cdxgen
"License information" (FETCH_LICENSE vs. includeLicenseText)
Hello all,

I switched from cyclonedx-gradle-plugin to cdxgen, as cdxgen is less "invasive": it does not require adding a dependency to the target project. I use it to retrieve the licenses for my projects' dependencies. But I think I noticed a major drawback:

- cyclonedx-gradle-plugin has a configuration option `includeLicenseText`, which includes, well, the license's text
- cdxgen has an environment variable `FETCH_LICENSE` "to fetch license information from the registry. npm and golang only"

First of all: this "npm and golang only" kind of conflicts with the description of the env var `GITHUB_TOKEN`, which reads "Specify GitHub token to prevent traffic shaping while querying license and repo information" – so is GitHub always queried for licenses? Or does `FETCH_LICENSE` cover GitHub as well? Or ...?

But more important: cdxgen does not retrieve the license text, only an ID and a URL. Is this correct? Is it on purpose? If so, I think it is important information for the README. Are there plans to add support for licenses' text?

More details of what I expected, and a more general explanation of why I expected it:

https://cyclonedx.org/use-cases/#license-compliance shows an example JSON which does not only contain `id` and `url`, but also `text`, which consists of `contentType`, `encoding` and `content`. It does not state any limitation of the actual CycloneDX lib to use to get such information.

PS: At https://cyclonedx.org/use-cases/#license-compliance I read about SPDX, so maybe it resolves the licenses' texts? You state in your README:

> Conversion to SPDX format
> Use the CycloneDX CLI tool for advanced use cases such as conversion, diff and merging.

Does that cover my use case as well? I do not see anything like "resolve licenses" in the README of `cyclonedx-cli...
@crusy, as per the spec only the id or name is mandatory: https://cyclonedx.org/docs/1.4/json/#tab-pane_components_items_licenses_items_license_oneOf_i0

I will try to add `includeLicenseText` as a feature.
I see, thank you for the clarification.

In the meantime I found some external libs based on SPDX. They have their own repo, e.g. :smile: Including text and JSON formats. There are npm packages as well (`spdx-license-list` holds all the texts), maybe I'll try one of them.
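An added example, not code from cdxgen, cyclonedx-gradle-plugin or any commenter in this thread: a Node.js post-processing step that takes a cdxgen-style CycloneDX 1.4 JSON BOM whose licenses carry only `id` and `url`, and fills in the `text` attachment (`contentType`, `encoding`, `content`) in the shape shown at https://cyclonedx.org/use-cases/#license-compliance. The `LICENSE_TEXTS` table is a constructed two-entry stand-in for a full SPDX text source such as the `spdx-license-list` npm package mentioned above; the sample BOM, the component names and the `addLicenseTexts`/`makeAttachment`/`attachmentText` helpers are assumptions of this example. License choices given as an `expression` are left untouched, since an expression has no single text, and ids with no text available are reported rather than silently skipped.

```javascript
// Added example (not cdxgen's code): attach license text to a CycloneDX 1.4 BOM
// whose license entries only carry an SPDX id (and optionally a url).
// Constructed stand-in for a full SPDX text source (e.g. `spdx-license-list`):
// keyed by SPDX id, value is the plain license text.
const LICENSE_TEXTS = {
  "MIT": "MIT License\n\nPermission is hereby granted, free of charge, to any person ...",
  "Apache-2.0": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/ ...",
};

// Build a CycloneDX `attachment` object: text/plain, base64-encoded, as in the
// license-compliance example on cyclonedx.org.
function makeAttachment(text) {
  return {
    contentType: "text/plain",
    encoding: "base64",
    content: Buffer.from(text, "utf8").toString("base64"),
  };
}

// Decode an attachment back to its original text (handy when auditing a BOM).
function attachmentText(att) {
  if (att.encoding !== "base64") return att.content;
  return Buffer.from(att.content, "base64").toString("utf8");
}

// Mutates `bom` in place. Returns { enriched, missing }:
//   enriched - number of license objects that received a `text` attachment
//   missing  - sorted SPDX ids/names for which no text was available
// `{ expression: "..." }` choices and entries that already have `text` are skipped.
function addLicenseTexts(bom, texts = LICENSE_TEXTS) {
  let enriched = 0;
  const missing = new Set();
  for (const comp of bom.components ?? []) {
    for (const choice of comp.licenses ?? []) {
      const lic = choice.license;
      if (!lic || lic.text) continue;
      const key = lic.id ?? lic.name;   // spec: exactly one of id / name is present
      if (key === undefined) continue;
      if (texts[key] !== undefined) {
        lic.text = makeAttachment(texts[key]);
        enriched++;
      } else {
        missing.add(key);
      }
    }
  }
  return { enriched, missing: [...missing].sort() };
}

// Constructed sample BOM shaped like cdxgen output before enrichment:
// id + url only, one license expression, and one id with no text on hand.
const SAMPLE_BOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  components: [
    { type: "library", name: "left-pad", version: "1.3.0",
      licenses: [{ license: { id: "MIT", url: "https://opensource.org/licenses/MIT" } }] },
    { type: "library", name: "commons-lang3", version: "3.12.0",
      licenses: [{ license: { id: "Apache-2.0", url: "https://www.apache.org/licenses/LICENSE-2.0" } }] },
    { type: "library", name: "dual-licensed", version: "0.1.0",
      licenses: [{ expression: "MIT OR Apache-2.0" }] },
    { type: "library", name: "odd-one", version: "2.0.0",
      licenses: [{ license: { id: "EUPL-1.2" } }] },
  ],
};

// Demo on a deep copy so SAMPLE_BOM itself stays unmodified.
const demoBom = JSON.parse(JSON.stringify(SAMPLE_BOM));
const demoResult = addLicenseTexts(demoBom);
console.log(JSON.stringify(demoBom, null, 2));
console.error(`enriched ${demoResult.enriched} license(s); no text for: ${demoResult.missing.join(", ") || "-"}`);
```

Run it with `node enrich-licenses.js > bom-with-text.json`; the enriched BOM goes to stdout and the summary of ids without text to stderr. To cover the whole SPDX list, replace `LICENSE_TEXTS` with a map built from `require("spdx-license-list/full")`, whose entries carry a `licenseText` field.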
@prabhu any news on the implementation of a flag that includes the license text soon? Does anyone know of an easy way to retrieve said information?
@mcsma no plans. Pull Request or sponsorship to pay developers are always welcome.