Automate the Updating of SPDX License List

[msymons]

The SPDX License List is a subschema of the main CDX schema. CyclonedDX is currently using 3.17 of the SPDX License List, whilst the latest version is 3.19. 15 new licenses were added in 3.18 and 3.19

SpdxXsdGenerator.java is used to generate the SPDX subschemas for XLM and JSON. This script also generates a lightweight JSON file containing SPDX license IDs for use with the various CDX implementations.

It would help if the process were automated using a GitHub action that would generate the JSON files for us, and submit PRs for all the individual repos that use them. For example, the Javascript version is here: spdx.SNAPSHOT.schema.json

The updates to the Specification repo should itself be done via a PR (something that does not seem to have happened in the past, eg when updating to 3.17.

[jkowalleck]

Hey, Jan here, I am the maintainer of the PHP lib and JS lib, co-maintainer of the Python lib.

For all repos I maintain, the schema files are pulled manually, and are modified so they are fully offline usable:

• The PHP-lib repo pulls (and modifies/fixes) all the relevant schemas via a schema downloader script - which is triggered manually.
• The JS-lib repo pulls (and modifies/fixes) all the relevant schemas via a schema downloader script - which is triggered manually.

Actually, I would love to have a process, that opens a pullrequest with changes to the SPDX ENUM files.

And this process SHOULD be triggered automatically (only) when the new values were deployed to public

• http://cyclonedx.org/schema/spdx.schema.json
• http://cyclonedx.org/schema/spdx

This process MUST NOT be triggered on every change of these files in the GitHub repo.

[jkowalleck]

@mrutkows I heard you were planning to get offline-capable validation running based on shipped schema files. Then this one might be interesting for you, too.