feat(cyclonedx): Include the effective license as an SPDX expression

fviernau · fviernau · commit d965a780a268 · 2026-05-12T11:23:25.000+02:00
In CycloneDX 1.7 it will be possible to change ORT's implementation to place only a single (expression) object into `component.license[]` and move all the additional license information under the `expressionDetails` property [^1] of that expression, such as for example the origin of the license. This way, the report would contain the effective license in the components dedicated field as an SPDX expression. As the `expressionDetails` is not yet present in CycloneDX 1.6, that refactoring is not yet possible. So, simply use a generic property to annotate the component with the effective license SPDX expression. Note: Currently, `component.license[]` contains exactly the license identifiers contained in the effective license. If the effective license contains (unmade) license choices, that current representation lacks some information compared to the effective license SPDX expression. [1]: https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_licenses_items_oneOf_i1_expressionDetails Signed-off-by: Frank Viernau <frank.viernau@gmail.com>
diff --git a/plugins/reporters/cyclonedx/README.md b/plugins/reporters/cyclonedx/README.md
@@ -7,4 +7,5 @@ This table defines the [taxonomy](https://cyclonedx.github.io/cyclonedx-property
 | Property Name | Parent Entity | Description |
 | ------------- | ------------- | ----------- |
 | `ort:dependencyType` | `component` | The type of dependency in relation to the parent component. Valid values: "direct", "transitive". |
+| `ort:effectiveLicense` | `component` | The effective license of the component as an SPDX expression. |
 | `ort:origin` | `license` | The origin of the license. Valid values: "declared license", "detected license", "concluded license". |
diff --git a/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-different-projects.json b/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-different-projects.json
@@ -36,7 +36,13 @@
           }
         }
       ],
-      "copyright" : "Copyright 1"
+      "copyright" : "Copyright 1",
+      "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        }
+      ]
     },
     "licenses" : [
       {
@@ -141,6 +147,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND MIT WITH Libtool-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -205,6 +215,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -251,6 +265,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -334,6 +352,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause AND LicenseRef-scancode-truecrypt-3.1 AND LGPL-3.0-or-later WITH openvpn-openssl-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -374,6 +396,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
diff --git a/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-name-override.json b/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-name-override.json
@@ -37,7 +37,13 @@
           }
         }
       ],
-      "copyright" : "Copyright 1"
+      "copyright" : "Copyright 1",
+      "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        }
+      ]
     },
     "licenses" : [
       {
@@ -142,6 +148,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND MIT WITH Libtool-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -206,6 +216,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -252,6 +266,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -335,6 +353,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause AND LicenseRef-scancode-truecrypt-3.1 AND LGPL-3.0-or-later WITH openvpn-openssl-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -375,6 +397,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
diff --git a/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-top-level-project.json b/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-top-level-project.json
@@ -37,7 +37,13 @@
           }
         }
       ],
-      "copyright" : "Copyright 1"
+      "copyright" : "Copyright 1",
+      "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        }
+      ]
     },
     "licenses" : [
       {
@@ -142,6 +148,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND MIT WITH Libtool-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -206,6 +216,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -252,6 +266,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -335,6 +353,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause AND LicenseRef-scancode-truecrypt-3.1 AND LGPL-3.0-or-later WITH openvpn-openssl-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -375,6 +397,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
diff --git a/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-type-override.json b/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-type-override.json
@@ -37,7 +37,13 @@
           }
         }
       ],
-      "copyright" : "Copyright 1"
+      "copyright" : "Copyright 1",
+      "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        }
+      ]
     },
     "licenses" : [
       {
@@ -142,6 +148,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND MIT WITH Libtool-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -206,6 +216,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -252,6 +266,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -335,6 +353,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause AND LicenseRef-scancode-truecrypt-3.1 AND LGPL-3.0-or-later WITH openvpn-openssl-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -375,6 +397,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
diff --git a/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-with-findings.json b/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-with-findings.json
@@ -38,7 +38,13 @@
           }
         }
       ],
-      "copyright" : "Copyright 1"
+      "copyright" : "Copyright 1",
+      "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        }
+      ]
     },
     "licenses" : [
       {
@@ -143,6 +149,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND MIT WITH Libtool-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -207,6 +217,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -253,6 +267,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -336,6 +354,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT AND BSD-3-Clause AND LicenseRef-scancode-truecrypt-3.1 AND LGPL-3.0-or-later WITH openvpn-openssl-exception"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
@@ -376,6 +398,10 @@
         }
       ],
       "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "MIT"
+        },
         {
           "name" : "ort:dependencyType",
           "value" : "direct"
diff --git a/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-without-findings.json b/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result-without-findings.json
@@ -20,7 +20,13 @@
       "group" : "@ort",
       "name" : "project-without-findings",
       "version" : "1.0",
-      "description" : ""
+      "description" : "",
+      "properties" : [
+        {
+          "name" : "ort:effectiveLicense",
+          "value" : "NONE"
+        }
+      ]
     },
     "licenses" : [
       {
diff --git a/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result.json b/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result.json
diff --git a/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result.xml b/plugins/reporters/cyclonedx/src/funTest/resources/cyclonedx-reporter-expected-result.xml
diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxModelMapper.kt b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxModelMapper.kt

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,13 @@`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`	`],`
`39`		`- "copyright" : "Copyright 1"`
	`39`	`+ "copyright" : "Copyright 1",`
	`40`	`+ "properties" : [`
	`41`	`+ {`
	`42`	`+ "name" : "ort:effectiveLicense",`
	`43`	`+ "value" : "MIT"`
	`44`	`+ }`
	`45`	`+ ]`
`40`	`46`	`},`
`41`	`47`	`"licenses" : [`
`42`	`48`	`{`
`@@ -141,6 +147,10 @@`
`141`	`147`	`}`
`142`	`148`	`],`
`143`	`149`	`"properties" : [`
	`150`	`+ {`
	`151`	`+ "name" : "ort:effectiveLicense",`
	`152`	`+ "value" : "MIT AND MIT WITH Libtool-exception"`
	`153`	`+ },`
`144`	`154`	`{`
`145`	`155`	`"name" : "ort:dependencyType",`
`146`	`156`	`"value" : "direct"`
`@@ -205,6 +215,10 @@`
`205`	`215`	`}`
`206`	`216`	`],`
`207`	`217`	`"properties" : [`
	`218`	`+ {`
	`219`	`+ "name" : "ort:effectiveLicense",`
	`220`	`+ "value" : "MIT AND BSD-3-Clause"`
	`221`	`+ },`
`208`	`222`	`{`
`209`	`223`	`"name" : "ort:dependencyType",`
`210`	`224`	`"value" : "direct"`
`@@ -251,6 +265,10 @@`
`251`	`265`	`}`
`252`	`266`	`],`
`253`	`267`	`"properties" : [`
	`268`	`+ {`
	`269`	`+ "name" : "ort:effectiveLicense",`
	`270`	`+ "value" : "MIT"`
	`271`	`+ },`
`254`	`272`	`{`
`255`	`273`	`"name" : "ort:dependencyType",`
`256`	`274`	`"value" : "direct"`
`@@ -334,6 +352,10 @@`
`334`	`352`	`}`
`335`	`353`	`],`
`336`	`354`	`"properties" : [`
	`355`	`+ {`
	`356`	`+ "name" : "ort:effectiveLicense",`
	`357`	`+ "value" : "MIT AND BSD-3-Clause AND LicenseRef-scancode-truecrypt-3.1 AND LGPL-3.0-or-later WITH openvpn-openssl-exception"`
	`358`	`+ },`
`337`	`359`	`{`
`338`	`360`	`"name" : "ort:dependencyType",`
`339`	`361`	`"value" : "direct"`
`@@ -374,6 +396,10 @@`
`374`	`396`	`}`
`375`	`397`	`],`
`376`	`398`	`"properties" : [`
	`399`	`+ {`
	`400`	`+ "name" : "ort:effectiveLicense",`
	`401`	`+ "value" : "MIT"`
	`402`	`+ },`
`377`	`403`	`{`
`378`	`404`	`"name" : "ort:dependencyType",`
`379`	`405`	`"value" : "direct"`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,13 @@`
`37`	`37`	`}`
`38`	`38`	`}`
`39`	`39`	`],`
`40`		`- "copyright" : "Copyright 1"`
	`40`	`+ "copyright" : "Copyright 1",`
	`41`	`+ "properties" : [`
	`42`	`+ {`
	`43`	`+ "name" : "ort:effectiveLicense",`
	`44`	`+ "value" : "MIT"`
	`45`	`+ }`
	`46`	`+ ]`
`41`	`47`	`},`
`42`	`48`	`"licenses" : [`
`43`	`49`	`{`
`@@ -142,6 +148,10 @@`
`142`	`148`	`}`
`143`	`149`	`],`
`144`	`150`	`"properties" : [`
	`151`	`+ {`
	`152`	`+ "name" : "ort:effectiveLicense",`
	`153`	`+ "value" : "MIT AND MIT WITH Libtool-exception"`
	`154`	`+ },`
`145`	`155`	`{`
`146`	`156`	`"name" : "ort:dependencyType",`
`147`	`157`	`"value" : "direct"`
`@@ -206,6 +216,10 @@`
`206`	`216`	`}`
`207`	`217`	`],`
`208`	`218`	`"properties" : [`
	`219`	`+ {`
	`220`	`+ "name" : "ort:effectiveLicense",`
	`221`	`+ "value" : "MIT AND BSD-3-Clause"`
	`222`	`+ },`
`209`	`223`	`{`
`210`	`224`	`"name" : "ort:dependencyType",`
`211`	`225`	`"value" : "direct"`
`@@ -252,6 +266,10 @@`
`252`	`266`	`}`
`253`	`267`	`],`
`254`	`268`	`"properties" : [`
	`269`	`+ {`
	`270`	`+ "name" : "ort:effectiveLicense",`
	`271`	`+ "value" : "MIT"`
	`272`	`+ },`
`255`	`273`	`{`
`256`	`274`	`"name" : "ort:dependencyType",`
`257`	`275`	`"value" : "direct"`
`@@ -335,6 +353,10 @@`
`335`	`353`	`}`
`336`	`354`	`],`
`337`	`355`	`"properties" : [`
	`356`	`+ {`
	`357`	`+ "name" : "ort:effectiveLicense",`
	`358`	`+ "value" : "MIT AND BSD-3-Clause AND LicenseRef-scancode-truecrypt-3.1 AND LGPL-3.0-or-later WITH openvpn-openssl-exception"`
	`359`	`+ },`
`338`	`360`	`{`
`339`	`361`	`"name" : "ort:dependencyType",`
`340`	`362`	`"value" : "direct"`
`@@ -375,6 +397,10 @@`
`375`	`397`	`}`
`376`	`398`	`],`
`377`	`399`	`"properties" : [`
	`400`	`+ {`
	`401`	`+ "name" : "ort:effectiveLicense",`
	`402`	`+ "value" : "MIT"`
	`403`	`+ },`
`378`	`404`	`{`
`379`	`405`	`"name" : "ort:dependencyType",`
`380`	`406`	`"value" : "direct"`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,13 @@`
`38`	`38`	`}`
`39`	`39`	`}`
`40`	`40`	`],`
`41`		`- "copyright" : "Copyright 1"`
	`41`	`+ "copyright" : "Copyright 1",`
	`42`	`+ "properties" : [`
	`43`	`+ {`
	`44`	`+ "name" : "ort:effectiveLicense",`
	`45`	`+ "value" : "MIT"`
	`46`	`+ }`
	`47`	`+ ]`
`42`	`48`	`},`
`43`	`49`	`"licenses" : [`
`44`	`50`	`{`
`@@ -143,6 +149,10 @@`
`143`	`149`	`}`
`144`	`150`	`],`
`145`	`151`	`"properties" : [`
	`152`	`+ {`
	`153`	`+ "name" : "ort:effectiveLicense",`
	`154`	`+ "value" : "MIT AND MIT WITH Libtool-exception"`
	`155`	`+ },`
`146`	`156`	`{`
`147`	`157`	`"name" : "ort:dependencyType",`
`148`	`158`	`"value" : "direct"`
`@@ -207,6 +217,10 @@`
`207`	`217`	`}`
`208`	`218`	`],`
`209`	`219`	`"properties" : [`
	`220`	`+ {`
	`221`	`+ "name" : "ort:effectiveLicense",`
	`222`	`+ "value" : "MIT AND BSD-3-Clause"`
	`223`	`+ },`
`210`	`224`	`{`
`211`	`225`	`"name" : "ort:dependencyType",`
`212`	`226`	`"value" : "direct"`
`@@ -253,6 +267,10 @@`
`253`	`267`	`}`
`254`	`268`	`],`
`255`	`269`	`"properties" : [`
	`270`	`+ {`
	`271`	`+ "name" : "ort:effectiveLicense",`
	`272`	`+ "value" : "MIT"`
	`273`	`+ },`
`256`	`274`	`{`
`257`	`275`	`"name" : "ort:dependencyType",`
`258`	`276`	`"value" : "direct"`
`@@ -336,6 +354,10 @@`
`336`	`354`	`}`
`337`	`355`	`],`
`338`	`356`	`"properties" : [`
	`357`	`+ {`
	`358`	`+ "name" : "ort:effectiveLicense",`
	`359`	`+ "value" : "MIT AND BSD-3-Clause AND LicenseRef-scancode-truecrypt-3.1 AND LGPL-3.0-or-later WITH openvpn-openssl-exception"`
	`360`	`+ },`
`339`	`361`	`{`
`340`	`362`	`"name" : "ort:dependencyType",`
`341`	`363`	`"value" : "direct"`
`@@ -376,6 +398,10 @@`
`376`	`398`	`}`
`377`	`399`	`],`
`378`	`400`	`"properties" : [`
	`401`	`+ {`
	`402`	`+ "name" : "ort:effectiveLicense",`
	`403`	`+ "value" : "MIT"`
	`404`	`+ },`
`379`	`405`	`{`
`380`	`406`	`"name" : "ort:dependencyType",`
`381`	`407`	`"value" : "direct"`