I agree that persisting the expression instead of an object graph for licenses makes a lot of sense.
Following up on the model discussion yesterday, I can provide you some UML in XMI format. Let me know if you would prefer an email, attachment to a github issue or pull request. If you could also point me to the repo that contains your XMI files, I’ll start with those.
Also, FYI, the XMI for SPDX 2.2 is at https://github.com/spdx/spdx-spec/blob/development/v2.2/model/spdx-model.xmi
Since yesterday, I have been thinking about simplifying the SBOM model. For the licensing, we could include license expressions rather than the full model of licenses.
The full license model is rather complex. It does, however, allow for much stronger validation and the ability to query the graph of license information to answer important questions for some of the use cases. Most users, however, will only want to express the license for a given material/artifact and the complex license will likely just get in the way.
The license expression is reasonably well defined in BNF in the SPDX spec Appendix IV. For many of the serialization formats (e.g. XML, JSON, YAML) we are storing the license information as expressions in SPDX. Only RDF/XML uses the full graph.
My recommendation is to use the simpler license expressions.
Philippe and the rest of the SBOM community, please let me know if you disagree.
Source Auditor Inc.
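As an added illustration of the trade-off discussed in this thread (not code from either author or from the SPDX project): a stored license expression can be expanded into a small tree on demand, which recovers graph-style queries and structural validation without persisting the full license model. The tuple layout and the names `parse` and `license_ids` are assumptions made for this sketch, operators are matched case-sensitively, and identifiers are not checked against the SPDX license list.

```python
import re

# Tokens: parentheses, or an id such as "MIT", "GPL-2.0+" or
# "DocumentRef-x:LicenseRef-y". Precedence is WITH > AND > OR.
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.\-:]+\+?")
RESERVED = {"(", ")", "AND", "OR", "WITH"}

def tokenize(expr):
    if TOKEN.sub("", expr).strip():      # anything left over is not in the grammar
        raise ValueError("illegal characters in license expression")
    return TOKEN.findall(expr)

def parse(expr):
    toks = tokenize(expr)[::-1]          # reversed: pop() yields the next token
    peek = lambda: toks[-1] if toks else None
    def ident():
        if peek() is None or peek() in RESERVED:
            raise ValueError(f"expected identifier, got {peek()!r}")
        return toks.pop()
    def atom():
        if peek() == "(":
            toks.pop()
            node = binary("OR")
            if peek() != ")":
                raise ValueError("missing ')'")
            toks.pop()
            return node
        tok = ident()
        node = ("LICENSE", tok.rstrip("+"), tok.endswith("+"))  # (kind, id, or_later)
        if peek() == "WITH":
            toks.pop()
            node = ("WITH", node, ("EXCEPTION", ident()))
        return node
    def binary(op):                      # OR binds loosest, then AND, then atom
        operand = (lambda: binary("AND")) if op == "OR" else atom
        node = operand()
        while peek() == op:
            toks.pop()
            node = (op, node, operand())
        return node
    tree = binary("OR")
    if toks:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree

def license_ids(tree):                   # query: every license id in the expression
    if tree[0] in ("LICENSE", "EXCEPTION"):
        return {tree[1]} if tree[0] == "LICENSE" else set()
    return license_ids(tree[1]) | license_ids(tree[2])
```
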