feat: Add complete License-Text to cyclonedx bom #33

Open
jkowalleck opened this issue Mar 13, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

jkowalleck (Member) commented Mar 13, 2024

caused by #22

similar to


Is your feature request related to a problem? Please describe.

For legal documentation, we need the original text of the licenses of components.

Describe the solution you'd like

An option to enable integration of the license-text in the BOM file, like the old @cyclonedx/bom package had, would be great to have again here.


read https://cyclonedx.org/news/cyclonedx-v1.3-released/#copyright-and-license-evidence

Acceptance criteria

  • the feature to add license texts should be enabled by a CLI switch called --gather-license-evidence (name to be discussed)
  • the feature is disabled by default
  • only if the feature is enabled:
    • for all components, meta-components, root-components and nested components:
      regardless of SPDX license ID, SPDX license expression or named license, the detected license texts should be added, each as an evidence
      Examples:
      {
        //...
        "evidence": { 
          "licenses": [
            {"id":"Apache-2.0", "text": {
              "contentType": "text/plain",
              "encoding": "base64",
              // base64 of content of file `LICENSE`
              "content": "bG9yZW0gaXBzdW0="
            }},
            {"name":"file: NOTICE", "text": {
              "contentType": "text/plain",
              "encoding": "base64",
              // base64 of content of file `NOTICE`
              "content": "bG9yZW0gaXBzdW0="
            }}
          ]
        },
        // ...
      }
    • if a license text is detected with the package, it would be added to Component's @.evidence.licenses
      • @.name would be 'License of : '
      • @.text would hold the text
        • the content type is to be derived from file extension
        • the content SHOULD be base64 encoded
    • license files patterns are:
      • LICEN[CS]E*
      • NOTICE* -- addendum for Apache-2.0 and others
    • if no license text is shipped with a package, no license text is added as evidence.
      Nope, no license template is derived from package's declared SPDX license id.
      Reason: license templates (like BSD clause 3) are designed to be modified (unlike others, like Apache2, which is not a template but a complete text)
@jkowalleck jkowalleck added the enhancement New feature or request label Mar 13, 2024