sbom-utility
SBOM Utility is not validating the SMAIL-GPL SPDX License
I created a CDX 1.4 SBOM with the licenses for one package as
GPL-2.0-or-later, SMAIL-GPL, public-domain
These were broken up correctly into their separate licenses in the SBOM, but on importing the SBOM into DT it failed.
I ran a validation tool against it and it failed with (to summarize) SMAIL-GPL is not an SPDX license.
It is - https://spdx.org/licenses/SMAIL-GPL.html
It was introduced to the SPDX list in Oct 2024 and I am guessing that SBOM utility needs to be updated to accept it.
I changed the license to the primary one for this package:
GPL-2.0-or-later
and the SBOM validated and imported into DT.
@nigellh The utility uses the https://github.com/CycloneDX/license-scanner which looks like it needs to be updated to the Version: 3.26.0 2024-12-30 license list published here: https://spdx.org/licenses/.
Will see if I can submit a PR to that project to update from v3.21; feel free to beat me to that update (as a PR in the license-scanner project ;)
If license-scanner gets updated, I can easily update to its latest version and create a release with updated package version.
@nigellh it looks like the license you are referencing was added on 3.26 according to release notes: https://github.com/spdx/license-list-XML/releases
If IBM has an opinion of the default policy for this license, please let me know here as we can update that config file.
Hi Matt, no idea, that would take a legal opinion and it might vary from product to product on how it is used. Just need to make sure the SPDX ID is there. Many thanks.
@nigellh Indeed, looking at "kf-sbom-validation-report.txt" it is a schema issue and not under control of sbom-utility unless a new cyclonedx version is released which references an updated spdx schema that hopefully added the license in question...
I made a bad assumption and saw the ref. license was added to spdx v3.26 (and updated the license-scanner to support all new licenses from 3.21-3.26); however, the schema that has the enumeration of spdx-ids is the real issue it seems (i.e., it is a schema ref. by the cdx schema).
Good news is that it appears the spdx schema was updated via this commit: https://github.com/CycloneDX/specification/commit/e9e0e4e6f4226d60e739a957bbcdb65fd3510ffd
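The two checks discussed above are distinct: the CycloneDX 1.4 schema constrains `license.id` through the enum in the referenced `spdx.schema.json`, while expressions are only checked by tools that parse them (such as license-scanner). The following is an added illustration, not code from sbom-utility or license-scanner; the enum subsets, the BOM fragment and the simplified expression tokenizer are all constructed for the example.

```python
import re

# Constructed subset of the enum in CycloneDX's spdx.schema.json (the real file
# lists every SPDX id). SMAIL-GPL entered the SPDX list in v3.26, so an enum
# generated from an older list lacks it.
SPDX_ENUM_OLD = {"GPL-2.0-or-later", "MIT", "Apache-2.0"}
SPDX_ENUM_NEW = SPDX_ENUM_OLD | {"SMAIL-GPL"}

# Constructed CDX 1.4 fragment mirroring the issue: one package with its three
# detected licenses (two as license.id, one as free-text name) and a second
# package that carries an SPDX expression instead.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{
        "type": "library", "name": "example-pkg", "version": "1.0.0",
        "licenses": [
            {"license": {"id": "GPL-2.0-or-later"}},
            {"license": {"id": "SMAIL-GPL"}},
            {"license": {"name": "public-domain"}},
        ],
    }, {
        "type": "library", "name": "other-pkg", "version": "2.0.0",
        "licenses": [{"expression": "MIT OR SMAIL-GPL"}],
    }],
}

_OPERATORS = {"AND", "OR", "WITH"}

def ids_in_expression(expr):
    """Bare license ids of an SPDX expression (parentheses and AND/OR/WITH
    dropped). Simplified hypothetical tokenizer, not license-scanner's parser."""
    return [t for t in re.split(r"[\s()]+", expr) if t and t.upper() not in _OPERATORS]

def unknown_license_ids(bom, known_ids, check_expressions=False):
    """Return (component, id) pairs whose id is absent from known_ids.
    With check_expressions=False this mirrors schema validation: only license.id
    is enum-constrained; license.name is free text and expressions are skipped.
    With check_expressions=True ids inside expressions are checked as well."""
    bad = []
    for comp in bom.get("components", []):
        for entry in comp.get("licenses", []):
            if "expression" in entry:
                candidates = ids_in_expression(entry["expression"]) if check_expressions else []
            else:
                lic = entry.get("license", {})
                candidates = [lic["id"]] if "id" in lic else []
            bad.extend((comp["name"], i) for i in candidates if i not in known_ids)
    return bad
```

Against the old enum, schema-style validation rejects only the `license.id` entry for SMAIL-GPL; updating the expression-level list alone does not make that schema failure go away.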
@nigellh I wrote my own testcase and believe it is fixed. Please verify by building main branch and running against your BOM.
jqgrid_5.8.8_20250401_164415-collect-1-4-sbom.cdx.json.zip
Hi Matt. Here is a scan of an open source package and I have dumped the SMAIL-GPL license against a few of the packages.