SBOM/SPDX Generation: Add in LicenseRef info for licenses which are not recognized by SPDX (OASIS-IPR) #104
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ot recognized by SPDX (OASIS-IPR) The sbom.spdx for corePKCS11 fails the SPDX validation check because OASIS-IPR is not a valid SPDX License This commit changes the following output to convert it to a LicenseRef and fix the validation check. $ diff -u sbom-original.spdx sbom-fixup.spdx --- sbom-original.spdx 2024-03-29 09:46:53.203092500 -0400 +++ sbom-fixup.spdx 2024-03-29 09:48:03.900301885 -0400 @@ -340,8 +340,8 @@ SPDXID: SPDXRef-Package-pkcs11 PackageVersion: v2.40_errata01 PackageDownloadLocation: https://github.com/amazon-freertos/pkcs11.git -PackageLicenseDeclared: OASIS-IPR -PackageLicenseConcluded: OASIS-IPR +PackageLicenseDeclared: LicenseRef-OASIS-IPR +PackageLicenseConcluded: LicenseRef-OASIS-IPR PackageLicenseInfoFromFiles: NOASSERTION FilesAnalyzed: True PackageVerificationCode: 0c50b69c6789adbc08378264ec75fa6e6a616364 @@ -1848,3 +1848,7 @@ Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-pkcs11 Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-mbedtls + +LicenseID: LicenseRef-OASIS-IPR +LicenseName: OASIS-IPR +ExtractedText: <text>OASIS-IPR</text>
paulbartell
approved these changes
Apr 2, 2024
AniruddhaKanhere
approved these changes
Apr 2, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The sbom.spdx for corePKCS11 fails the SPDX validation check because OASIS-IPR is not a valid SPDX License
SPDX License list: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-list
The correct way of solving this is by using a LicenseRef-
See: https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/#101-license-identifier-field
An example of how the LicenseRef is used is here:
https://github.com/spdx/spdx-examples/blob/master/software/example6/spdx2.2/example6-bin.spdx#L20C47-L20C57
This commit changes the following output to convert it to a LicenseRef and fix the validation check.
Tool used to validate: https://github.com/spdx/tools-java/releases/tag/v1.1.8
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.