
Re: Model suggestions for the IP / licensing section


Agree that expressions are likely the simplest path forward. However, in our conversations yesterday, we also expressed a need to have a license name when dealing with an unknown license, as well as the license text. Both of these fields are commonly used in CycloneDX today and are extremely useful to a lot of folks.

I hope we are not suggesting that we’re __solely__ going to use expressions, because license name and text are also valuable.

The way that CycloneDX approaches this is that it supports zero or more SPDX license IDs (strictly validated), license names, and license text (clear text or Base64 encoded), and it supports SPDX license expressions (not validated).

Are SPDX license expressions something that can be validated with XML schema and/or JSON schema?

On Dec 12, 2019, 1:32 PM -0600, Gary O'Neall wrote:

Hi Philippe,

Following up on the model discussion yesterday, I can provide you some UML in XMI format. Let me know if you would prefer an email, attachment to a github issue or pull request. If you could also point me to the repo that contains your XMI files, I'll start with those.

Also, FYI, the XMI for SPDX 2.2 is at https://github.com/spdx/spdx-spec/blob/development/v2.2/model/spdx-model.xmi

Since yesterday, I have been thinking about simplifying the SBOM model. For the licensing, we could include license expressions rather than the full model of licenses.

The full license model is rather complex. It does, however, allow for much stronger validation and the ability to query the graph of license information to answer important questions for some of the use cases. Most users, however, will only want to express the license for a given material/artifact and the complex license will likely just get in the way.

The license _expression_ is reasonably well defined in BNF in the SPDX spec Appendix IV. For many of the serialization formats (e.g. XML, JSON, YAML) we are storing the license information as expressions in SPDX. Only RDF/XML uses the full graph.

My recommendation is to use the simpler license expressions.

Philippe and the rest of the SBOM community, please let me know if you disagree.

Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586

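An added example, not CycloneDX or SPDX project code, illustrating the two points raised in the thread: the Appendix IV BNF is small enough to enforce in a few dozen lines, and the checks it needs (balanced parentheses, operator precedence, membership in the license list) go beyond what a schema `pattern` regex can express. The Python below is a recursive-descent validator for SPDX 2.x license expressions. `KNOWN_LICENSES` and `KNOWN_EXCEPTIONS` are a hand-picked sample rather than the full SPDX license list, the `AND`/`OR`/`WITH` operators are assumed to be uppercase as written in the grammar, and the sample expressions in `main` are constructed.

```python
"""Validator for SPDX license expressions following the BNF in SPDX 2.x
Appendix IV: simple-expression, optional "+", WITH, AND, OR, parentheses.
Precedence, tightest first: "+", WITH, AND, OR.

Added example; not CycloneDX or SPDX project code. KNOWN_LICENSES and
KNOWN_EXCEPTIONS are a constructed sample, not the full SPDX license list.
"""
import re

# Constructed sample of the SPDX license list; a real validator would load
# the full list (e.g. the published license-list-data JSON).
KNOWN_LICENSES = {"MIT", "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later",
                  "LGPL-2.1-only", "BSD-3-Clause"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}

# idstring = 1*(ALPHA / DIGIT / "-" / "."); ":" joins DocumentRef- to LicenseRef-.
# "+" is its own token so "GPL-2.0-only+" splits into the id and the suffix.
TOKEN_RE = re.compile(r"\s*(?:(\()|(\))|(\+)|([A-Za-z0-9.\-:]+))")
LICENSE_REF_RE = re.compile(r"^(DocumentRef-[A-Za-z0-9.\-]+:)?LicenseRef-[A-Za-z0-9.\-]+$")
OPERATORS = {"AND", "OR", "WITH"}  # assumed uppercase, as in the spec grammar


def tokenize(expr):
    """Split an expression into '(' ')' '+' and identifier/operator tokens."""
    expr = expr.strip()
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            raise ValueError(f"unexpected character at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(m.lastindex))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent over the token list, one method per precedence level."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):  # lowest precedence
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = ("OR", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_with()
        while self.peek() == "AND":
            self.take()
            left = ("AND", left, self.parse_with())
        return left

    def parse_with(self):
        left = self.parse_primary()
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if exc not in KNOWN_EXCEPTIONS:
                raise ValueError(f"unknown license exception {exc!r}")
            if left[0] != "LICENSE":  # grammar: simple-expression "WITH" exception-id
                raise ValueError("WITH must follow a simple license expression")
            return ("WITH", left, exc)
        return left

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return ("GROUP", node)
        if tok is None or tok in OPERATORS or tok in (")", "+"):
            raise ValueError(f"expected a license identifier, got {tok!r}")
        if LICENSE_REF_RE.match(tok):   # LicenseRef-* is never followed by "+"
            return ("LICENSE", tok, False)
        if tok not in KNOWN_LICENSES:
            raise ValueError(f"unknown license identifier {tok!r}")
        or_later = self.peek() == "+"   # license-id "+"
        if or_later:
            self.take()
        return ("LICENSE", tok, or_later)


def licenses_in(node):
    """Collect every license id referenced in a parsed expression."""
    kind = node[0]
    if kind == "LICENSE":
        return {node[1]}
    if kind in ("WITH", "GROUP"):
        return licenses_in(node[1])
    return licenses_in(node[1]) | licenses_in(node[2])


def validate(expr):
    """Return (True, sorted license ids) or (False, reason)."""
    try:
        tree = Parser(tokenize(expr)).parse()
    except ValueError as err:
        return False, str(err)
    return True, sorted(licenses_in(tree))


if __name__ == "__main__":
    for sample in ("GPL-2.0-only WITH Classpath-exception-2.0 OR (MIT AND Apache-2.0)",
                   "LicenseRef-acme-internal AND MIT", "(MIT) WITH LLVM-exception",
                   "MIT AND (Apache-2.0", "Foo-1.0"):
        print(f"{sample!r}: {validate(sample)}")
```

The grammar needs recursion for nested parentheses and needs the current license list to decide whether an identifier is valid, and neither is available to the regular-expression `pattern` facets of XML Schema or JSON Schema; a schema can still constrain the token alphabet, while structural and list-membership checks belong in a tool such as this one.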