Proposal: A way for the repo authors to customize the license for an SBOM

[prabhu]

As an owner of few repos and apps, I would like to specify the licenses to be used for all SBOMs that represent my repos and apps (regardless of how it was generated). These could be different from the actual licenses of the repos and the published artifacts.

Example: I want to use CC0 as the license for the SBOM for my repos and apps, while the source and binary licenses could be different (Say Apache-2.0, MIT, CUSTOM etc).

This way third-party aggregators and researchers can confidently use the SBOM data.

Some ideas

Package manager approach

Package managers such as npm could accept an attribute similar to license and funding.

{
   "license": [
      {"type": "source": "expression": "BSD-3-Clause or ISC"},
      {"type": "sbom": "expression": "CC-0"},
      {"type": "package": "expression": "Apache-2.0"},
   ]
}

Generator tool configuration

Assuming a generator tool (such as cdxgen) accepts a json configuration. A below file could be used to update the metadata.licenses section.

{
   "bomFormat": "CycloneDX",
   "metadata": {
       "licenses": [{
            "expression": "CC-0"
       }]
   }
}

References

https://cyclonedx.org/docs/1.6/json/#metadata_licenses

[jkowalleck]

With today's spec, I would use subcomponents for things that are differently licensed than the respective component.

I am not saying that this is ideal, ... but this could be our practical example - as a point for further discussions 👍

(pseudo, json5)

{
bomFormat: 'CycloneDX',
specVersion: '1.6',
// ... 
metadata: { component: {
  type: 'container',
  name: 'example-component',
  licenses: [
   { license: { 
     id: 'MIT',
     acknowledgement: 'declared',
     // text: ...
   }}
  ],
  components: [
    {
      type: 'file',
      name: 'docs/**.{md,rst,txt}',
      licenses: [
         { license: {
            name: 'CC BY-NC',
            acknowledgement: 'declared',
            // text: ...
         }}
      ]
    }
  ],
}}
}

[jkowalleck]

this is a similar proposal, for the PHP ecosystem 'composer': CycloneDX/cyclonedx-php-composer#131

[jkowalleck]

Package managers such as npm could accept an attribute similar to license and funding.

{
   "license": [
      {"type": "source": "expression": "BSD-3-Clause or ISC"},
      {"type": "sbom": "expression": "CC-0"},
      {"type": "package": "expression": "Apache-2.0"},
   ]
}

I think we should discuss these capabilities.

A package manifest can not tell me under which licence i would have to publish the SBOM I created for a package, right?
But it surely has authority about its own source and the package/assembly/build-artifact they provide, and also for the SBOMs stored in the repo.