[LEGAL] get rid of (optional/transitive) dependencies licensed under GPL
there may be use-cases where people want to re-distribute this library with all its dependencies.
some (optional/transitive) dependencies might be licensed under GPL, which prevents an assembled re-distribution. see
- https://github.com/CycloneDX/cyclonedx-python-lib/issues/568
- https://github.com/CycloneDX/cyclonedx-python-lib/discussions/658
yes, it is not under the control of this very library, how others assemble or redistribute this library, but some community members argue otherwise - or are concerned anyway. Therefore, this issue exists.
if anybody wants to work on a replacement for the currently optional dependencies, here is the list of requirements:
- all current features must be supported, still. the dependencies in question are optional already; replacing them with optional dependencies that don't do the required job is a no-go.
- provide (unit) tests for your change. some might already exist, better add additional ones
here is a list of all dependencies' libraries
$ python -m venv lib
$ lib/bin/pip install cyclonedx-python-lib[validation]
$ grep -E '^License: |^License-Expression: |^Classifier: License' lib/lib/python*/site-packages/*.dist-info/METADATA
lib/lib/python3.11/site-packages/arrow-1.3.0.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/attrs-24.2.0.dist-info/METADATA:License-Expression: MIT
lib/lib/python3.11/site-packages/attrs-24.2.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/boolean.py-4.0.dist-info/METADATA:License: BSD-2-Clause
lib/lib/python3.11/site-packages/cyclonedx_python_lib-8.5.0.dist-info/METADATA:License: Apache-2.0
lib/lib/python3.11/site-packages/cyclonedx_python_lib-8.5.0.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/defusedxml-0.7.1.dist-info/METADATA:License: PSFL
lib/lib/python3.11/site-packages/defusedxml-0.7.1.dist-info/METADATA:Classifier: License :: OSI Approved :: Python Software Foundation License
lib/lib/python3.11/site-packages/fqdn-1.5.1.dist-info/METADATA:License: MPL 2.0
lib/lib/python3.11/site-packages/fqdn-1.5.1.dist-info/METADATA:Classifier: License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)
lib/lib/python3.11/site-packages/idna-3.10.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
lib/lib/python3.11/site-packages/isoduration-20.11.0.dist-info/METADATA:License: UNKNOWN
lib/lib/python3.11/site-packages/isoduration-20.11.0.dist-info/METADATA:Classifier: License :: OSI Approved :: ISC License (ISCL)
lib/lib/python3.11/site-packages/jsonpointer-3.0.0.dist-info/METADATA:License: Modified BSD License
lib/lib/python3.11/site-packages/jsonpointer-3.0.0.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
lib/lib/python3.11/site-packages/jsonschema-4.23.0.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/jsonschema-4.23.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/jsonschema_specifications-2024.10.1.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/license_expression-30.4.0.dist-info/METADATA:License: Apache-2.0
lib/lib/python3.11/site-packages/lxml-5.3.0.dist-info/METADATA:License: BSD-3-Clause
lib/lib/python3.11/site-packages/lxml-5.3.0.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
lib/lib/python3.11/site-packages/packageurl_python-0.16.0.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/packageurl_python-0.16.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/packageurl_python-0.16.0.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/pip-23.0.1.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/pip-23.0.1.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/py_serializable-1.1.2.dist-info/METADATA:License: Apache-2.0
lib/lib/python3.11/site-packages/py_serializable-1.1.2.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/python_dateutil-2.9.0.post0.dist-info/METADATA:License: Dual License
lib/lib/python3.11/site-packages/python_dateutil-2.9.0.post0.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
lib/lib/python3.11/site-packages/python_dateutil-2.9.0.post0.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/referencing-0.35.1.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/rfc3339_validator-0.1.4.dist-info/METADATA:License: MIT license
lib/lib/python3.11/site-packages/rfc3339_validator-0.1.4.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/rfc3987-1.3.8.dist-info/METADATA:License: GNU GPLv3+
lib/lib/python3.11/site-packages/rfc3987-1.3.8.dist-info/METADATA:Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
lib/lib/python3.11/site-packages/rpds_py-0.21.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/setuptools-66.1.1.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/six-1.16.0.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/six-1.16.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/sortedcontainers-2.4.0.dist-info/METADATA:License: Apache 2.0
lib/lib/python3.11/site-packages/sortedcontainers-2.4.0.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/types_python_dateutil-2.9.0.20241003.dist-info/METADATA:License: Apache-2.0
lib/lib/python3.11/site-packages/types_python_dateutil-2.9.0.20241003.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/uri_template-1.3.0.dist-info/METADATA:License: MIT License
lib/lib/python3.11/site-packages/uri_template-1.3.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/webcolors-24.11.1.dist-info/METADATA:License: BSD-3-Clause
lib/lib/python3.11/site-packages/webcolors-24.11.1.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
affected dependencies:
- rfc3987 - https://pypi.org/project/rfc3987/
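The grep above only works on a POSIX shell and misses packages that declare their license solely through classifiers, or declare `License: UNKNOWN`. As an added example (not code from cyclonedx-python-lib or its maintainers), here is the same audit done with the standard library only: it walks every installed distribution via `importlib.metadata`, collects the `License`, `License-Expression` and `License ::` classifier fields, and sorts each package into strong copyleft (GPL/AGPL), weak copyleft (LGPL/MPL, worth a review for redistribution) or other. The two embedded METADATA samples are constructed from the listing in this issue so the script can be exercised offline; the category names and regexes are this example's own choices.

```python
"""Audit licenses of installed Python distributions and flag copyleft ones.

Example code added to illustrate the check discussed in the issue; it is
not part of cyclonedx-python-lib. Standard library only.
"""
import re
from email.message import Message
from email.parser import Parser
from importlib.metadata import distributions

# Strong copyleft: GPL, AGPL and their long names. Matched AFTER weak
# copyleft mentions are stripped, so "GNU Lesser General Public License"
# is not mistaken for "GNU General Public License".
STRONG_COPYLEFT = re.compile(r"\b(?:AGPL|GPL|GNU General Public|Affero)", re.I)
# Weak copyleft: usually acceptable for an assembled redistribution but
# still worth a look, so it gets its own category instead of "permissive".
WEAK_COPYLEFT = re.compile(r"\b(?:LGPL|Lesser General Public|MPL|Mozilla Public)", re.I)

CATEGORIES = ("strong-copyleft", "weak-copyleft", "permissive-or-other", "unknown")


def license_fields(meta: Message) -> list[str]:
    """Return every license statement in a METADATA message.

    Looks at the same three places the grep in the issue does:
    License-Expression, License and the ``License ::`` classifiers.
    A bare ``UNKNOWN`` (as isoduration ships) carries no information.
    """
    values = list(meta.get_all("License-Expression", []))
    values += meta.get_all("License", [])
    values += [c for c in meta.get_all("Classifier", []) if c.startswith("License ::")]
    return [v.strip() for v in values if v and v.strip().upper() != "UNKNOWN"]


def classify(values: list[str]) -> str:
    """Map a list of license statements to one of CATEGORIES."""
    text = " | ".join(values)
    if not text:
        return "unknown"
    # Remove weak-copyleft phrases first so their GPL-like wording does
    # not trigger the strong-copyleft pattern.
    without_weak = WEAK_COPYLEFT.sub("", text)
    if STRONG_COPYLEFT.search(without_weak):
        return "strong-copyleft"
    if WEAK_COPYLEFT.search(text):
        return "weak-copyleft"
    return "permissive-or-other"


def audit_installed() -> dict[str, tuple[str, str]]:
    """Classify every distribution visible to the running interpreter.

    Returns {"name-version": (category, "joined license statements")}.
    """
    report = {}
    for dist in distributions():
        name = dist.metadata["Name"] or "?"
        values = license_fields(dist.metadata)
        report[f"{name}-{dist.version}"] = (classify(values), "; ".join(values))
    return report


# Constructed METADATA snippets, adapted from the grep output in the issue.
SAMPLE_GPL = (
    "Metadata-Version: 2.1\nName: rfc3987\nVersion: 1.3.8\n"
    "License: GNU GPLv3+\n"
    "Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)\n"
)
SAMPLE_MPL = (
    "Metadata-Version: 2.1\nName: fqdn\nVersion: 1.5.1\n"
    "License: MPL 2.0\n"
    "Classifier: License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)\n"
)


def parse_metadata(text: str) -> Message:
    """Parse a METADATA file body (RFC 822 style headers) into a Message."""
    return Parser().parsestr(text)


if __name__ == "__main__":
    for sample in (SAMPLE_GPL, SAMPLE_MPL):
        meta = parse_metadata(sample)
        print(meta["Name"], "->", classify(license_fields(meta)))
    # Real environment: print only what needs attention.
    for pkg, (category, detail) in sorted(audit_installed().items()):
        if category != "permissive-or-other":
            print(f"{category:20} {pkg:40} {detail}")
```

Run it inside the venv created above (`lib/bin/python audit.py`) and anything in the `strong-copyleft` or `unknown` rows is what needs a decision before the library is redistributed with its dependencies.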
@jkowalleck Thanks. Do you know if there are existing tests specifically for the features that would be uniquely provided by the rfc3987 library?
CycloneDX JSON schema uses iri-reference for URLs and alike. see https://github.com/CycloneDX/specification/blob/db041a4c5ee2ae74b3a39372b8ab16aa61f420a1/schema/bom-1.6.schema.json#L351-L356
According to https://python-jsonschema.readthedocs.io/en/latest/validate/#validating-formats, the validation of these requires the rfc3987 library.
GPL, which prevents an assembled re-distribution
It's not just that. Even when not assembled with dependencies, it still matters.
According to the FSF, a software project that has a dependency on a GPL library must be licensed under the GPL as well. Even if it is dynamically linked like in Python. Although this hasn't been tested in court, it's the general opinion of free software developers. This means this repo is likely infringing on copyright. This must be fixed by removing the GPL dependency.
Sources:
- https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic
- https://opensource.stackexchange.com/a/7331
- https://opensource.stackexchange.com/a/6036
- https://opensource.stackexchange.com/a/13828
need to investigate if another library implements the iri-reference correctly, and how it can be incorporated in our JSON schema validator.
candidates:
- https://pypi.org/project/rfc3987-syntax/
- https://pypi.org/project/iriuri/
- to be continued
I might work on this topic over the next days/weeks and publish my findings here. If anybody wants to collaborate, feel free to do so 🥇
PS: see https://github.com/python-jsonschema/jsonschema/issues/1387
actions taken
- [x] find a non-GPL implementation for RFC 3987
- [x] make the implementation feature complete for iri and iri_references - https://github.com/willynilly/rfc3987-syntax/pull/2
- [x] fixed bugs in the implementation - https://github.com/willynilly/rfc3987-syntax/pull/3
- [x] make the implementation feature complete for
- [x] have this implementation available in the JSON schema library
- [x] use the non-GPL implementation as an install-dependency
a fix was released via https://github.com/CycloneDX/cyclonedx-python-lib/releases/tag/v10.5.0