SPDX license instead of expression

[Jonas-vdb]

The SBOM of our Python project generated with cyclonedx-python also includes licenses (using environment as source). The license however is added as a SPDX expression which is not supported by Dependency Track (See DependencyTrack/dependency-track#170)

Is there a workaround or option to output the license as SPDX license (https://cyclonedx.org/docs/1.4/xml/#type_licenseType) rather than as a SPDX expression?

<xs:complexType name="licenseChoiceType">
   <xs:choice>
      <xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="expression" type="xs:normalizedString" minOccurs="0" maxOccurs="1"/>
   </xs:choice>
</xs:complexType>

If this is not available, does that mean nobody is using the license policy management in Dependency Track for Python projects?

Looking forward to a reply.

[jkowalleck]

does the following describe the change you would appreciate?

instead of

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
    <components>
        <component type="library">
            <group>org.acme</group>
            <name>card-verifier</name>
            <version>1.0.2</version>
            <licenses>
                <expression>(Apache-2.0 OR MIT)</expression>
            </licenses>
        </component>
    </components>
</bom>

the output should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
    <components>
        <component type="library">
            <group>org.acme</group>
            <name>card-verifier</name>
            <version>1.0.2</version>
            <licenses>
                <license>
                    <id>Apache-2.0</id>
                </license>
                <license>
                    <id>MIT</id>
                </license>
            </licenses>
        </component>
    </components>
</bom>

[Jonas-vdb]

Yes, indeed.

This would make it possible to see the licenses and to allow using the policy management in DT.
One drawback: because DT does not support multiple licenses, it will only take into account the last license in the list of licenses. (just tried it out)

In my opinion this is better than not having support at all. For the dependencies with multiple licenses (minority) we can always mention it in the policy violations audit trail.

[jkowalleck]

sounds like a reasonable feature request.
will convert this discussion to an issue, then.

are you planning to implement this, or should i mark this as "need help"?

[Jonas-vdb]

I can take a look.

[madpah]

A consideration is that the license string we are able to get, may not be an SPDX compliant license identifier, which can cause the resultant CycloneDX to be invalid.

FYI: @jkowalleck @Jonas-vdb

[jkowalleck]

discussed the topic with @madpah , and we think we will prefer ad different solution:
we will take the opportunity and create a factory in thecyclonedx-python-lib via CycloneDX/cyclonedx-python-lib#304
that accepts any string and will create the fitting license model from it - an expression, a named, or an SPDX one.