Skip to content

[FEATURE]: "properties" on an SPDX-expression license #549

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mcombuechen opened this issue Dec 6, 2024 · 7 comments · Fixed by #599 · May be fixed by #511
Closed

[FEATURE]: "properties" on an SPDX-expression license #549

mcombuechen opened this issue Dec 6, 2024 · 7 comments · Fixed by #599 · May be fixed by #511
Assignees
@jkowalleck
Labels
promote to tc54 Promote to Ecma Technical Committee 54 proposed core enhancement RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration RFC vote accepted tc54 accepted Ecma TC54 has accepted the feature candidate
Milestone
1.7

Comments

@mcombuechen
Copy link

Describe the feature

When defining a component's licenses, one has three options to choose from:

  1. A license with SPDX identifier
  2. A named license
  3. An SPDX license expression

While options 1 & 2 afford the possibility of a "properties" attribute (key-value store), this is not available on option 3, the SPDX expression. See https://cyclonedx.org/docs/1.6/json/#tab-pane_components_items_licenses_oneOf_i1.

Would it make sense to also add "properties" to an SPDX-expression license?

Possible solutions

Add "properties" as an optional attribute to SPDX-expression licenses.

Alternatives

n.a.

Additional context

We are looking to store custom data plus an SPDX expression on a license definition.
@stevespringett
Copy link
Member

Thanks for the suggestion. What is the use case? Do you want to annotate licenses? If so, the annotations feature can provide this functionality today. See https://cyclonedx.org/docs/1.6/json/#annotations

If you’re looking to store data, what kind of data is it?

@mcombuechen
Copy link
Author

We are in the process of adopting CycloneDX as an internal DTO; there are a few edge cases where we would like to stuff prioprietary data into the documents. For the sake of illustration, let's say we'd like to attach a createdAt value to a license. It would be great if there could be something like:

{
  "expression": "MIT",
  "properties": {
    "snyk:createdAt": "2001-01-01T12:00:00.000+00:00"
  }
}

For any consuming application of this document it would be easy to look this information up. Looking in other parts of the document would increase complexity ever so slightly.

I understand that this is a "it's not you, it's me" problem: if we have certain feature requests because we'd like to use them internally, we should not force that onto the specification. However, since other license definition option afford the "properties" feature, maybe an SPDX license expression could, too?

@Joerki Joerki mentioned this issue Feb 21, 2025
Merged
4 tasks
@Joerki
Copy link

Joerki commented Feb 21, 2025
edited
Loading

Basically I see that it should be possible to provide the same information for elements for an SPDX license expression as with have already with ID/name license elements.

See also #599.

@jkowalleck
Copy link
Member

See also #599.

the structures we are planning via #599 are easily extendable for additional data (properties/fields/elements/attributes)

@jkowalleck jkowalleck added this to the 1.7 milestone Feb 27, 2025
@jkowalleck
Copy link
Member

jkowalleck commented Feb 27, 2025
edited
Loading

added this to milestone 1.7,
as this ticket looks like a low-hanging fruit after #599 got implemented.

@jkowalleck jkowalleck self-assigned this Feb 27, 2025
@jkowalleck jkowalleck linked a pull request Feb 27, 2025 that will close this issue
feat: license expression details and properties - text attachment, licensing, etc #599
Merged
4 tasks
@jkowalleck
Copy link
Member

this feature is expected to be solved via #599

@jkowalleck jkowalleck added the RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration label Mar 16, 2025
@jkowalleck jkowalleck mentioned this issue Mar 18, 2025
Open
@jkowalleck jkowalleck added RFC vote accepted promote to tc54 Promote to Ecma Technical Committee 54 labels Apr 14, 2025
@jkowalleck jkowalleck mentioned this issue Jun 5, 2025
Draft
@jkowalleck jkowalleck added the tc54 accepted Ecma TC54 has accepted the feature candidate label Jun 5, 2025
@jkowalleck
Copy link
Member

the solution for this was just accepted by Ecma TC54 🚀

jkowalleck added a commit that referenced this issue Jun 5, 2025
@jkowalleck
feat: license expression details and properties - text attachment, li…
6425bd8 
…censing, etc (#599)

As discussed via #549, this PR adds new structures to allow documenting
the licensing and "properties" of SPDX expressions
As discussed via #554, this PR adds new structures to allow documenting
the license texts for SPDX expressions' individual parts.


----

TODO
- [x] agree on data models & finalize examples
- [x] write the schemata 
- [x] write the spec
- [x] write a proper summary for this PR

----

- fixes #554
- fixes #549
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jkowalleck jkowalleck

Labels
promote to tc54 Promote to Ecma Technical Committee 54 proposed core enhancement RFC notice sent A public RFC notice was distributed to the CycloneDX mailing list for consideration RFC vote accepted tc54 accepted Ecma TC54 has accepted the feature candidate
Projects
None yet
Milestone
1.7
4 participants
@mcombuechen @Joerki @jkowalleck @stevespringett