From bcb4ba1853b29544a2fa327ce742597f1f01ec3a Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Mon, 14 Apr 2025 22:22:56 +0200
Subject: [PATCH] feat: license acknowledge should beunique
Signed-off-by: Jan Kowalleck
---
 schema/bom-1.7.proto | 11 +++++++----
 schema/bom-1.7.schema.json | 11 +++++++----
 schema/bom-1.7.xsd | 28 +++++++++++++++++++++++++---
 3 files changed, 39 insertions(+), 11 deletions(-)
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 999dccba..097cf25b 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -122,7 +122,8 @@ message Component {
 optional Scope scope = 11;
 // The hashes of the component.
 repeated Hash hashes = 12;
- // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+ // There should be no more than one per license acknowledgement.
 repeated LicenseChoice licenses = 13;
 // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
 optional string copyright = 14;
@@ -520,7 +521,7 @@ message Metadata {
 // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
 optional OrganizationalEntity supplier = 6;
 // The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
- // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+ // There should be no more than one per license acknowledgement.
 repeated LicenseChoice licenses = 7;
 // Specifies optional, custom, properties
 repeated Property properties = 8;
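Review bot: The comment added to `licenses` in `message Component` states a constraint that protobuf cannot enforce, and its wording leaves open what "no more than one per license acknowledgement" means (one entry per acknowledgement value, or one acknowledgement per entry). The field that carries the acknowledgement is not in this hunk, so I am inferring the intent from the commit title. I would spell it out and say where enforcement lives: `// At most one entry may carry a given license acknowledgement value. The schema cannot enforce this; validators and BOM-merging tools must check it and must not assume deserialized input satisfies it.` The `Component` message continues outside the hunk.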
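Review bot: The `Metadata.licenses` hunk replaces the `// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)` line instead of appending to it, so the proto loses the either/or structure note for this field while the `Component`, `Service` and `Evidence` hunks in the same patch keep it. If that is deliberate (the JSON description of the same field in the `@@ -704` hunk never had the sentence), the asymmetry deserves a sentence in the commit message; otherwise keep `// EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).` and add the new `// There should be no more than one per license acknowledgement.` line after it, as the other hunks do. `message Metadata` starts and ends outside the hunk.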
@@ -655,7 +656,8 @@ message Service {
 optional bool x_trust_boundary = 9;
 // Specifies information about the data including the directional flow of data and the data classification.
 repeated DataFlow data = 10;
- // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+ // There should be no more than one per license acknowledgement.
 repeated LicenseChoice licenses = 11;
 // Provides the ability to document external references related to the service.
 repeated ExternalReference external_references = 12;
@@ -759,7 +761,8 @@ message EvidenceCopyright {

 // Provides the ability to document evidence collected through various forms of extraction or analysis.
 message Evidence {
- // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+ // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+ // There should be no license acknowledgement assigned to any of these.
 repeated LicenseChoice licenses = 1;
 // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
 repeated EvidenceCopyright copyright = 2;
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 60459495..58c539b7 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -704,7 +704,7 @@
 },
 "licenses": {
 "title": "BOM License(s)",
- "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
+ "description": "The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.\nThere should be no more than one per license acknowledgement.",
 "$ref": "#/definitions/licenseChoice"
 },
 "properties": {
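Review bot: The new `Evidence.licenses` comment `// There should be no license acknowledgement assigned to any of these.` states a prohibition without saying why, and "should" leaves it unclear whether a consumer that finds an acknowledgement on an evidence entry must reject the document or ignore the value. Presumably the reasoning is that evidence records what was observed rather than what a supplier asserts, but nothing in the hunk says so, and the acknowledgement field itself is not visible here. I would give both the reason and the expected handling: `// License evidence is observed, not asserted, so entries here carry no acknowledgement; producers must not set one, and consumers should treat a present acknowledgement as a validation error rather than silently honouring it.` The JSON and XSD counterparts later in the patch repeat the same sentence and should be aligned with whatever wording is chosen here; `message Evidence` continues past the hunk.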
@@ -965,7 +965,8 @@
 },
 "licenses": {
 "$ref": "#/definitions/licenseChoice",
- "title": "Component License(s)"
+ "title": "Component License(s)",
+ "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).\nThere should be no more than one per license acknowledgement."
 },
 "copyright": {
 "type": "string",
@@ -1968,7 +1969,8 @@
 },
 "licenses": {
 "$ref": "#/definitions/licenseChoice",
- "title": "Service License(s)"
+ "title": "Service License(s)",
+ "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).\nThere should be no more than one per license acknowledgement."
 },
 "externalReferences": {
 "type": "array",
@@ -2242,7 +2244,8 @@
 },
 "licenses": {
 "$ref": "#/definitions/licenseChoice",
- "title": "License Evidence"
+ "title": "License Evidence",
+ "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).\nThere should be no license acknowledgement assigned to any of these."
 },
 "copyright": {
 "type": "array",
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index dfc9eaa5..be7bf3d1 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -243,6 +243,7 @@ limitations under the License. The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes. + There should be no more than one per license acknowledgement.
@@ -595,7 +596,14 @@ limitations under the License. - + + + "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression). + There should be no more than one per license acknowledgement. + + + A copyright notice informing users of the underlying claims to copyright ownership in a published work.
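Review bot: The documentation text added in the `@@ -595,7 +596,14 @@` hunk of bom-1.7.xsd starts with a stray double quote, `"EITHER (list of SPDX licenses and/or named licenses) OR (...)`, which neither the proto nor the JSON version of the same sentence has and which will be carried verbatim into anything that renders the `xs:documentation`; drop it so the line reads `EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).`. The XML tags around these lines have been stripped in this rendering, so I am placing the annotation on the component `licenses` element from the following copyright-notice context rather than from visible markup. Separately, XSD is the one schema in this patch that could actually enforce the rule: if the license element exposes the acknowledgement as an attribute, an `xs:unique` on the `licenses` element (selector on the license children, field on that attribute) would turn the "should" into a validation error instead of prose, and is worth considering here.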
@@ -2214,7 +2222,14 @@ limitations under the License. - + + + "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression). + There should be no more than one per license acknowledgement. + + + Provides the ability to document external references related to the service.
@@ -2701,7 +2716,14 @@ limitations under the License. - + + + EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression). + There should be no license acknowledgement assigned to any of these. + + +
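Review bot: The documentation added in the `@@ -2214,7 +2222,14 @@` hunk has the same stray leading double quote as the component hunk, `"EITHER (list of SPDX licenses ...`, while the evidence hunk directly below it (`@@ -2701`) starts the sentence correctly without one; remove the quote so all three read `EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).`. From the trailing "external references related to the service" context this is presumably the service `licenses` element, but the XML tags have been stripped from this rendering and the enclosing element definition starts and ends outside the hunk, so I cannot confirm which element the annotation attaches to.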