Open source licensing plays a pivotal role in modern software development, enabling organizations to build on reusable components for faster and more cost-effective innovation. By using the licensing capabilities of CycloneDX, organizations can identify any licenses that may be incompatible or that carry specific compliance obligations, such as attribution or sharing of source code. CycloneDX supports declared, observed, and concluded licenses.
CycloneDX incorporates SPDX license IDs and expressions to document the stated licenses of open source components. Licenses can be expressed in three ways: by SPDX license ID, by SPDX license expression, or as a license name. Zero or more licenses can be defined by ID or by name.
| License Choice | Validation | Attachment |
|---|---|---|
| SPDX License ID | Strict - ensures the license ID is valid | ✓ |
| SPDX License Expression | None | |
| License name | None | ✓ |
Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management.
In addition to asserting the declared or concluded license(s) of a component, CycloneDX also supports evidence of other licenses and copyrights found in a given component. These licenses are "observed" in the course of analyzing a software project and form the necessary evidence to substantiate a "concluded" license.
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "Library A",
      "version": "3.7.1",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0",
            "acknowledgement": "concluded"
          }
        }
      ],
      "evidence": {
        "licenses": [
          {
            "license": {
              "id": "Apache-2.0",
              "acknowledgement": "declared",
              "text": {
                "contentType": "text/plain",
                "content": "The text for the license goes here."
              }
            }
          },
          {
            "license": {
              "id": "MIT",
              "acknowledgement": "declared",
              "text": {
                "contentType": "text/plain",
                "content": "The text for the license goes here."
              }
            }
          }
        ]
      }
    },
    {
      "type": "library",
      "name": "Library B",
      "version": "1.0.2",
      "licenses": [
        {
          "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0",
          "acknowledgement": "declared"
        }
      ]
    },
    {
      "type": "library",
      "name": "Library C",
      "version": "2.0.0",
      "licenses": [
        {
          "license": {
            "name": "Some other license",
            "text": {
              "contentType": "text/plain",
              "encoding": "base64",
              "content": "VGhlIHRleHQgZm9yIHRoZSBsaWNlbnNlIGdvZXMgaGVyZS4="
            }
          }
        }
      ]
    }
  ]
}
```
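The following Python script is an added example, not part of this guide or of any CycloneDX project code. It walks a CycloneDX 1.6 BOM and applies the two ideas above: the three license choices and their differing validation from the table (strict for SPDX IDs, none for expressions and names), and the declared/observed/concluded distinction, by flagging any observed evidence license that the concluded license does not account for. It also decodes a base64 license attachment. The BOM it embeds is a constructed copy of the structure shown above plus an extra "Library D" with a deliberately bogus ID; the `KNOWN_SPDX_IDS` and `COPYLEFT_IDS` sets are small constructed stand-ins for the real SPDX license list, and the `check_*` functions are the author's own names. A real checker would `json.load` the BOM from disk and load the published SPDX `licenses.json` instead.

```python
import base64

# Constructed, deliberately small stand-in for the SPDX license list
# (https://spdx.org/licenses/); the IDs listed are genuine SPDX identifiers.
# A real checker would load the published licenses.json instead.
KNOWN_SPDX_IDS = {"Apache-2.0", "MIT", "EPL-2.0", "GPL-2.0-only", "LGPL-2.1-only",
                  "BSD-3-Clause", "MPL-2.0"}

# Constructed subset of SPDX IDs that carry source-sharing (copyleft) obligations.
COPYLEFT_IDS = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "EPL-2.0", "MPL-2.0"}

# Constructed BOM mirroring the shape of the guide's example (not the guide's own
# JSON); "Library D" is added with a bogus ID to exercise strict ID validation.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "library", "name": "Library A", "version": "3.7.1",
         "licenses": [{"license": {"id": "Apache-2.0", "acknowledgement": "concluded"}}],
         "evidence": {"licenses": [
             {"license": {"id": "Apache-2.0", "acknowledgement": "declared"}},
             {"license": {"id": "MIT", "acknowledgement": "declared"}}]}},
        {"type": "library", "name": "Library B", "version": "1.0.2",
         "licenses": [{"expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0",
                       "acknowledgement": "declared"}]},
        {"type": "library", "name": "Library C", "version": "2.0.0",
         "licenses": [{"license": {"name": "Some other license",
                                   "text": {"contentType": "text/plain", "encoding": "base64",
                                            "content": "VGhlIHRleHQgZm9yIHRoZSBsaWNlbnNlIGdvZXMgaGVyZS4="}}}]},
        {"type": "library", "name": "Library D", "version": "0.1.0",
         "licenses": [{"license": {"id": "Apache-2", "acknowledgement": "declared"}}]},
    ],
}


def classify(entry):
    """Map one element of a 'licenses' array to (choice, value, acknowledgement).

    choice is 'id', 'name' or 'expression', the three ways the guide says a
    license can be expressed. The acknowledgement sits inside the 'license'
    object for id/name choices and beside 'expression' for expression choices.
    """
    if "expression" in entry:
        return "expression", entry["expression"], entry.get("acknowledgement")
    lic = entry["license"]
    choice = "id" if "id" in lic else "name"
    return choice, lic.get("id", lic.get("name")), lic.get("acknowledgement")


def attached_text(entry):
    """Return the attached license text (base64-decoded if so encoded), or None if absent."""
    text = entry.get("license", {}).get("text")
    if text is None:
        return None
    if text.get("encoding") == "base64":
        return base64.b64decode(text["content"]).decode("utf-8")
    return text["content"]


def check_component(component):
    """Report the asserted and observed licenses of one component plus review findings."""
    report = {"asserted": [], "observed": [], "findings": []}
    for entry in component.get("licenses", []):
        choice, value, ack = classify(entry)
        report["asserted"].append((choice, value, ack))
        if choice == "id":
            # Mirrors the 'Strict' validation row: the ID must be on the SPDX list.
            if value not in KNOWN_SPDX_IDS:
                report["findings"].append(f"invalid SPDX ID: {value}")
            elif value in COPYLEFT_IDS:
                report["findings"].append(f"copyleft obligations: {value}")
        else:
            # Expressions and names are not validated by the schema, so a human
            # (or an SPDX expression parser) has to review them.
            report["findings"].append(f"unvalidated {choice}: {value}")
    for entry in component.get("evidence", {}).get("licenses", []):
        report["observed"].append(classify(entry))
    # A concluded license that does not account for every observed license is
    # exactly the discrepancy the declared/concluded distinction exists to surface.
    concluded = {v for _, v, a in report["asserted"] if a == "concluded"}
    unexplained = sorted({v for c, v, _ in report["observed"] if c == "id"} - concluded)
    if concluded and unexplained:
        report["findings"].append("observed but not concluded: " + ", ".join(unexplained))
    return report


def check_bom(bom):
    """Run check_component over every component, keyed by component name."""
    return {c["name"]: check_component(c) for c in bom.get("components", [])}


if __name__ == "__main__":
    for name, report in check_bom(SAMPLE_BOM).items():
        print(name, report["findings"])
```

Running it prints one finding line per component: Library A's concluded Apache-2.0 does not explain the observed MIT evidence, Library B's expression and Library C's free-text name are passed through unvalidated for human review, and Library D's misspelled ID fails the strict check. Expressions are deliberately not decomposed here; a production checker would parse them with an SPDX expression library before deciding which copyleft obligations apply.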