
feat: Add complete License-Text to SBOM result

Open jkowalleck opened this issue 1 year ago • 3 comments

caused by #22

similar to

  • https://github.com/CycloneDX/cyclonedx-python/issues/570
  • https://github.com/CycloneDX/cyclonedx-node-npm/issues/256

Is your feature request related to a problem? Please describe.

For legal documentation, we need the original text of the licenses of components.

Describe the solution you'd like

An option to enable integration of the license-text in the BOM file, like the old @cyclonedx/bom package had, would be great to have again here.


read https://cyclonedx.org/news/cyclonedx-v1.3-released/#copyright-and-license-evidence

Acceptance criteria

  • the feature to add license texts should be enabled by a CLI switch called --gather-license-evidence (name to be discussed)
  • the feature is disabled per default
  • only if the feature is enabled:
    • for all components, meta-components, root-components and nested components: regardless of SPDX license ID, SPDX license expression or named license, the detected license texts should be added, each as an evidence. Examples:
      {
        //...
        "evidence": {
          "licenses": [
            {"id":"Apache-2.0", "text": {
              "contentType": "text/plain",
              "encoding": "base64",
              // base64 of content of file `LICENSE`
              "content": "bG9yZW0gaXBzdW0="
            }},
            {"name":"file: NOTICE", "text": {
              "contentType": "text/plain",
              "encoding": "base64",
              // base64 of content of file `NOTICE`
              "content": "bG9yZW0gaXBzdW0="
            }}
          ]
        },
        // ...
      }

    • if a license text is detected with the package, it would be added to Component's @.evidence.licenses
      • @.name would be 'License of <PackageName>: '
      • @.text would hold the text
        • the content type is to be derived from file extension
        • the content SHOULD be base64 encoded
    • license files patterns are:
      • LICEN[CS]E*
      • NOTICE* -- addendum for Apache-2.0 and others
    • if no license text is shipped with a package, no license text is added as an evidence. Nope, no license template is derived from package's declared SPDX license id.
      Reason: license templates (like BSD clause 3) are designed to be modified (unlike others, like Apache2, which is not a template but a complete text)

jkowalleck avatar Mar 13 '24 10:03 jkowalleck

The license text feature was removed from the code, to ease the way to v1.0/MVP. With the v1.0 release candidate being public for some time now, I do not expect any internal refactoring or changes soon. This means, the implementation is ready to be extended.

@AugustusKling, are you still interested in working on a license text gathering for component evidences?

jkowalleck avatar Jun 07 '24 17:06 jkowalleck

@jkowalleck I'm still willing to provide code to add the license gathering. That said, I'm somewhat occupied these days so I don't know when this will happen.

So far I didn't even find time to go through your changes to the implementation nor to try it out to provide feedback.

AugustusKling avatar Jun 07 '24 18:06 AugustusKling

A similar feature was added to the webpack plugin; see https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1309 and https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1312

jkowalleck avatar Oct 08 '24 09:10 jkowalleck

This feature was released via v1.1.0

jkowalleck avatar Jan 14 '25 13:01 jkowalleck