License Schema Inconsistency between XML/JSON #133
Comments
Ah, sorry - realised I was misreading the JSON schema and 'Name' can be used instead. What, however, should we be doing if a package doesn't provide a license name? Is this a case of manually updating the BOM by hand? EDIT: This is still inconsistent since 'choice' in the XML schema doesn't enforce that at least one element must be present, but rather that only one of the elements can be present.
I would recommend naming the license after 1) the name of the project, or 2) the name of the organization, whichever is most relevant. The important thing is to capture the complete license text for non-standard licenses. For example:
I'm not entirely sure why that is. Will need to investigate. See also: https://cyclonedx.org/use-cases/#license-compliance
Okay, thanks - I'll use the CycloneDX Core models to add in the missing information in a follow-up script.
This report appears to be still relevant. Change/patch:
<xs:choice>
- <xs:element name="id" type="spdx:licenseId" minOccurs="0" maxOccurs="1">
+ <xs:element name="id" type="spdx:licenseId" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>A valid SPDX license ID</xs:documentation>
</xs:annotation>
</xs:element>
- <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
+ <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>If SPDX does not define the license used, this field may be used to provide the license name</xs:documentation>
</xs:annotation>
</xs:element>
</xs:choice>
Unfortunately, this would be a breaking change, even though it fixes a "bug".
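Review bot: with both child elements moved to minOccurs="1", the `<xs:choice>` (which shows no minOccurs of its own here, so it defaults to 1) can no longer be satisfied by zero elements, so a license must carry either `id` or `name`; that is the intended fix, but the `xs:documentation` on `name` still reads "this field may be used to provide the license name" and should be updated to say that `name` is required whenever no SPDX ID applies. As the comment notes, any existing BOM that carries only `<url>` (the System.IO case in the issue) stops validating, so the change is a breaking one and needs a schema version bump rather than an in-place patch.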
The XML schema does not require an ID for the license property, whereas the JSON schema not only requires it but also enforces that it be one of the SPDX values specified.
This causes problems when a package does not provide an SPDX ID; for example, Microsoft's System.IO package, which only provides a URL, results in the cyclonedx-dotnet tool generating this:
```xml
<license>
  <url>http://go.microsoft.com/fwlink/?LinkId=329770</url>
</license>
```
This validates successfully against the XML schema.
The equivalent JSON:
```json
"license": {
  "url": "http://go.microsoft.com/fwlink/?LinkId=329770"
}
```
...is considered invalid as it has no ID.
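As an added illustration (not code from this issue, from the CycloneDX project, or from the cyclonedx-dotnet tool): a small Python pre-check that finds license objects the JSON schema would reject although the XML schema accepts them, and then applies the maintainer's recommendation of naming such licenses after the project. The JSON rule it encodes (exactly one of `id` or `name` must be present) is assumed from the discussion in this thread rather than read from the schema file, and the sample BOM, component names and versions are constructed; only the System.IO URL comes from the issue.

```python
import json
from copy import deepcopy

# Constructed CycloneDX-style JSON BOM (not a real BOM). The third component
# mirrors the url-only System.IO license from the issue.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.2",
  "components": [
    {"type": "library", "name": "Newtonsoft.Json", "version": "12.0.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "SomeVendor.Sdk", "version": "2.1.0",
     "licenses": [{"license": {"name": "SomeVendor Proprietary License",
                               "url": "https://example.invalid/license"}}]},
    {"type": "library", "name": "System.IO", "version": "4.3.0",
     "licenses": [{"license": {"url": "http://go.microsoft.com/fwlink/?LinkId=329770"}}]}
  ]
}
"""


def load_bom(text: str) -> dict:
    """Parse a JSON BOM document into a dict."""
    return json.loads(text)


def license_satisfies_json_rule(lic: dict) -> bool:
    """Assumed JSON-schema rule from the thread: a license object must carry
    exactly one of 'id' or 'name' (a oneOf, so both present also fails)."""
    return ("id" in lic) != ("name" in lic)


def find_invalid_licenses(bom: dict) -> list:
    """Return (component name, license object) pairs that the JSON rule rejects.
    A url-only license passes the XML schema's all-optional choice but lands here."""
    bad = []
    for comp in bom.get("components", []):
        for entry in comp.get("licenses", []):
            lic = entry.get("license")
            if lic is not None and not license_satisfies_json_rule(lic):
                bad.append((comp["name"], lic))
    return bad


def fill_missing_license_names(bom: dict) -> tuple:
    """Name licenses that have neither an SPDX id nor a name after the
    component (the maintainer's first suggestion). Returns a patched deep
    copy and the number of licenses patched; the input BOM is not mutated."""
    patched = deepcopy(bom)
    count = 0
    for comp in patched.get("components", []):
        for entry in comp.get("licenses", []):
            lic = entry.get("license")
            if lic is not None and "id" not in lic and "name" not in lic:
                lic["name"] = f"{comp['name']} license"  # constructed naming convention
                count += 1
    return patched, count


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM_JSON)
    for name, lic in find_invalid_licenses(bom):
        print(f"{name}: license has neither id nor name -> {lic}")
    fixed, n = fill_missing_license_names(bom)
    print(f"patched {n} license(s); remaining invalid: {len(find_invalid_licenses(fixed))}")
```

Running this on a BOM before handing it to a JSON-schema validator tells you which components the generating tool left without an `id` or `name`; the fill step is a convenience for non-standard licenses and does not replace capturing the full license text when the license is not an SPDX one.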