341 changes: 339 additions & 2 deletions cyclonedx/model/license.py

Large diffs are not rendered by default.

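--- a/tests/_data/models.py
+++ b/tests/_data/models.py
@@ -97,7 +97,14 @@
 ImpactAnalysisState,
 )
 from cyclonedx.model.issue import IssueClassification, IssueType, IssueTypeSource
-from cyclonedx.model.license import DisjunctiveLicense, License, LicenseAcknowledgement, LicenseExpression
+from cyclonedx.model.license import (
+DisjunctiveLicense,
+ExpressionDetails,
+License,
+LicenseAcknowledgement,
+LicenseExpression,
+LicenseExpressionDetailed,
+)
 from cyclonedx.model.lifecycle import LifecyclePhase, NamedLifecycle, PredefinedLifecycle
 from cyclonedx.model.release_note import ReleaseNotes
 from cyclonedx.model.service import Service
@@ -1061,6 +1068,15 @@ def get_vulnerability_source_owasp() -> VulnerabilitySource:
 
 
 def get_bom_with_licenses() -> Bom:
+expression_details = [
+ExpressionDetails(license_identifier='GPL-3.0-or-later',
+url=XsUri('https://www.apache.org/licenses/LICENSE-2.0.txt'),
+text=AttachedText(content='specific GPL-3.0-or-later license text')),
+ExpressionDetails(license_identifier='GPL-2.0',
+bom_ref='some-bomref-1234',
+text=AttachedText(content='specific GPL-2.0 license text')),
+]
+
 return _make_bom(
 metadata=BomMetaData(
 licenses=[DisjunctiveLicense(id='CC-BY-1.0')],
@@ -1082,6 +1098,11 @@ def get_bom_with_licenses() -> Bom:
 DisjunctiveLicense(name='some additional',
 text=AttachedText(content='this is additional license text')),
 ]),
+Component(name='c-with-expression-details', type=ComponentType.LIBRARY, bom_ref='C4',
+licenses=[LicenseExpressionDetailed(expression='GPL-3.0-or-later OR GPL-2.0',
+expression_details=expression_details,
+acknowledgement=LicenseAcknowledgement.DECLARED
+)]),
 ],
 services=[
 Service(name='s-with-expression', bom_ref='S1',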
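Review bot: The first `ExpressionDetails` entry added to `get_bom_with_licenses()` pairs `license_identifier='GPL-3.0-or-later'` with `url=XsUri('https://www.apache.org/licenses/LICENSE-2.0.txt')`, which is the Apache-2.0 text. That mismatch is then frozen into the 1.7 JSON and XML snapshots. Test fixtures are often copied as usage examples, and SBOM consumers rely on a license URL agreeing with its identifier, so prefer a matching value such as `url=XsUri('https://www.gnu.org/licenses/gpl-3.0.txt'),` and regenerate the 1.7 snapshots. The fixture also has no case where a `license_identifier` is missing from `expression` or appears twice; the `cyclonedx/model/license.py` diff is not rendered on this page, so whether the model checks this is unknown, but a negative test would be worth adding if it does. The body of `get_bom_with_licenses()` continues outside the hunks shown.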
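--- a/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin
@@ -11,6 +11,11 @@
 <version/>
 <modified>false</modified>
 </component>
+<component type="library">
+<name>c-with-expression-details</name>
+<version/>
+<modified>false</modified>
+</component>
 <component type="library">
 <name>c-with-name</name>
 <version/>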
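--- a/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin
@@ -18,6 +18,13 @@
 <expression>Apache-2.0 OR MIT</expression>
 </licenses>
 </component>
+<component type="library" bom-ref="C4">
+<name>c-with-expression-details</name>
+<version/>
+<licenses>
+<expression>GPL-3.0-or-later OR GPL-2.0</expression>
+</licenses>
+</component>
 <component type="library" bom-ref="C3">
 <name>c-with-name</name>
 <version/>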
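--- a/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin
@@ -25,6 +25,17 @@
 "type": "library",
 "version": ""
 },
+{
+"bom-ref": "C4",
+"licenses": [
+{
+"expression": "GPL-3.0-or-later OR GPL-2.0"
+}
+],
+"name": "c-with-expression-details",
+"type": "library",
+"version": ""
+},
 {
 "bom-ref": "C3",
 "licenses": [
@@ -62,6 +73,9 @@
 {
 "ref": "C3"
 },
+{
+"ref": "C4"
+},
 {
 "ref": "S1"
 },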
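--- a/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin
@@ -30,6 +30,13 @@
 <expression>Apache-2.0 OR MIT</expression>
 </licenses>
 </component>
+<component type="library" bom-ref="C4">
+<name>c-with-expression-details</name>
+<version/>
+<licenses>
+<expression>GPL-3.0-or-later OR GPL-2.0</expression>
+</licenses>
+</component>
 <component type="library" bom-ref="C3">
 <name>c-with-name</name>
 <version/>
@@ -79,6 +86,7 @@
 <dependency ref="C1"/>
 <dependency ref="C2"/>
 <dependency ref="C3"/>
+<dependency ref="C4"/>
 <dependency ref="S1"/>
 <dependency ref="S2"/>
 <dependency ref="S3"/>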
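--- a/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin
@@ -25,6 +25,17 @@
 "type": "library",
 "version": ""
 },
+{
+"bom-ref": "C4",
+"licenses": [
+{
+"expression": "GPL-3.0-or-later OR GPL-2.0"
+}
+],
+"name": "c-with-expression-details",
+"type": "library",
+"version": ""
+},
 {
 "bom-ref": "C3",
 "licenses": [
@@ -62,6 +73,9 @@
 {
 "ref": "C3"
 },
+{
+"ref": "C4"
+},
 {
 "ref": "S1"
 },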
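--- a/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin
@@ -35,6 +35,13 @@
 <expression>Apache-2.0 OR MIT</expression>
 </licenses>
 </component>
+<component type="library" bom-ref="C4">
+<name>c-with-expression-details</name>
+<version/>
+<licenses>
+<expression>GPL-3.0-or-later OR GPL-2.0</expression>
+</licenses>
+</component>
 <component type="library" bom-ref="C3">
 <name>c-with-name</name>
 <version/>
@@ -84,6 +91,7 @@
 <dependency ref="C1"/>
 <dependency ref="C2"/>
 <dependency ref="C3"/>
+<dependency ref="C4"/>
 <dependency ref="S1"/>
 <dependency ref="S2"/>
 <dependency ref="S3"/>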
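--- a/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin
@@ -23,6 +23,16 @@
 "name": "c-with-expression",
 "type": "library"
 },
+{
+"bom-ref": "C4",
+"licenses": [
+{
+"expression": "GPL-3.0-or-later OR GPL-2.0"
+}
+],
+"name": "c-with-expression-details",
+"type": "library"
+},
 {
 "bom-ref": "C3",
 "licenses": [
@@ -59,6 +69,9 @@
 {
 "ref": "C3"
 },
+{
+"ref": "C4"
+},
 {
 "ref": "S1"
 },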
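--- a/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin
@@ -32,6 +32,12 @@
 <expression>Apache-2.0 OR MIT</expression>
 </licenses>
 </component>
+<component type="library" bom-ref="C4">
+<name>c-with-expression-details</name>
+<licenses>
+<expression>GPL-3.0-or-later OR GPL-2.0</expression>
+</licenses>
+</component>
 <component type="library" bom-ref="C3">
 <name>c-with-name</name>
 <licenses>
@@ -80,6 +86,7 @@
 <dependency ref="C1"/>
 <dependency ref="C2"/>
 <dependency ref="C3"/>
+<dependency ref="C4"/>
 <dependency ref="S1"/>
 <dependency ref="S2"/>
 <dependency ref="S3"/>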
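--- a/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin
@@ -23,6 +23,16 @@
 "name": "c-with-expression",
 "type": "library"
 },
+{
+"bom-ref": "C4",
+"licenses": [
+{
+"expression": "GPL-3.0-or-later OR GPL-2.0"
+}
+],
+"name": "c-with-expression-details",
+"type": "library"
+},
 {
 "bom-ref": "C3",
 "licenses": [
@@ -59,6 +69,9 @@
 {
 "ref": "C3"
 },
+{
+"ref": "C4"
+},
 {
 "ref": "S1"
 },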
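--- a/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin
@@ -32,6 +32,12 @@
 <expression>Apache-2.0 OR MIT</expression>
 </licenses>
 </component>
+<component type="library" bom-ref="C4">
+<name>c-with-expression-details</name>
+<licenses>
+<expression>GPL-3.0-or-later OR GPL-2.0</expression>
+</licenses>
+</component>
 <component type="library" bom-ref="C3">
 <name>c-with-name</name>
 <licenses>
@@ -80,6 +86,7 @@
 <dependency ref="C1"/>
 <dependency ref="C2"/>
 <dependency ref="C3"/>
+<dependency ref="C4"/>
 <dependency ref="S1"/>
 <dependency ref="S2"/>
 <dependency ref="S3"/>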
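--- a/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin
@@ -25,6 +25,17 @@
 "name": "c-with-expression",
 "type": "library"
 },
+{
+"bom-ref": "C4",
+"licenses": [
+{
+"acknowledgement": "declared",
+"expression": "GPL-3.0-or-later OR GPL-2.0"
+}
+],
+"name": "c-with-expression-details",
+"type": "library"
+},
 {
 "bom-ref": "C3",
 "licenses": [
@@ -61,6 +72,9 @@
 {
 "ref": "C3"
 },
+{
+"ref": "C4"
+},
 {
 "ref": "S1"
 },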
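--- a/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin
@@ -32,6 +32,12 @@
 <expression acknowledgement="concluded">Apache-2.0 OR MIT</expression>
 </licenses>
 </component>
+<component type="library" bom-ref="C4">
+<name>c-with-expression-details</name>
+<licenses>
+<expression acknowledgement="declared">GPL-3.0-or-later OR GPL-2.0</expression>
+</licenses>
+</component>
 <component type="library" bom-ref="C3">
 <name>c-with-name</name>
 <licenses>
@@ -80,6 +86,7 @@
 <dependency ref="C1"/>
 <dependency ref="C2"/>
 <dependency ref="C3"/>
+<dependency ref="C4"/>
 <dependency ref="S1"/>
 <dependency ref="S2"/>
 <dependency ref="S3"/>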
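--- a/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin
@@ -25,6 +25,35 @@
 "name": "c-with-expression",
 "type": "library"
 },
+{
+"bom-ref": "C4",
+"licenses": [
+{
+"acknowledgement": "declared",
+"expression": "GPL-3.0-or-later OR GPL-2.0",
+"expressionDetails": [
+{
+"bom-ref": "some-bomref-1234",
+"licenseIdentifier": "GPL-2.0",
+"text": {
+"content": "specific GPL-2.0 license text",
+"contentType": "text/plain"
+}
+},
+{
+"licenseIdentifier": "GPL-3.0-or-later",
+"text": {
+"content": "specific GPL-3.0-or-later license text",
+"contentType": "text/plain"
+},
+"url": "https://www.apache.org/licenses/LICENSE-2.0.txt"
+}
+]
+}
+],
+"name": "c-with-expression-details",
+"type": "library"
+},
 {
 "bom-ref": "C3",
 "licenses": [
@@ -61,6 +90,9 @@
 {
 "ref": "C3"
 },
+{
+"ref": "C4"
+},
 {
 "ref": "S1"
 },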
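--- a/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin
+++ b/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin
@@ -32,6 +32,20 @@
 <expression acknowledgement="concluded">Apache-2.0 OR MIT</expression>
 </licenses>
 </component>
+<component type="library" bom-ref="C4">
+<name>c-with-expression-details</name>
+<licenses>
+<expression-detailed expression="GPL-3.0-or-later OR GPL-2.0" acknowledgement="declared">
+<details bom-ref="some-bomref-1234" license-identifier="GPL-2.0">
+<text content-type="text/plain">specific GPL-2.0 license text</text>
+</details>
+<details license-identifier="GPL-3.0-or-later">
+<text content-type="text/plain">specific GPL-3.0-or-later license text</text>
+<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+</details>
+</expression-detailed>
+</licenses>
+</component>
 <component type="library" bom-ref="C3">
 <name>c-with-name</name>
 <licenses>
@@ -80,6 +94,7 @@
 <dependency ref="C1"/>
 <dependency ref="C2"/>
 <dependency ref="C3"/>
+<dependency ref="C4"/>
 <dependency ref="S1"/>
 <dependency ref="S2"/>
 <dependency ref="S3"/>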