spdx / cdx2spdx

Utility that converts SBOM documents from CycloneDX to SPDX
Apache License 2.0

Allow for data licenses other than CC0 #36

Closed goneall closed 1 year ago

goneall commented 1 year ago

Fixes issue #35

flemminglau commented 1 year ago

Not sure if this is my preferred method for fixing this. My understanding is that you allow any value of the license.

In my case it is my cdx file aggregator which hard-codes the license, so from my point of view it is completely arbitrary.

Not sure what would be a better alternative but to force the value of CC0 always. But maybe my case is special.

goneall commented 1 year ago

> Not sure if this is my preferred method for fixing this. My understanding is that you allow any value of the license.
>
> In my case it is my cdx file aggregator which hard-codes the license, so from my point of view it is completely arbitrary.
>
> Not sure what would be a better alternative but to force the value of CC0 always. But maybe my case is special.

@flemminglau as mentioned in my issue comment, I do not think we should be changing a data license. If someone (or something) places a license on data, that should be carried forward to any transformation of the data. I know if I put a license on something and someone (or something) translated it and changed the license, I would not be happy.

If indeed the assignment of the MIT license is arbitrary, perhaps you can have the source utility that creates the CDX documents generate a compatible CC0 license.
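The behaviour under discussion (carry the license declared on the CycloneDX document forward into the SPDX `dataLicense` field, and fall back to CC0-1.0 only when the BOM declares none) can be sketched as follows. This is an added illustration, not cdx2spdx's own code; it assumes the CycloneDX 1.4+ `metadata.licenses` layout (`license.id`, `license.name` or `expression` entries) and the SPDX JSON `dataLicense` field, and the sample BOMs are constructed for the example.

```python
"""Illustrative helper (added example, not cdx2spdx's own code): carry the
CycloneDX document license forward into the SPDX dataLicense field."""
import json
from typing import Optional, Tuple

DEFAULT_DATA_LICENSE = "CC0-1.0"  # fallback when the CDX document states none


def cdx_document_license(bom: dict) -> Optional[str]:
    """Return the license expression declared on a CycloneDX BOM, or None.

    CycloneDX (1.4+) declares the BOM's own license under metadata.licenses,
    either as {"license": {"id": ...}} / {"license": {"name": ...}} or as
    {"expression": ...}. Only the first usable entry is taken (assumption).
    """
    licenses = bom.get("metadata", {}).get("licenses") or []
    for entry in licenses:
        if "expression" in entry:
            return entry["expression"]
        lic = entry.get("license", {})
        if "id" in lic:
            return lic["id"]
        if "name" in lic:
            return lic["name"]
    return None


def spdx_data_license(bom: dict) -> Tuple[str, bool]:
    """Return (dataLicense, carried_forward).

    carried_forward is True when the value came from the CDX document rather
    than the CC0-1.0 default, so a caller can record that no license was
    substituted during conversion.
    """
    declared = cdx_document_license(bom)
    if declared is None:
        return DEFAULT_DATA_LICENSE, False
    return declared, True


def convert_header(bom: dict) -> dict:
    """Build the SPDX document-level fields that depend on the BOM license."""
    data_license, carried = spdx_data_license(bom)
    component = bom.get("metadata", {}).get("component", {})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": data_license,
        "name": component.get("name", "unnamed"),
        "comment": (
            "dataLicense carried forward from CycloneDX metadata.licenses"
            if carried
            else "dataLicense defaulted to CC0-1.0 (none declared in CycloneDX)"
        ),
    }


# Constructed sample CycloneDX documents (not output from any real aggregator).
MIT_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "aggregated-app"},
               "licenses": [{"license": {"id": "MIT"}}]}
}""")
UNLICENSED_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "metadata": {}}

if __name__ == "__main__":
    print(json.dumps(convert_header(MIT_BOM), indent=2))
    print(json.dumps(convert_header(UNLICENSED_BOM), indent=2))
```

The `carried_forward` flag is the part worth keeping in a real converter: it lets the tool state in the output whether the data license was preserved from the input or defaulted, so a downstream consumer can tell the two cases apart.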