I have a dependency on a component that does not have a SPDX License Id. For example the System.IO 4.3 package only have a license URL to the Microsoft .NET Library license, which does not fulfill the requirements to be included in the official SPDX License ID list.
Converting the SBOM to CycloneDX will only include the license URL which can not be used to identify the license in Dependency Track. Dependency Track relies on SPDX license ID for identification.
Current Behavior
Converting to SPDX will generate a custom license ID that is unique only the SBOM file (and possibly undeterministic?)
Converting to CycloneDX will generate only a license URL
Proposed Behavior
Make it possible to map license url:s to custom license Id:s
Make mapped license id:s part of CycloneDX conversion
This would solve the problem of identification in Dependency Track.
Stretch
Add default mappings that can be enabled/disabled and overriden (this can be nice for common packages from Microsoft)
Problem
I have a dependency on a component that does not have a SPDX License Id. For example the System.IO 4.3 package only have a license URL to the Microsoft .NET Library license, which does not fulfill the requirements to be included in the official SPDX License ID list.
Converting the SBOM to CycloneDX will only include the license URL which can not be used to identify the license in Dependency Track. Dependency Track relies on SPDX license ID for identification.
Current Behavior
Proposed Behavior
This would solve the problem of identification in Dependency Track.
Stretch