Example for license texts

[cuhland]

The CyclonDX specification allows to add the text of a license

1. since 1.2 directly in the license
2. since 1.3 as evidence

Unfortunately there is no example of this in the bom-examples repository.

Another topic I wanted to bring up here (don't know where to address it otherwise) is the implementation in the various projects. The generators are not working consistent, and most miss the option to configure if the license-text should be added directly to the license or if it should be added as evidence.

I will give an overview here

project	inserted as
cyclonedx-gomod	?
cyclonedx-maven-plugin	license
cyclonedx-node-yarn	evidence
cyclonedx-node-npm	evidence
cyclonedx-webpack-plugin	evidence
cyclonedx-python	license and/or evidence
to be continued	..

*) the list was adjusted, extended and updated my the CycloneDX-CWG/maintainers

[jkowalleck]

Thank you for the feedback, @cuhland .

Another topic I wanted to bring up here (don't know where to address it otherwise) is the implementation in the various projects. The generators are not working consistent, and most miss the option to configure if the license-text should be added directly to the license or if it should be added as evidence.

Observed license texts are "evidence", while declared licenses are component licenses with the respective "acknowledgement".

The respective implementation heavily depends on the data source, and therefore there cannot be a consistency.
For example, in python it is possible to include or even import license texts in the package metadata/manifest -- this is a declared license text.
For example, in NodeJS there is only a license id/expression possible in metadata/manifest, license texts need to be gathered from files in the package -- this is a observed license (license evidence).

here is an example with observed licenses in an NPM-sourced package: https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/affddd57a515e8ac49ba5d43fa576fb92a4993f5/tests/integration/__snapshots__/index.test.js.snap#L6760-L6805
here is an example with declared licenses in a Python-env package: https://github.com/CycloneDX/cyclonedx-python/blob/main/tests/_data/snapshots/environment/pep639-texts_with-license-pep639_1.6.xml.bin

---

Our CycloneDX generators are community efforts. If you feel there is a need for improvement, let them know - write a ticket in the respective project, describe your needs, and see if your request is feasible based on the actual data source the generator works on. You can ping me in any such ticket, and i will see if i can help the maintainers figure things out :-)
In some projects the respective tickets for these feature already exist. For some project the feature is in the making, for other projects the feature is still not championed. Feel free to contribute where ever you (or your organization) can.