Description
Describe the feature
CycloneDX allows multiple licenses in parallel, per component/evidence/etc.
Currently, it is possible to have multiple "declared" licenses.
Currently, it is possible to have multiple "concluded" licenses.
It is desired to only have one "concluded" license -- how would you have multiple?
Similar situation with the "declared" licenses.
For evidence, we have the desire to not have any license acknowledgement at all.
Changing this from a "MAY" (current state) to a "MUST"/"MUST NOT" would be a breaking change.
Using a "SHOULD" might easily be possible for ambiguous license lists.
Using a "MUST" for license expressions -- for "concluded", and a "SHOULD" for "declared".
There must be no constraints for license evidence!
Possible solutions
Change the spec text
- for evidence, have the text say "licenses should not have an acknowledgement; if they do, it shall be ignored."
- for components/services/etc, have the text say "licenses should have an acknowledgement; the same acknowledgement shall be used not more than once."
A follow-up: create a ticket for v2.0 that makes these should/shall a must.
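The two proposed rules (acknowledgement present at most once per value on component/service licenses; no acknowledgement on evidence licenses, and ignored if present) are small enough to check mechanically. The following checker is an added example written for this ticket, not code from the CycloneDX project or its tooling. It assumes the CycloneDX 1.6 JSON layout, where each entry of a `licenses` array is either `{"license": {...}}` or `{"expression": "..."}` and `acknowledgement` ("declared" or "concluded") sits on the `license` object or next to `expression`; the sample BOM is constructed for the example.

```python
"""Check the license-acknowledgement rules proposed in this ticket.

Added example, not CycloneDX project code. Assumes the CycloneDX 1.6 JSON
shape for ``licenses`` (licenseChoice) and ``evidence.licenses``.
"""

VALID_ACKS = {"declared", "concluded"}


def _ack_of(choice: dict):
    """Return the acknowledgement of one licenseChoice entry, or None."""
    if "expression" in choice:
        return choice.get("acknowledgement")
    return (choice.get("license") or {}).get("acknowledgement")


def _walk_components(components, path="components"):
    """Yield (json-path, component) for every component, including nested ones."""
    for i, comp in enumerate(components or []):
        here = f"{path}[{i}]"
        yield here, comp
        yield from _walk_components(comp.get("components"), f"{here}.components")


def check_licenses(licenses: list, where: str) -> list:
    """Rule for components/services: each entry SHOULD have an acknowledgement,
    and the same acknowledgement SHALL be used not more than once."""
    findings = []
    seen = {}  # acknowledgement value -> index of first entry carrying it
    for i, choice in enumerate(licenses):
        ack = _ack_of(choice)
        if ack is None:
            findings.append(f"{where}[{i}]: SHOULD carry an acknowledgement")
        elif ack not in VALID_ACKS:
            findings.append(f"{where}[{i}]: unknown acknowledgement {ack!r}")
        elif ack in seen:
            findings.append(
                f"{where}[{i}]: {ack!r} already used at {where}[{seen[ack]}] "
                "(SHALL be used not more than once)"
            )
        else:
            seen[ack] = i
    return findings


def check_evidence(licenses: list, where: str) -> list:
    """Rule for evidence: entries SHOULD NOT carry an acknowledgement;
    a consumer ignores it if present, so this only reports it."""
    return [
        f"{where}[{i}]: acknowledgement on evidence SHOULD be absent (ignored)"
        for i, choice in enumerate(licenses)
        if _ack_of(choice) is not None
    ]


def check_bom(bom: dict) -> list:
    """Apply both rules to every component (recursively) and every service."""
    findings = []
    for path, comp in _walk_components(bom.get("components")):
        findings += check_licenses(comp.get("licenses") or [], f"{path}.licenses")
        evidence = (comp.get("evidence") or {}).get("licenses") or []
        findings += check_evidence(evidence, f"{path}.evidence.licenses")
    for i, svc in enumerate(bom.get("services") or []):
        findings += check_licenses(svc.get("licenses") or [], f"services[{i}].licenses")
    return findings


# Constructed sample BOM (not from any real project): one compliant
# component and one that breaks every proposed rule once.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {
            "type": "library",
            "name": "well-formed",
            "licenses": [
                {"license": {"id": "MIT", "acknowledgement": "declared"}},
                {"expression": "MIT OR Apache-2.0", "acknowledgement": "concluded"},
            ],
        },
        {
            "type": "library",
            "name": "needs-attention",
            "licenses": [
                {"license": {"id": "GPL-2.0-only", "acknowledgement": "concluded"}},
                {"license": {"id": "GPL-3.0-only", "acknowledgement": "concluded"}},
                {"license": {"name": "vendor custom license"}},
            ],
            "evidence": {
                "licenses": [
                    {"license": {"id": "MIT", "acknowledgement": "declared"}},
                ]
            },
        },
    ],
}

if __name__ == "__main__":
    for line in check_bom(SAMPLE_BOM):
        print(line)
```

Run as a script it prints one line per rule violation in the second component (a second "concluded", an entry with no acknowledgement, and an acknowledgement on evidence) and nothing for the first. Because the evidence rule is "shall be ignored" rather than "shall be rejected", `check_evidence` only reports, so a consumer can keep processing the BOM.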
Alternatives
What other things would suit the needs?
Additional context
this ticket was created because of