feat: SPDX license instead of expression
Based on the discussion in https://github.com/CycloneDX/cyclonedx-python/discussions/377
Have a feature switch that causes the output to change in behaviour:
instead of
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
  <components>
    <component type="library">
      <group>org.acme</group>
      <name>card-verifier</name>
      <version>1.0.2</version>
      <licenses>
        <expression>(Apache-2.0 OR MIT)</expression>
      </licenses>
    </component>
  </components>
</bom>
the output should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
  <components>
    <component type="library">
      <group>org.acme</group>
      <name>card-verifier</name>
      <version>1.0.2</version>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
        <license>
          <id>MIT</id>
        </license>
      </licenses>
    </component>
  </components>
</bom>
Duplicates #354
Discussed the topic with @madpah, and we think we will prefer a different solution: we will take the opportunity and create a factory in the cyclonedx-python-lib via https://github.com/CycloneDX/cyclonedx-python-lib/issues/304 that accepts any string and will create the fitting license model from it: an expression, a named one, or an SPDX one.
might be closed via #417
fixed by #605
This feature will be part of the next/upcoming major release.
Changelog: see https://github.com/CycloneDX/cyclonedx-python/pull/605
Install via: pip install cyclonedx-bom==4.0.0rc1