
Feature: License overrides

Open jakub-bochenski opened this issue 5 months ago • 4 comments

Basically a copy of the feature that spdx-maven-plugin has.

Some components have misspelled license names, which causes problems down the line.

jakub-bochenski avatar Jul 24 '25 16:07 jakub-bochenski

Coming from SPDX to CycloneDX, we would love to have such a feature, too.

@jakub-bochenski As a (dirty) workaround, we use a script executed after the SBOM generation that modifies the licenses section of components based on their purl according to our rules.

spfeiffer-iem avatar Sep 08 '25 08:09 spfeiffer-iem

> @jakub-bochenski As a (dirty) workaround, we use a script executed after the SBOM generation that modifies the licenses section of components based on their purl according to our rules.

Yes, I do the same thing

jakub-bochenski avatar Sep 08 '25 11:09 jakub-bochenski

BTW @spfeiffer-iem what you can also do is fork https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/license-mapping.json and add your own mappings, then use it like https://github.com/jakub-bochenski/example-cyclonedx-core-java/blob/master/pom.xml#L51-L61

It's cleaner if you are only on Maven, but it won't handle cases where the license is missing completely.

jakub-bochenski avatar Sep 08 '25 11:09 jakub-bochenski

> Some components have misspelled license names, which causes problems down the line.

Some components have no license at all, which also causes problems down the line. So that feature would be really helpful...

Lonzak avatar Dec 08 '25 19:12 Lonzak
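An added example (not code from the plugin or from anyone in this thread) of the kind of post-generation script spfeiffer-iem describes: it rewrites the `licenses` array of components in a CycloneDX JSON BOM by matching their purl against override rules, and also reports components with no license at all, the case Lonzak raises. The purls, rules and SBOM content are constructed for illustration.

```python
import copy
import json
import re
import sys

# Constructed override rules: a purl regex and the SPDX ids to write.
# First matching rule wins. Real rules would be whatever the team decides.
OVERRIDES = [
    {"purl": r"^pkg:maven/com\.example/", "licenses": ["Apache-2.0"]},      # misspelled name
    {"purl": r"^pkg:maven/org\.example/nolicense@", "licenses": ["MIT"]},  # no license metadata
]

# Constructed minimal CycloneDX 1.5 JSON BOM with three components.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "lib", "purl": "pkg:maven/com.example/lib@1.2.3",
         "licenses": [{"license": {"name": "Apache Licence 2.0"}}]},
        {"type": "library", "name": "nolicense", "purl": "pkg:maven/org.example/nolicense@1.0.0"},
        {"type": "library", "name": "clean", "purl": "pkg:maven/org.other/clean@2.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
}

def unlicensed(bom):
    """Purls (or names) of components whose licenses array is absent or empty."""
    return [c.get("purl", c.get("name")) for c in bom.get("components", [])
            if not c.get("licenses")]

def apply_overrides(bom, rules=OVERRIDES):
    """Return (new_bom, changed_purls); the input BOM is not modified.
    Matched components get licenses replaced by {"license": {"id": ...}} entries."""
    out = copy.deepcopy(bom)
    changed = []
    for comp in out.get("components", []):
        purl = comp.get("purl", "")
        for rule in rules:
            if re.search(rule["purl"], purl):
                comp["licenses"] = [{"license": {"id": lid}} for lid in rule["licenses"]]
                changed.append(purl)
                break
    return out, changed

if __name__ == "__main__":
    # Usage: python overrides.py target/bom.json > bom-fixed.json
    with open(sys.argv[1]) as fh:
        fixed, touched = apply_overrides(json.load(fh))
    print(json.dumps(fixed, indent=2))
    print(f"overridden: {touched}\nstill unlicensed: {unlicensed(fixed)}", file=sys.stderr)
```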