feat: Add complete License-Text to SBOM result

jkowalleck commented 8 months ago

caused by #22

similar to

Is your feature request related to a problem? Please describe.

For legal documentation, we need the original text of the licenses of components.

Describe the solution you'd like

An option to enable integration of the license-text in the BOM file, like the old @cyclonedx/bom package had, would be great to have again here.

read https://cyclonedx.org/news/cyclonedx-v1.3-released/#copyright-and-license-evidence

Acceptance criteria

the feature to add license texts should be enabled by a CLI switch called --gather-license-evidence (name to be discussed)
the feature is disabled per default
only if the feature is enabled:
- for all components, meta-components, root-components and nested components: regardless of SPDX license ID, SPDX license expression or named license, the deteced license texts should be added, each as an evidence Examples:
```
{
//...
"evidence": { 
  "licenses": [
    {"id":"Apache-2.0", "text": {
      "contentType": "text/plain",
      "encoding": "base64",
      // base64 of content of file `LICENSE`
      "content": "bG9yZW0gaXBzdW0="
    }}
    {"name":"file: NOTICE", "text": {
      "contentType": "text/plain",
      "encoding": "base64",
      // base46 of content of file `NOTICE`
      "content": "bG9yZW0gaXBzdW0="
    }}
  ]
},
// ...
}
```
- if a license text is detected with the package, it would be added to Component's @.evicence.licenses
- @.name would be 'License of : '
- @.text would hold the test
  - the content type is to be derived from file extension
  - the content SHOULD be base64 encoded
- license files patterns are:
- LICEN[CS]E*
- NOTICE* -- addendum for Apache-2.0 and others
- if no license text is shipped with a package, no license test is added as a evidence. Nope, no license template is derived from package's declared SPDX license id.
  Reason: license templates (like BSD clause 3) are designed to be modified (unlike others, like Apache2, which is not a template but a complete text)

jkowalleck commented 5 months ago

The license text feature was removed from the code, to ease the way to v1.0/MVP. With the v1.0 release candidate being public for some time now, i do not expect any internal refactoring or changes soon. This means, the implementation is ready to be extended.

@AugustusKling, are you still interested in working on a license text gathering for component evidences?

AugustusKling commented 5 months ago

@jkowalleck I'm still willing to provide code to add the license gathering. That said, I'm somewhat occupied these days so I don't know when this will happen.

So far I didn't even find time to go through your changes to the implementation nor to try it out to provide feedback.

jkowalleck commented 1 month ago

A similar feature was added to the webpack plugin see https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1309 see https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1312

CycloneDX / cyclonedx-node-yarn