasons, this is not a real-world law case!)
        { "expression": "MIT OR (GPL-3.0 OR GPL-2.0)", "acknowledgement": "declared" },
        { "expression": "(GPL-2.0-only AND LGPL-2.0-only)", "acknowledgement": "concluded" }
      ]
    },
    {
      // ... component properties ...
      "licenses": [
        // situation C -- (this is just an example for spec reasons, this is not a real-world law case!)
        { "expression": "GPL-3.0+ OR GPL-2.0", "acknowledgement": "declared" },
        { "license": { "id": "GPL-3.0-only", "acknowledgement": "concluded" } }
      ]
    },
    {
      // ... component properties ...
      "licenses": [
        // example with concluded LicenseRef -- (this is just an example for spec reasons, this is not a real-world law case!)
        { "license": { "id": "MIT", "acknowledgement": "declared" } },
        { "license": { "name": "Amazon Software License", "acknowledgement": "declared" } },
        { "expression": "MIT AND LicenseRef-.amazon.com.-AmznSL-1.0", "acknowledgement": "concluded" }
      ]
    }
  ]
}
```
@jkowalleck

related: CycloneDX/cyclonedx-python#826

@villaflaminio

villaflaminio commented Nov 8, 2024

I agree with the problem, especially case C.
I would like to be able to have a lawyer or some automatic mechanism review the product sbom so that I can identify which licence to "refer" to for each individual component based on my use case.
It is more than reasonable to have two licenses defined for a product, e.g. if the component is used in open source projects then the license is type A, otherwise if it is used for commercial purposes then the license is type B.
This is just an example.
And, of course, in the report I would like to avoid replacing the license expression declared by whoever produced the component in question.
One solution might be to allow having one license expression and only one license by specifying "acknowledgement: concluded", but I don't know whether this would create problems elsewhere.

@jkowalleck

I will be working on a solution for this, planned for CycloneDX 1.7.
All comments, discussions, and any help are welcome.

@Joerki

Joerki commented Dec 19, 2024

The example should also mention "LicenseRef-" items to clearly state that such simple expressions are also SPDX expressions by definition of SPDX, not only compound expressions.

Situation B:
After discussing the topic "concluded" license with our OSCO (Open Source Compliance Officer) my understanding is that a concluded license must not contain a compound statement with "OR". A decision must be taken.
The example would be the same as "MIT OR GPL-3.0-only OR GPL-2.0-only"
Based on current existing licenses it is compatible with "MIT OR GPL-2.0-or-later" or "MIT OR GPL-2.0+"

Concluded license possibilities:

  • MIT (MIT)
  • GPL-2.0 (GPL-2.0-only)
  • GPL-3.0 (GPL-3.0-only)

Situation C:
"GPL-2.0+" cannot be used as concluded license based on the legal information I have (see also link below). It has an implicit "OR". As a consumer I have the choice to select between GPL-2.0 or a higher version (GPL-3.0) and I have to make a choice in my context. The GPL licenses are not fully compatible, so it is a legal requirement to select what applies for me as concluded license.

Clear statement here (Standard License Header):
https://spdx.org/licenses/GPL-2.0-or-later.html

Another significant reference:
BSI-TR-03183-2 Version 2.0.0 (10.10.2024)
Federal Office for Information Security (BSI)
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2-2_0_0.html
Chapter 6.1 (License identifiers and expressions)
They refer to SPDX annexes about usage, they also recommend to use the Scancode LicenseDB Aboutcode!
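As an added illustration (not code from the CycloneDX project or from anyone in this thread), the following Python walks a `licenses` array in the shape the issue proposes, shows why today's CDX 1.6 "one expression OR many licenses" rule rejects it, splits entries by acknowledgement, and flags concluded entries that still leave a choice open (OR, -or-later, "+"), which is the review point raised in the comment above. The sample array and the helper names are constructed for this example.

```python
import re

# Constructed sample in the proposed shape: declared ids/names/expressions
# side by side with concluded ones (mirrors situations A and C from the issue).
SAMPLE_LICENSES = [
    {"license": {"id": "MIT", "acknowledgement": "declared"}},
    {"license": {"name": "Apache Software License", "acknowledgement": "declared"}},
    {"expression": "GPL-3.0-or-later OR GPL-2.0-only", "acknowledgement": "declared"},
    {"expression": "(MIT OR PostgreSQL OR Apache-2.0)", "acknowledgement": "concluded"},
    {"license": {"id": "GPL-3.0-only", "acknowledgement": "concluded"}},
]

# Tokens that leave a choice to the consumer: an explicit OR, the
# "-or-later" suffix, or the legacy "+" suffix on an identifier.
_CHOICE = re.compile(r"\bOR\b|-or-later\b|\+(?=\s|\)|$)")


def allowed_by_cdx_1_6(licenses):
    """CDX 1.6 rule as summarised in the issue: either exactly one expression
    entry, or only license entries (any number), never a mix."""
    n_expr = sum("expression" in e for e in licenses)
    n_lic = sum("license" in e for e in licenses)
    return (n_expr == 1 and n_lic == 0) or n_expr == 0


def split_by_acknowledgement(licenses):
    """Bucket entries by acknowledgement. Each value is the SPDX id or
    expression text, or 'name:<name>' for a named (non-SPDX) license."""
    buckets = {"declared": [], "concluded": [], "unspecified": []}
    for entry in licenses:
        if "expression" in entry:
            text, ack = entry["expression"], entry.get("acknowledgement")
        else:
            lic = entry["license"]
            text = lic["id"] if "id" in lic else "name:" + lic["name"]
            ack = lic.get("acknowledgement")
        buckets[ack or "unspecified"].append(text)
    return buckets


def unresolved_choices(licenses):
    """Concluded entries that still contain OR / -or-later / '+', i.e. the
    conclusion has not picked a single license; worth a compliance review."""
    concluded = split_by_acknowledgement(licenses)["concluded"]
    return [t for t in concluded if _CHOICE.search(t)]
```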

@jkowalleck

re: #454 (comment)

Thanks for pointing that out.
I tried to incorporate your remarks in the description, and also added a section "expected results" to showcase the results.
Could you check whether all your use cases are represented, @Joerki ?

Anyway, the examples exist for showcasing needed options(requirements). As stated

(this is just an example for spec reasons, this is not a real-world law case!)

@jkowalleck

"GPL-2.0+" cannot be used as concluded license based on the legal information I have (see also link below). It has an implicit "OR". As a consumer I have the choice to select between GPL-2.0 or a higher version (GPL-3.0) and I have to make a choice in my context. The GPL licenses are not fully compatible, so it is a legal requirement to select what applies for me as concluded license.

this might be true for OBOM and alike, but not for SBOM.
let's say I am pulling a library from the internet, and I have a lawyer analyzing the license posture, and they conclude "I've analyzed the license's README and other evidences, and I conclude the license to be free to choose from A or B ... -- which one is applied can be decided only after the lib was integrated into a system."

@jkowalleck jkowalleck changed the title licenses: allow mix of multiple SPDX expressions AND multiple named/spdx licenses licenses: allow mix of multiple SPDX expressions AND/OR multiple named/spdx licenses Jan 20, 2025
@jkowalleck jkowalleck linked a pull request Jan 20, 2025 that will close this issue
@jkowalleck

jkowalleck commented Jan 20, 2025

please review the proposed implementation changes to enable the features outlined in this very ticket:
#582
