feat: license expression details and properties - text attachment, licensing, etc (#599)
- tests: examples for licenses with text
- tests: draft for expressions with text

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
see #599 (comment) Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
as suggested in https://github.com/CycloneDX/specification/pull/599/files#r1965445439 Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Hi @jkowalleck, I stumbled over the explanation of "content" of the text:

added via c16b24a
This is not a difference in naming, but in structure. In JSON, we have this one object that contains the property "expression", and additional properties. Hope this helps to understand. XSD and JSON-schema and ProtoBuf-schema are just implementations of the CycloneDX spec.

I've copied this over from the existing spec somewhere. Feel free to open an issue/pull request to improve this in the spec 👍 In addition, I've revisited the docs and changed them - hopefully for the better: 7c49125
RFC notice sent.
Public RFC period ends April 8, 2025
This feature was just approved by Ecma TC54 👍
## Fixed

* XML schema: add type for `ComponentData` sub-elements ([#600] via [#601])
* JSON schema: added the correct `deprecated` mark for already deprecated structures (via [a973a6b])

## Deprecated

* Deprecated various fields and structures related to _cryptographic transparency_ - _CBOM_. (via [#657])
  Use the newly added structures and fields for detailing the information instead.

## Changed

* Extended the scope of _formulations_. (via [#647])
  From now on, _formulations_ may be used to describe how any referencable object within the BOM came together, including components, services, metadata, declarations, or the BOM itself. Before, it was restricted to components and services.

## Added

* Support for _external components_ with _version-ranges_ ([#321] via [#586])
* Support for _multiple_ SPDX License Expressions alongside with other licenses ([#454] via [#582])
* Support for _Streebog hashing algorithm_ ([#485] via [#525])
* Support for license expression _details and properties_ ([#549], [#554] via [#599])
* Support for expressing BOM distribution constraints with the _Traffic Light Protocol_ (TLP) in metadata ([#595] via [#604], [#653])
* Support for representing _patent information_ ([#596] via [#597])
* Support for _properties_ on external-references ([#608] via [#610])
* Support for _citations_ ([#630] via [#629])
* Support for detailing _cryptographic transparency_ information - _CBOM_ ([#569] via [#657])

## Documentation

* Elaborated component classification "platform", explicitly expressed that it includes just-in-time compilers and interpreters ([#233] via [#647])
* Removed the term "optional" from the schema where the definition was already unambiguous ([#616], [#649] via [#680])

## Test data

* Add test data for CycloneDX 1.7 implementations in XML, JSON, Protobuf

[#233]: #233
[#321]: #321
[#454]: #454
[#485]: #485
[#525]: #525
[#549]: #549
[#554]: #554
[#569]: #569
[#582]: #582
[#586]: #586
[#595]: #595
[#596]: #596
[#597]: #597
[#599]: #599
[#600]: #600
[#601]: #601
[#604]: #604
[#608]: #608
[#610]: #610
[#616]: #616
[#629]: #629
[#630]: #630
[#647]: #647
[#649]: #649
[#653]: #653
[#657]: #657
[#680]: #680
[a973a6b]: a973a6b

----

- fixes #233
- fixes #321
- fixes #454
- fixes #485
- fixes #549
- fixes #554
- fixes #595
- fixes #596
- fixes #600
- fixes #608
- fixes #629
- fixes #616
- fixes #649
see CycloneDX/specification#599 (comment) Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
see CycloneDX#599 (comment) Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
…censing, etc (CycloneDX#599)

As discussed via CycloneDX#549, this PR adds new structures to allow documenting the licensing and "properties" of SPDX expressions.
As discussed via CycloneDX#554, this PR adds new structures to allow documenting the license texts for SPDX expressions' individual parts.

----

TODO

- [x] agree on data models & finalize examples
- [x] write the schemata
- [x] write the spec
- [x] write a proper summary for this PR

----

- fixes CycloneDX#554
- fixes CycloneDX#549
As discussed via #549, this PR adds new structures to allow documenting the licensing and "properties" of SPDX expressions
As discussed via #554, this PR adds new structures to allow documenting the license texts for SPDX expressions' individual parts.
TODO
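The PR description above talks about attaching license texts to the individual parts of an SPDX expression. As an added example (not code from this PR or from the CycloneDX project), the block below splits an SPDX expression into its license and exception identifiers, strictly decodes a CycloneDX-style attachment (`content`/`contentType`/`encoding`), and reports which parts of the expression have no text attached. The field names `details`, `id` and `text` on the expression entry are assumptions for illustration, not the names of the published 1.7 schema.

```python
import base64
import re

# Tokens of an SPDX expression: parentheses, or an identifier (license id, exception
# id, LicenseRef-...) with an optional trailing "+". Operators are caught by keyword.
_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9.\-:]+\+?)")
_OPERATORS = {"AND", "OR", "WITH"}


def expression_parts(expression: str) -> list[str]:
    """Identifiers used in an SPDX expression, in order of appearance, de-duplicated.
    This is a tokenizer, not a full grammar check of the expression."""
    expression = expression.strip()
    parts: list[str] = []
    pos = 0
    while pos < len(expression):
        m = _TOKEN.match(expression, pos)
        if m is None:
            raise ValueError(f"unparsable SPDX expression near {expression[pos:]!r}")
        token, pos = m.group(1), m.end()
        if token in ("(", ")") or token.upper() in _OPERATORS:
            continue
        if token not in parts:
            parts.append(token)
    return parts


def decode_attachment(attachment: dict) -> str:
    """Decode a CycloneDX attachment object ({"content", "contentType", "encoding"}).
    Base64 is decoded strictly so malformed content raises instead of passing silently."""
    content = attachment["content"]
    if attachment.get("encoding") == "base64":
        return base64.b64decode(content, validate=True).decode("utf-8")
    return content


def missing_part_texts(entry: dict) -> list[str]:
    """For a licenses[] entry of the 'expression' kind, list the identifiers that have
    no text attached. Field names "details", "id", "text" are assumed, not from the schema."""
    have_text = {d["id"] for d in entry.get("details", []) if "text" in d}
    return [p for p in expression_parts(entry["expression"]) if p not in have_text]


# Constructed sample entry (not taken from the CycloneDX test data).
SAMPLE = {
    "expression": "(MIT OR Apache-2.0) AND GPL-2.0-only WITH Classpath-exception-2.0",
    "details": [
        {"id": "MIT", "text": {"contentType": "text/plain", "encoding": "base64",
                               "content": base64.b64encode(b"MIT License ...").decode()}},
        {"id": "Apache-2.0", "text": {"contentType": "text/plain", "content": "Apache License 2.0 ..."}},
    ],
}
```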