
Misalignment in Protobuf Specification with Updated XML and JSON Schemas for LicenseChoice

Open mtsfoni opened this issue 1 year ago • 6 comments

Up to version 1.5, there was a discrepancy between the XML and the JSON Schema, which was resolved as per #204/#205. Since that update, LicenseChoice has become a complex type in the JSON formats to match the XML Schema. It is now defined to potentially include a list of licenses and an (optional) expression.

However, the corresponding protobuf specification was not updated to reflect these changes. As a result, the protobuf still retains the list of LicenseChoice as shown below:

```proto
message Component {
  ...
  repeated LicenseChoice licenses = 13;
}

message LicenseChoice {
  oneof choice {
    License license = 1;
    // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
    string expression = 2;
  }
  // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
  optional LicenseAcknowledgementEnumeration acknowledgement = 3;
}
```

mtsfoni avatar May 12 '24 21:05 mtsfoni

each schema is an implementation of the spec - with the goal to make it possible to model the specification with clear guidelines.

spec is:

EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

In ProtoBuff we see https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/schema/bom-1.6.proto#L367-L375

where License license = 1; is currently not repeated, ~~but it should be repeated License license = 1;, to match the spec.~~
PS: read below: https://github.com/CycloneDX/specification/issues/465#issuecomment-2106378415

jkowalleck avatar May 12 '24 21:05 jkowalleck

> However, the corresponding protobuf specification was not updated to reflect these changes.

because it was correct, already. spec says: EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

You can build a structure with multiple licenses, as it is described by the CycloneDX spec. see https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/schema/bom-1.6.proto#L116

multi license component here: https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/tools/src/test/resources/1.6/valid-metadata-license-1.6.textproto

jkowalleck avatar May 12 '24 21:05 jkowalleck

@jkowalleck You can currently build everything that is expected, that is a list of licenses or a single license expression. However, you can also build a list of license expressions, which is not intended.

andreas-hilti avatar May 19 '24 19:05 andreas-hilti
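The rule argued over in this thread (EITHER a list of named/SPDX-id licenses OR exactly one SPDX license expression, with the `LicenseChoice.acknowledgement` field only meaningful when `expression` is chosen) is not something the proto `oneof` alone can enforce, so a consumer has to check it after parsing. The following validator is an added example, not code from the CycloneDX project: it models the `bom-1.6.proto` `LicenseChoice` oneof with plain dataclasses as a stand-in for generated protobuf classes (the `License` fields and the string-typed `acknowledgement` are simplifications, not the real schema), and flags the "list of expressions" case that the comment above points out is constructible but not intended.

```python
"""Validate the CycloneDX license-choice rule discussed in the thread.

The dataclasses below are a stand-in for protobuf-generated classes (assumed
shapes, not the project's own code) so the check runs without compiling
bom-1.6.proto.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class License:
    # A named license: an SPDX id or a free-form name (simplified).
    id: Optional[str] = None
    name: Optional[str] = None
    # The License object carries its own acknowledgement (see proto comment).
    acknowledgement: Optional[str] = None


@dataclass
class LicenseChoice:
    # Mirrors `oneof choice { License license = 1; string expression = 2; }`.
    license: Optional[License] = None
    expression: Optional[str] = None
    # Per the proto comment: must only be used when `expression` is chosen.
    acknowledgement: Optional[str] = None

    def which_choice(self) -> Optional[str]:
        """Return the populated oneof member ('license' / 'expression') or None."""
        if self.license is not None and self.expression is not None:
            raise ValueError("oneof violated: both license and expression set")
        if self.license is not None:
            return "license"
        if self.expression is not None:
            return "expression"
        return None


def validate_licenses(choices: List[LicenseChoice]) -> List[str]:
    """Return the list of problems found in a component's `licenses` list.

    An empty list means the choices are valid: either any number of
    `license` entries, or exactly one `expression` entry.
    """
    problems: List[str] = []
    kinds: List[str] = []
    for i, choice in enumerate(choices):
        try:
            kind = choice.which_choice()
        except ValueError as err:
            problems.append(f"licenses[{i}]: {err}")
            continue
        if kind is None:
            problems.append(f"licenses[{i}]: empty LicenseChoice")
            continue
        if kind == "license" and choice.acknowledgement is not None:
            problems.append(
                f"licenses[{i}]: acknowledgement set on a LicenseChoice wrapping "
                "a License; it belongs on the License object"
            )
        kinds.append(kind)

    n_expr = kinds.count("expression")
    if n_expr > 1:
        problems.append(f"{n_expr} expressions given; at most one expression is allowed")
    if n_expr == 1 and len(kinds) > 1:
        problems.append("an expression cannot be combined with other licenses")
    return problems


if __name__ == "__main__":
    # Constructed sample: the unintended "list of expressions" shape.
    bad = [LicenseChoice(expression="MIT"), LicenseChoice(expression="Apache-2.0")]
    for problem in validate_licenses(bad):
        print(problem)
```

The validator accepts the two shapes the spec names (a list of `License` entries, or a single `expression`) and reports anything else, including the mixed case and a misplaced acknowledgement.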

> However, you can also build a list of license expressions, which is not intended.

I acknowledge a lack of documentation there. Will drop a PR to have it added.

jkowalleck avatar May 24 '24 09:05 jkowalleck

please review https://github.com/CycloneDX/specification/pull/468

jkowalleck avatar May 24 '24 10:05 jkowalleck

please also be aware of upcoming https://github.com/CycloneDX/specification/issues/454

jkowalleck avatar May 24 '24 16:05 jkowalleck