
Dedicated node for licenses

Open fnxpt opened this issue 1 year ago • 1 comment

Currently, with the current spec, if we have n dependencies with the same license and we need to include the license text, this leads to a lot of duplicated text and a huge increase in file size. As an example, on the files we are generating, if we do not include the license text the file is around 5MB; if we include the text we have more than 500MB per file. Ideally we should have a dedicated node that could contain the details, so the dependencies contain the ID and this dedicated node could contain the details like the license text.

{
  // ...
  "components": [
    // ...
    {
      "type": "library",
      "bom-ref": "pkg:xxx",
      "publisher": "xxxx",
      "group": "com.xxx",
      "name": "xxx",
      "version": "x.x.x",
      // ....
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ]
    }
  ],
  // proposed dedicated node: keyed by license ID, carries the text once
  "licenses": {
    "Apache-2.0": {
      "text": "licence text"
    }
  }
}

see also: https://cyclonedx.slack.com/archives/CVA0G10FN/p1688979060505779

fnxpt Jul 11 '23 09:07

Without assessment of the topic of this feature request, here is a proposal that uses bom-refs and attachments, rather than some magic values.

{
  // ...
  "components": [
    // ...
    {
      "name": "component-A",
      // ....
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0",
            "bom-ref": "license-A"
          }
        }
      ]
    },
    {
      "name": "component-B",
      // ....
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0",
            "bom-ref": "license-B"
          }
        }
      ]
    },
    {
      "name": "Component-C",
      // ....
      "evidence": {
        "licenses": [
          {
            "license": {
              "name": "custom license",
              "bom-ref": "license-C"
            }
          }
        ]
      }
    }
  ],
  // proposed dedicated node: one entry per distinct text, listing the bom-refs that share it
  "licenses": [
    {
      "refs": [
        // list of (ref-Link or Bom-Link)
        "license-A",
        "license-B"
      ],
      "text": {
        // type = #/definitions/attachment (its payload field is `content`)
        "contentType": "text/plain",
        "encoding": "base64",
        // base64 of the standard Apache-2.0 license text
        "content": "bG9yZW0gdXBzdW0="
      }
    },
    {
      "refs": [
        // list of (ref-Link or Bom-Link)
        "license-C"
      ],
      "text": {
        // type = #/definitions/attachment (its payload field is `content`)
        "contentType": "text/plain",
        "encoding": "base64",
        // base64 of the actual detected license text found
        "content": "bG9yZW0gdXBzdW0gZG9sb3Igc2l0IA=="
      }
    }
  ]
}

jkowalleck Jul 11 '23 09:07
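The two sketches above (fnxpt's ID-keyed node and jkowalleck's bom-ref plus attachment variant) describe a transform but do not show it running. As an added example that is not code from the CycloneDX project or from either commenter, the following Python implements the second variant end to end: it moves inline license attachments out of each component into a top-level `licenses` list, shares one entry between identical texts (matched by SHA-256 of the decoded bytes), and resolves the list back into the components. The top-level `licenses` key, the `license-N` bom-ref scheme, the function names, and the sample BOM are all assumptions made for this example; the attachment shape (`contentType`, `encoding`, `content`) follows the `#/definitions/attachment` object of the CycloneDX JSON schema.

```python
import base64
import copy
import hashlib
import json

# Constructed sample input (not a real SBOM). Components A and B carry the same
# Apache-2.0 text inline; C carries a detected custom license under `evidence`.
APACHE_TEXT = "Apache License, Version 2.0, January 2004. " * 200
CUSTOM_TEXT = "Custom license text as detected in the source tree."

def attachment(text):
    """Build an object shaped like #/definitions/attachment (contentType, encoding, content)."""
    return {"contentType": "text/plain", "encoding": "base64",
            "content": base64.b64encode(text.encode()).decode()}

SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "component-A", "version": "1.0.0",
         "licenses": [{"license": {"id": "Apache-2.0", "text": attachment(APACHE_TEXT)}}]},
        {"type": "library", "name": "component-B", "version": "2.0.0",
         "licenses": [{"license": {"id": "Apache-2.0", "text": attachment(APACHE_TEXT)}}]},
        {"type": "library", "name": "component-C", "version": "0.1.0",
         "evidence": {"licenses": [{"license": {"name": "custom license",
                                                "text": attachment(CUSTOM_TEXT)}}]}},
    ],
}

def license_objects(component):
    """Yield every `license` object on a component, declared or under `evidence`."""
    for holder in (component, component.get("evidence", {})):
        for choice in holder.get("licenses", []):
            if "license" in choice:
                yield choice["license"]

def decode_attachment(att):
    """Return the attachment payload as bytes, honouring the base64 encoding flag."""
    if att.get("encoding") == "base64":
        return base64.b64decode(att["content"])
    return att["content"].encode()

def dedupe_license_texts(bom):
    """Move inline license texts into a hypothetical top-level `licenses` list.

    Every license object that carried a text gets a generated bom-ref; texts with
    the same SHA-256 share one entry whose `refs` list names all of those bom-refs.
    """
    out = copy.deepcopy(bom)
    pool = {}          # sha256 hex of the decoded text -> shared entry
    counter = 0
    for comp in out.get("components", []):
        for lic in license_objects(comp):
            att = lic.pop("text", None)
            if att is None:
                continue
            counter += 1
            ref = f"license-{counter}"
            lic["bom-ref"] = ref
            digest = hashlib.sha256(decode_attachment(att)).hexdigest()
            pool.setdefault(digest, {"refs": [], "text": att})["refs"].append(ref)
    out["licenses"] = list(pool.values())
    return out

def resolve_license_texts(bom):
    """Inverse of dedupe: copy each shared text back onto the license objects it refs.

    A bom-ref claimed by two entries, or one that no entry provides, is an error:
    a consumer must not silently attach the wrong (or no) text to a component.
    """
    out = copy.deepcopy(bom)
    by_ref = {}
    for entry in out.pop("licenses", []):
        for ref in entry["refs"]:
            if ref in by_ref:
                raise ValueError(f"bom-ref {ref!r} is claimed by more than one entry")
            by_ref[ref] = entry["text"]
    for comp in out.get("components", []):
        for lic in license_objects(comp):
            ref = lic.get("bom-ref")
            if ref is None:
                continue
            if ref not in by_ref:
                raise ValueError(f"license bom-ref {ref!r} resolves to nothing")
            lic["text"] = copy.deepcopy(by_ref[ref])
    return out

def texts_per_component(bom):
    """Decoded license texts per component, in document order (None if absent)."""
    return [[None if lic.get("text") is None else decode_attachment(lic["text"]).decode()
             for lic in license_objects(comp)]
            for comp in bom.get("components", [])]

def serialized_size(bom):
    """Bytes of the compact JSON serialization, to compare before and after."""
    return len(json.dumps(bom, separators=(",", ":")).encode())
```

Running `dedupe_license_texts(SAMPLE_BOM)` yields two top-level entries, one with refs `license-1` and `license-2` (the shared Apache text) and one with `license-3`, and the compact serialization shrinks by roughly one copy of the Apache text. `resolve_license_texts` deliberately refuses a BOM in which one bom-ref is listed under two entries or in which a referenced entry is missing; in the proposed layout a license's text lives away from the component, so a consumer should treat ambiguous or dangling references as a validation failure rather than guess.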