
feat: Alias `Bouncy Castle Licence` to `MIT`

Open jakub-bochenski opened this issue 5 months ago • 5 comments

Per SPDX the license is equivalent to MIT: https://github.com/spdx/license-list-XML/issues/910#issuecomment-518336341

Fixes #643

jakub-bochenski avatar Jul 25 '25 14:07 jakub-bochenski

I am not 100% confident we can simply resolve Bouncy Castle License to MIT. Even if they are effectively the same, I believe this replacement would qualify as data loss.

@stevespringett @msymons @mr-zepol Any thoughts?

nscuro avatar Jul 29 '25 17:07 nscuro

The way I understand it there is no data loss.

Assigning SPDX ID means that the license text matches the license template associated with said SPDX ID.

The above is true for the Bouncy Castle License.

jakub-bochenski avatar Jul 30 '25 12:07 jakub-bochenski

I trust @swinslow's opinion and agree that Bouncy Castle ~= MIT.

However, the project did not declare the license to be MIT. They declared it to be the Bouncy Castle Licence. IMO, the aliasing in this library needs to be expanded to support the difference between declared and concluded licenses.

IMO, what should happen in this scenario is this:

  • Declared license is Bouncy Castle Licence.
  • Concluded license is MIT.

This would result in something like this:

{
  "type": "library",
  "group": "org.bouncycastle",
  "name": "bcprov-jdk18on",
  "version": "1.8.1",
  "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.8.1",
  "licenses": [
    {
      "license": {
        "name": "Bouncy Castle Licence",
        "acknowledgement": "declared"
      }
    },
    {
      "license": {
        "id": "MIT",
        "acknowledgement": "concluded"
      }
    }
  ]
}

stevespringett avatar Jul 30 '25 20:07 stevespringett

Given that Dependency-Track only supports 1 license ATM, and uses order to prioritize them, it would be better if the concluded license was first.

{
  "type": "library",
  "group": "org.bouncycastle",
  "name": "bcprov-jdk18on",
  "version": "1.8.1",
  "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.8.1",
  "licenses": [
    {
      "license": {
        "id": "MIT",
        "acknowledgement": "concluded"
      }
    },
    {
      "license": {
        "name": "Bouncy Castle Licence",
        "acknowledgement": "declared"
      }
    }
  ]
}

jakub-bochenski avatar Jul 31 '25 13:07 jakub-bochenski

I see there is already a similar case - variants of Eclipse Distribution License are resolved to BSD-3-Clause https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/license-mapping.json#L65-L68

jakub-bochenski avatar Jul 31 '25 15:07 jakub-bochenski
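The declared-plus-concluded layout proposed in the comments above (concluded entry first, so single-license consumers pick the SPDX id, while the declared name is never dropped), driven by an alias table like the license-mapping.json mentioned in the last comment. This is an added example, not code from this issue or from cyclonedx-core-java; the `exp`/`names` shape of the mapping and its entries are assumptions, not the project's real file.

```python
import json

# Constructed alias table. Each entry maps free-text license names seen in
# POMs to one SPDX identifier. The "exp"/"names" layout is an assumption
# made for this example, not the project's actual license-mapping.json.
LICENSE_MAPPING = [
    {"exp": "MIT", "names": ["Bouncy Castle Licence", "Bouncy Castle License"]},
    {"exp": "BSD-3-Clause", "names": ["Eclipse Distribution License - v 1.0",
                                      "Eclipse Distribution License v. 1.0"]},
]


def lookup_spdx_id(declared_name, mapping=LICENSE_MAPPING):
    """Return the SPDX id aliased to a declared license name, or None.
    Matching ignores case and surrounding whitespace."""
    needle = declared_name.strip().casefold()
    for entry in mapping:
        if any(needle == n.casefold() for n in entry["names"]):
            return entry["exp"]
    return None


def build_licenses(declared_name, mapping=LICENSE_MAPPING):
    """Build a CycloneDX 'licenses' array for one component.

    The declared name is always kept (acknowledgement "declared"), so the
    upstream project's own statement survives in the BOM. When an alias is
    known, a concluded SPDX-id entry is placed FIRST, because a consumer
    that reads only one license (Dependency-Track in the thread) takes the
    first element of the array.
    """
    licenses = []
    spdx_id = lookup_spdx_id(declared_name, mapping)
    if spdx_id is not None:
        licenses.append({"license": {"id": spdx_id, "acknowledgement": "concluded"}})
    licenses.append({"license": {"name": declared_name, "acknowledgement": "declared"}})
    return licenses


def component_for(group, name, version, declared_name):
    """Assemble the component object in the shape shown in the thread."""
    return {
        "type": "library",
        "group": group,
        "name": name,
        "version": version,
        "purl": f"pkg:maven/{group}/{name}@{version}",
        "licenses": build_licenses(declared_name),
    }


if __name__ == "__main__":
    comp = component_for("org.bouncycastle", "bcprov-jdk18on", "1.8.1", "Bouncy Castle Licence")
    print(json.dumps(comp, indent=2))
```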