cyclonedx-core-java
License Mapping for BSD-3-Clause and BSD-4-Clause
With this addition to license mappings in PR #195 (https://github.com/CycloneDX/cyclonedx-core-java/blob/b664a13f3e7c41a7e086ec508d804c2bd4207140/src/main/resources/license-mapping.json#L67), the consequence is that the component antlr4 now maps to BSD-4-Clause, when the intention of the antlr project is that the license should be BSD-3-Clause.
See LICENSE.txt
From antlr4 POM:
```xml
<licenses>
  <license>
    <name>The BSD License</name>
    <url>http://www.antlr.org/license.html</url>
    <distribution>repo</distribution>
  </license>
</licenses>
```
So, is this a problem with cyclonedx-core-java license mapping, or is it a problem with antlr4 POM?
The consequence of thinking that a BSD-3-Clause is actually BSD-4-Clause is that the latter:
- Adds an "advertising clause" that requires an acknowledgment of the original source in all advertising material.
- Was rescinded in 1999
- Is not OSI-approved.
According to Wikipedia, "BSD License" is the 4-clause license. Thus CycloneDX-Core-Java is properly identifying the license from the antlr4 pom.
https://en.wikipedia.org/wiki/BSD_licenses
If the antlr4 project is licensed under BSD-3-Clause, then perhaps the project should explicitly state that using the BSD-3-Clause SPDX identifier.
@stevespringett, the POM for antlr4 says "The BSD License" and not "BSD License". The Wikipedia page says:
> While the original license is sometimes referred to as the "BSD-old", the resulting 3-clause version is sometimes referred to by "BSD-new." Other names include "New BSD", "revised BSD", "BSD-3", or "3-clause BSD". This version has been vetted as an Open source license by the OSI as "The BSD License"

i.e., a reading of this is that "The BSD License" is 3-clause and not 4-clause.
So, is the license mapping in cyclonedx-core-java really correct on this point?
Having said that, I will most definitely try to get the antlr4 project to use the BSD-3-Clause SPDX identifier.
The antlr4 project is proven to be BSD-3-Clause, see LICENSE.txt.
Yes, @tmehnert, that's because the license that you link to is the one that is based on the PR that I submitted 😄
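
One way to catch the mismatch discussed in this thread is to cross-check the name-based mapping against the license text, using the advertising clause that separates BSD-4-Clause from BSD-3-Clause. This is an added example, not code from cyclonedx-core-java or from any participant; the class and method names, the one-entry mapping table and the abbreviated license text are constructed for illustration.

```java
import java.util.Locale;
import java.util.Map;

/** Added example: compare a POM license name mapping with what the license text says. */
public class BsdLicenseCheck {

    // Constructed stand-in for a name-to-SPDX table, holding only the case from the thread.
    static final Map<String, String> NAME_TO_SPDX = Map.of("The BSD License", "BSD-4-Clause");

    /** Classify BSD-family license text by the clauses it contains. */
    static String classifyBsdText(String text) {
        String t = text.toLowerCase(Locale.ROOT).replaceAll("\\s+", " ");
        boolean binaryClause = t.contains("redistributions in binary form must reproduce");
        boolean advertising =
            t.contains("all advertising materials mentioning features or use of this software");
        boolean noEndorsement =
            t.contains("may be used to endorse or promote products derived from this software");
        if (!binaryClause) return "UNKNOWN";           // not recognisably a BSD text
        if (advertising) return "BSD-4-Clause";        // advertising clause present
        return noEndorsement ? "BSD-3-Clause" : "BSD-2-Clause";
    }

    /** Returns the SPDX id to record, or a conflict marker when name and text disagree. */
    static String resolve(String pomLicenseName, String licenseText) {
        String byName = NAME_TO_SPDX.get(pomLicenseName);
        String byText = classifyBsdText(licenseText);
        if (byName == null) return byText;
        if (byText.equals("UNKNOWN") || byText.equals(byName)) return byName;
        return "CONFLICT: name maps to " + byName + ", text matches " + byText;
    }

    public static void main(String[] args) {
        // Constructed sample: abbreviated BSD 3-clause conditions (text blocks need Java 15+).
        String licenseText = """
            Redistribution and use in source and binary forms, with or without
            modification, are permitted provided that the following conditions are met:
            1. Redistributions of source code must retain the above copyright notice.
            2. Redistributions in binary form must reproduce the above copyright notice.
            3. Neither the name of the copyright holder nor the names of its contributors
               may be used to endorse or promote products derived from this software
               without specific prior written permission.
            """;
        System.out.println(resolve("The BSD License", licenseText));
    }
}
```

A conflict result is a prompt for manual review of the component's license entry in the SBOM rather than an automatic override of either source.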