CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

"License information" (FETCH_LICENSE vs. includeLicenseText) #270

Open crusy opened 1 year ago

crusy commented 1 year ago

Hello all,

I switched from cyclonedx-gradle-plugin to cdxgen, as cdxgen is less "invasive", it does not require to add a dependency to the target project. I use it to retrieve the licenses for my projects' dependencies. But I think I noticed a major drawback:

First of all: This "npm and golang only" kind of conflicts with the env var GITHUB_TOKEN's description, which reads "Specify GitHub token to prevent traffic shaping while querying license and repo information" – so Github is always queried for licenses? Or does FETCH_LICENSE cover Github as well? Or ...?

But more important: cdxgen does not retrieve the license text, only an ID and a URL. Is this correct? Is it on purpose? If so, I think it's important information for the README. Are there plans to add licenses' text support?

crusy commented 1 year ago

More details of what I expected, and a more general explanation why I expected it:

https://cyclonedx.org/use-cases/#license-compliance shows an example json which does not only contain id and url, but also text, which consists of contentType, encoding and: content. It does not state any limitation of the actual CycloneDX lib to use to get such information.

crusy commented 1 year ago

PS: At https://cyclonedx.org/use-cases/#license-compliance I read about SPDX, so it maybe resolves the licenses' texts? You state in your README

Conversion to SPDX format

Use the CycloneDX CLI tool for advanced use cases such as conversion, diff and merging.

, does that cover my use case as well? I do not see anything like "resolve licenses" in the README of `cyclonedx-cli...

prabhu commented 1 year ago

@crusy, as per the spec only the id or name is mandatory

https://cyclonedx.org/docs/1.4/json/#tab-pane_components_items_licenses_items_license_oneOf_i0

I will try to add includeLicenseText as a feature.

crusy commented 1 year ago

I see, thank you for clarification.

In the meantime I found some external libs based on SPDX. They have their own repo, e.g. :smile: Including text and json formats. There are npm packages as well (spdx-license-list holds all the texts), maybe I'll try one of them.

mcsma commented 4 months ago

@prabhu any news on the implementation of a flag that includes the license text soon? Does anyone know of an easy way to retrieve said information?

prabhu commented 4 months ago

@mcsma no plans. Pull Request or sponsorship to pay developers are always welcome.