The model I plan on proposing allows for references to licenses defined within the SBOM document itself.
For example, let's say you find the complete text of a license that doesn't match one of the standard SPDX license IDs.
You would include in the SBOM an object which contains an ID (e.g. LicenseRef-1) and the complete text of the license as properties. There are also optional fields for license name, URL, etc.
One detail that may be controversial (so I’ll point it out here) is whether the text for these “local licenses” is required or not. In SPDX we require the text. From a tools implementation point of view, this may be difficult or impossible depending on the situation. Sometimes you only have a name or a URL.
On Dec 12, 2019, 1:32 PM -0600, Gary O'Neall <Email:
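The checks a tool would run against such a model, as an added example that is not part of the original message or of any SBOM project's code: every `LicenseRef-` used by a component must resolve to a locally defined license object, local IDs must be unique, and a local license without text is either an error (the SPDX rule) or a warning (the relaxed variant), switchable by a flag. The document layout (a `licenses` array of objects with `id`, `text`, `name`, `url`; a `license` string per component) and the short SPDX allowlist are assumptions of this example; the sample SBOM is constructed.

```python
import json

# Small stand-in for the full SPDX license list (constructed; the real list
# has hundreds of entries, and a real tool would load it rather than inline it).
KNOWN_SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only"}


def is_license_ref(license_id):
    """Locally defined licenses use the SPDX LicenseRef-<idstring> form."""
    return isinstance(license_id, str) and license_id.startswith("LicenseRef-")


def index_local_licenses(sbom):
    """Map each local license ID to its object; bad or duplicate IDs are errors."""
    index, errors = {}, []
    for lic in sbom.get("licenses", []):            # assumed key name
        lid = lic.get("id")                          # assumed key name
        if not is_license_ref(lid):
            errors.append(f"local license has missing or non-LicenseRef id: {lid!r}")
            continue
        if lid in index:
            errors.append(f"duplicate local license id: {lid}")
            continue
        index[lid] = lic
    return index, errors


def validate_licenses(sbom, require_text=True):
    """Return (errors, warnings) for the license data in an SBOM-like dict.

    require_text=True  mirrors the SPDX rule that local licenses carry text.
    require_text=False demotes missing text to a warning, for the case where a
    tool only has a name or URL to record.
    """
    index, errors = index_local_licenses(sbom)
    warnings = []

    # Check the local license definitions themselves.
    for lid, lic in index.items():
        if not lic.get("text"):                      # assumed key name
            present = sorted(k for k in lic if k != "id")
            msg = f"{lid} has no license text (only: {present})"
            (errors if require_text else warnings).append(msg)

    # Check that every component's license is either a known SPDX ID or a
    # LicenseRef that resolves to a local definition.
    for comp in sbom.get("components", []):          # assumed key names
        name, ref = comp.get("name"), comp.get("license")
        if ref is None:
            warnings.append(f"{name}: no license declared")
        elif is_license_ref(ref):
            if ref not in index:
                errors.append(f"{name}: unresolved reference {ref}")
        elif ref not in KNOWN_SPDX_IDS:
            errors.append(f"{name}: unknown license id {ref!r}")
    return errors, warnings


# Constructed sample: one standard ID, one complete local license, one local
# license that only has a name and URL, and one dangling reference.
SAMPLE_SBOM = json.loads("""
{
  "components": [
    {"name": "libfoo",      "license": "MIT"},
    {"name": "vendor-sdk",  "license": "LicenseRef-1"},
    {"name": "legacy-util", "license": "LicenseRef-2"},
    {"name": "orphan",      "license": "LicenseRef-99"}
  ],
  "licenses": [
    {"id": "LicenseRef-1", "name": "Vendor SDK EULA",
     "text": "Permission is granted to use the SDK solely with Vendor hardware..."},
    {"id": "LicenseRef-2", "name": "Legacy Util License",
     "url": "https://example.invalid/legacy-license"}
  ]
}
""")

if __name__ == "__main__":
    for strict in (True, False):
        errs, warns = validate_licenses(SAMPLE_SBOM, require_text=strict)
        print(f"require_text={strict}: {len(errs)} error(s), {len(warns)} warning(s)")
        for e in errs:
            print("  ERROR:", e)
        for w in warns:
            print("  WARN: ", w)
```

Under the strict setting the sample yields two errors (LicenseRef-2 lacks text; `orphan` points at an undefined LicenseRef-99); under the relaxed setting the missing text becomes a warning and only the dangling reference remains an error. Either way a consumer can tell a license it cannot read apart from one that was never defined, which is the distinction the required-text question turns on.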