We are using NuGet packages as a method for distributing commercial software. These packages are not published to NuGet but are consumed through different internal feeds. There are a couple of options for packing a license (using a license expression or a license file). We are trying to avoid packaging the license in each and every NuGet package, but using the LicenseExpression introduces issues as below:
When using the license expression property in our C# project to define the license like so:
Then, generating an SBOM using CycloneDX, we end up with an SBOM that contains this result for the license, which fails schema validation as the value for the "id" element is not one of the enumerated SPDX license IDs.
CycloneDX incorporates SPDX license IDs and expressions to document stated licenses of open source components. Licenses can be expressed three ways: by SPDX license ID, by SPDX license expression, or as a license name. Zero or more licenses can be defined by ID or by name.
I would expect to see this as the output.
Perhaps we are misreading how license expressions are supposed to be defined. When using the license expression (an SPDX user-defined license reference) as defined under the Simple license expressions from (https://spdx.github.io/spdx-spec/v3.0.1/annexes/spdx-license-expressions/)
Also, with the license expression defined as "LicenseRef-CompanyName-Commercial", it also cannot be recognized by Visual Studio package management.

Any thoughts on how NuGet packages should be licensed so that the correct license information is available throughout the supply chain? I've opened an issue in the CycloneDX project to also get some input (CycloneDX/cyclonedx-dotnet#1090)
Thanks!
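As an added example (not code from the post, from NuGet, or from cyclonedx-dotnet), the following Python maps a NuGet license expression onto the three CycloneDX license forms the post lists, routing a user-defined `LicenseRef-` onto the `expression` field (where SPDX expression syntax allows it) instead of the `id` enum, and includes a small check that reproduces the schema failure described above. The SPDX ID set is a constructed subset; a real tool would load the full SPDX license list.

```python
import re

# Constructed subset of SPDX license identifiers (the full list lives at
# https://spdx.org/licenses/); only these are valid values for license.id.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "LGPL-2.1-or-later"}

# SPDX simple-expression form of a user-defined reference, with optional DocumentRef prefix.
LICENSE_REF = re.compile(r"^(DocumentRef-[A-Za-z0-9.\-]+:)?LicenseRef-[A-Za-z0-9.\-]+$")
# Presence of an operator or parentheses marks a compound SPDX expression.
COMPOUND = re.compile(r"\s(AND|OR|WITH)\s|[()]")


def classify(expression: str) -> str:
    """Return 'id', 'ref', 'expression' or 'name' for a NuGet license expression string."""
    expr = expression.strip()
    if expr in SPDX_IDS:
        return "id"
    if LICENSE_REF.match(expr):
        return "ref"
    if COMPOUND.search(expr):
        return "expression"
    return "name"  # free text: fall back to a named license


def to_cyclonedx_license(expression: str) -> dict:
    """Build one entry of a CycloneDX 'licenses' array (JSON form) for the expression."""
    expr = expression.strip()
    kind = classify(expr)
    if kind == "id":
        return {"license": {"id": expr}}
    if kind in ("ref", "expression"):
        # LicenseRef-... is a valid SPDX expression, so keep it machine-readable here
        # rather than forcing it into the 'id' enum, which would fail schema validation.
        return {"expression": expr}
    return {"license": {"name": expr}}


def validate_licenses(licenses: list) -> list:
    """Mimic the schema rule the post hits: license.id must be a known SPDX identifier."""
    problems = []
    for i, entry in enumerate(licenses):
        lic = entry.get("license")
        if isinstance(lic, dict) and "id" in lic and lic["id"] not in SPDX_IDS:
            problems.append(f"licenses[{i}].license.id '{lic['id']}' is not an SPDX identifier")
    return problems
```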