licenses: allow mix of multiple SPDX expressions AND/OR multiple named/spdx licenses

[jkowalleck]

current situation (CDX 1.6):

• it is allowed to have EITHER one spdx license expression OR multiple named/spdx licenses. see spec
• each license(expression/named/spdx) can have a acknowledgement - none or "declared" or "concluded". see spec

problem

the current situation does not allow the following:

• situation A: multiple declared licenses ids (like in python license trove-classifiers) and one concluded expression
  • Declared spdx license id "MIT" - as set in the project manifest
  • Declared spdx license id "PostgreSQL" - as set in the project manifest
  • Declared named license "Apache Software License" - as set in the project manifest
  • License evidence from the README file: "chose the license that applies best to you: PostgreSql or MIT or Apache2"
  • Concluded spdx license expression license "(MIT OR PostgreSQL OR Apache-2.0)" - (this is just an example for spec reasons, this is not a real-world law case!)
• situation B: declared expression and concluded expression
  • Delcared spdx expression "MIT OR (GPL-3.0 OR GPL-2.0)"
  • Concluded spdx expression "(GPL-3.0-only AND LGPL-2.0-only)" - after some lawyer checked for actual applied situation - (this is just an example for spec reasons, this is not a real-world law case!)
• situation C: declared expression and concluded spdx id
  • Declared spdx expression "GPL-3.0-or-later OR GPL-2.0"
  • Concluded spdx id " GPL-3.0-only" - after some lawyer checked for actual applied situation - (this is just an example for spec reasons, this is not a real-world law case!)

▶ more regarding reasons and practical use cases here: #454 (comment)

▶ more practical examples to justify this feature can be found in the examples:
https://github.com/CycloneDX/specification/blob/feat/licenses-multi-mix-all/tools/src/test/resources/1.7/valid-license-declared-concluded-mix-1.7.xml

request

allow the following:

• multiple SPDX expressions at the same time
• allow mix of SPDX expression and other licenses at the same time

possible results

clickhere to uncollapse the example

{ 
"bomFormat": "CycloneDX",
"specVersion": "1.x",
// ...
"components": [
 
{
 // ... component properties ...
 "licenses": [
    // situation A -- (this is just an example for spec reasons, this is not a real-world law case!)
    { "license": { 
      "id": "MIT", 
      "acknowledgement": "declared" } },
    { "license": { 
      "id": "PostgreSQL", 
      "acknowledgement": "declared" } },
    { "license": { 
      "name": "Apache Software License", 
      "acknowledgement": "declared" } },
    { "expression": "(MIT OR PostgreSQL OR Apache-2.0)",
      "acknowledgement": "concluded" }
  ]
},

{
 // ... component properties ...
 "licenses": [
    // situation B -- (this is just an example for spec reasons, this is not a real-world law case!)
    { "expression": "MIT OR (GPL-3.0 OR GPL-2.0)", 
      "acknowledgement": "declared" },
    { "expression": "(GPL-2.0-only AND LGPL-2.0-only)",
      "acknowledgement": "concluded" }
  ]
},

{
 // ... component properties ...
 "licenses": [
    // situation C -- (this is just an example for spec reasons, this is not a real-world law case!)
    { "expression": "GPL-3.0+ OR GPL-2.0", 
      "acknowledgement": "declared" },
    { "license": { 
      "id": " GPL-3.0-only", 
      "acknowledgement": "concluded" } }
  ]
},

{
 // ... component properties ...
 "licenses": [
   // example with concluded LicenseRef -- (this is just an example for spec reasons, this is not a real-world law case!)
    { "license": { 
      "id": "MIT", 
      "acknowledgement": "declared" } },
    { "license": { 
      "name": "Amazon Software License", 
      "acknowledgement": "declared" } },
    { "expression": "MIT AND LicenseRef-.amazon.com.-AmznSL-1.0",
      "acknowledgement": "concluded" }
  ]
},


]
}

[jkowalleck]

related: CycloneDX/cyclonedx-python#826

[villaflaminio]

I agree with the problem, especially case C.
I would like to be able to have a lawyer or some automatic mechanism review the product sbom so that I can identify which licence to "refer" to for each individual component based on my use case.
It is more than reasonable to have two licenses defined for a product, e.g. if the component is used in open source projects then the license is type A, otherwise if it is used for commercial purposes then the license is type B.
This is just an example.
And, of course, in the report I would like to avoid replacing the license expression declared by whoever produced the component in question.
One solution might be to allow to have one license expression and only one license by specifying ‘acknowledgement concluded’, but I don't know whether this would create problems elsewhere.

[jkowalleck]

I will be working on a solution for this, planned for CycloneDX 1.7.
All comments, discussions, and any help is welcome.

[Joerki]

The example should also mention "LicenseRef-" items to clearly state that such simple expressions are also SPDX expression by definition of SPDX, not only compound expressions.

Situation B:
After discussing the topic "concluded" license with our OSCO (Open Source Compliance Officer) my understanding is that a concluded license must not contain a compound statement with "OR". A decision must be taken.
The example would be the same as "MIT OR GPL-3.0-only OR GPL-2.0-only"
Based on current existing licenses it is compatible with "MIT OR GPL-2.0-or-later" or "MIT OR GPL-2.0+"

Concluded license possiblities:

• MIT (MIT)
• GPL-2.0 (GPL-2.0-only)
• GPL-3.0 (GPL-3.0-only)

Situation C:
"GPL-2.0+" cannot by used as concluded license based on the legal information I have (see also link below). It has an implicit "OR". As a consumer I have the choice to select between GPL-2.0 or a higher version (GPL-3.0) and I have to make a choice in my context. The GPL licenses are not fully compatible, so it is a legal requirement to select what applies for me as concluded license.

Clear statement here (Standard License Header):
https://spdx.org/licenses/GPL-2.0-or-later.html

Another significant reference:
BSI-TR-03183-2 Version 2.0.0 (10.10.2024)
Federal Office for Information Security (BSI)
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2-2_0_0.html
Chapter 6.1 (License identifiers and expressions)
They refer to SPDX annexes about usage, they also recommend to use the Scancode LicenseDB Aboutcode!

[jkowalleck]

re: #454 (comment)

Thanks for pointing that out.
I tried to incorporate your remarks in the description, and also added a section "expected results" to showcase the results.
Could you check whether all your use cases are represented, @Joerki ?

Anyway, the examples exist for showcasing needed options(requirements). As stated

(this is just an example for spec reasons, this is not a real-world law case!)

[jkowalleck]

"GPL-2.0+" cannot by used as concluded license based on the legal information I have (see also link below). It has an implicit "OR". As a consumer I have the choice to select between GPL-2.0 or a higher version (GPL-3.0) and I have to make a choice in my context. The GPL licenses are not fully compatible, so it is a legal requirement to select what applies for me as concluded license.

this might be true for OBOM and alike, but not for SBOM.
lets say i am pulling a library from the internet, and i have a lawyer analyzing the license posture, and they conclude "I've analyzed the license's README and other evidences, and i conclude the license to be free to chose from A or B ... -- which one is applied can be decided only after the lib was integrated into a system."