Optionally include license text in the License element #15
Comments
Agreed |
|
Hi @stevespringett, What would be the next step to move this forward? |
|
@juanjoDiaz Glad to know your org finds CycloneDX useful and am always happy to have contributions. CycloneDX is a versioned schema. There are a number of improvements coming in schema v1.1. They're documented here: https://github.com/CycloneDX/specification/milestone/1. Most are done or may have minor changes left. SPDX expressions is currently in progress and will likely be complete in the next day or two. The plan is to release 1.1-DRAFT-2 this week followed and a third and final draft the week after. Assuming all tests pass and the community doesn't have any objections, 1.1 will be released on March 1. At that point, all official CycloneDX implementations will need to be updated to support both 1.0 and 1.1 of the specification. For the Defaults to: content-type: text/plain with no encoding <text>text goes here</text>Overriding the default with the specified content-type <text content-type="text/markdown">text goes here</text>Overriding the default with the specified content-type and encoding <text content-type="text/xml" encoding="base64">PGxpY2Vuc2U+dGV4dCBnb2VzIGhlcmU8L2xpY2Vuc2U+</text> |
|
That sounds good. What about the |
|
Regarding the encoding attribute, detecting the exact encoding from the license file with 100% accuracy is challenging, and if failed, it could cause confusion (e.g., UTF-8 versus ISO-8859-1). In my opinion, the encoding is not relevant here. However, we could consider converting longer license texts to base64 in order to keep the look of the XML file elegant. The @stevespringett Any thoughts on these? |
|
@RaineInto I agree with your position on encoding and feel like we should omit that from the specification. I don't want to overburden the various CycloneDX implementations to figure out the exact encoding. The plan is to update all official CycloneDX implementations (npm, nuget, maven, etc) to be able to produce boms compatible with schema 1.0 and 1.1. If a user selects to output v1.1 format, then Going forward, schema versions will be less of an issue as 1.1 can now include any element in a bom or component which is not defined by the specification as long as that element defines an external namespace. So i envision 'extensions' to CycloneDX 1.1 in the future without a real need to modify the spec. |
|
@RaineInto For clarification, encoding (according to the spec) is optional and may only contain a value of "base64" if present. Encoding in this context doesn't mean specifying UTF-8, ISO-8859-1, etc. So the spec supports "data encoding" not "character encoding". |
|
Included in CycloneDX 1.1 |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
This is an enhancement proposal to the CycloneDX specification to support license text.
... <licenses> <license> <name>Juanjo's made-up License</name> <text>Juanjo Diaz(r) Source Code License Agreement\n\nCopyright(c) 2019 Juanjo Diaz. All rights reserved.</text> </license> </licenses> ...There is two use cases for this:
This is specially important for licenses that require it's to be include in any derivative work.
In somes cases this can be automatically obtained from the
LICENSEorLICENSE.mdfile in the asset (specially node or python). NuGet only seem to include the license URL as NPM does (optionally) so aurlfield might be also a good addition to the license element.This proposal might be somehow related to #7 which proposed generic external reference to include, among other, the URL containing the full text of the license. However, I think that this would fit better in the license element.
The text was updated successfully, but these errors were encountered: