Description
Currently (CDX 1.6), we have the following situation:
- for JSON, the known SPDX licence IDs are in their own schema file: https://github.com/CycloneDX/specification/blob/master/schema/spdx.schema.json
- for XML, the known SPDX licence IDs are in their own schema file: https://github.com/CycloneDX/specification/blob/master/schema/spdx.xsd
- for ProtoBuf, the known SPDX licence IDs are not an enum at all, they are just free text (`string`): specification/schema/bom-1.6.proto, lines 397 to 400 in b50ff0d
problem
Using arbitrary strings for `license.id` means that there is just no baked-in safety.
To improve this, I propose to use a dedicated ProtoBuf package that can be maintained and released outside the regular CDX release cycle, just like the enum for JSON and XML.
possible solution
- have a file `spdx.proto`
- use an own package `cyclonedx.spdx`
- declare the enum like:
  ```proto
  enum LicenseId {
    LICENSEID_UNSPECIFIED = 0;
    // 0BSD
    LICENSEID_0BSD = 1;
    // ...
    // Apache-1.0
    LICENSEID_Apache_1_0 = ...;
    // ...
  }
  ```
- have this file checked against breaking changes
  - see https://github.com/CycloneDX/specification/blob/master/tools/src/test/proto/buf_breaking-remote.yaml
  - see https://github.com/CycloneDX/specification/blob/master/tools/src/test/proto/buf_breaking-version.yaml
- have the license file updated with the other `spdx.*` schema files
- in the `bom-1.x.proto` file, use that enum (pseudocode):
  ```proto
  import "spdx.proto"; // provides package cyclonedx.spdx

  message License {
    oneof license {
      // A known SPDX license identifier.
      cyclonedx.spdx.LicenseId id = 1;
      // ...
    }
    // ...
  }
  ```
consideration & research
- ❗ this might be a breaking change - need to investigate
- ❕ need to investigate how/where to publish the schema file, so that it has the intended effect
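As an added illustration of the ❗ item (this is not code from the issue or the CycloneDX project): a minimal hand-rolled protobuf wire-format reader shows what happens when `License.id` changes from `string` to an enum. The two-entry `LICENSE_ID` mapping and the field numbers are constructed assumptions.

```python
# Added example, not CycloneDX code: minimal protobuf wire format (wire types 0 and 2
# only) showing why changing License.id from `string` to an enum breaks old BOM payloads.
WIRE_VARINT, WIRE_LEN = 0, 2  # enum/int32 are varints; string/bytes are length-delimited
LICENSE_ID = {0: "LICENSEID_UNSPECIFIED", 1: "LICENSEID_0BSD"}  # constructed subset

def encode_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def decode_varint(buf: bytes, pos: int):
    result = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos

def encode_field(field_number: int, wire_type: int, payload) -> bytes:
    tag = encode_varint((field_number << 3) | wire_type)
    if wire_type == WIRE_LEN:
        return tag + encode_varint(len(payload)) + payload
    return tag + encode_varint(payload)

def parse_fields(buf: bytes):  # yields (field_number, wire_type, value)
    pos = 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        field_number, wire_type = key >> 3, key & 0x7
        if wire_type == WIRE_LEN:
            length, pos = decode_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            value, pos = decode_varint(buf, pos)
        yield field_number, wire_type, value

def read_license_id(buf: bytes, expect_enum: bool) -> str:
    """Read License.id (field 1) the way a reader built for one schema does."""
    want = WIRE_VARINT if expect_enum else WIRE_LEN
    for num, wt, value in parse_fields(buf):
        if num == 1 and wt == want:
            return LICENSE_ID.get(value, f"UNKNOWN({value})") if expect_enum else value.decode()
    # An unexpected wire type is skipped as "unknown", so the license silently becomes the default.
    return LICENSE_ID[0] if expect_enum else ""
OLD_BOM = encode_field(1, WIRE_LEN, b"0BSD")  # written by a CDX 1.6 (string) producer
NEW_BOM = encode_field(1, WIRE_VARINT, 1)     # written by a producer using the enum
```

The old payload read through the enum schema yields `LICENSEID_UNSPECIFIED` and the new payload read through the string schema yields an empty id, which is exactly the silent data loss a breaking-change check (buf's type comparison) is meant to catch.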