Misalignment in Protobuf Specification with Updated XML and JSON Schemas for LicenseChoice #465

Closed
mtsfoni opened this issue May 12, 2024 · 6 comments · Fixed by #468
Comments

@mtsfoni
mtsfoni commented May 12, 2024

Up to version 1.5, there was a discrepancy between the XML and the JSON Schema, which was resolved as per #204/#205. Since that update, LicenseChoice has become a complex type in the JSON formats to match the XML Schema. It is now defined to potentially include a list of licenses and an (optional) expression.

However, the corresponding protobuf specification was not updated to reflect these changes. As a result, the protobuf still retains the list of LicenseChoice as shown below:

message Component {
...
repeated LicenseChoice licenses = 13;
}

message LicenseChoice {
  oneof choice {
    License license = 1;
    // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
    string expression = 2;
  }
  // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
  optional LicenseAcknowledgementEnumeration acknowledgement = 3;
}
@jkowalleck
Member

jkowalleck commented May 12, 2024

each schema is an implementation of the spec - with the goal to make it possible to model the specification with clear guidelines.

spec is:

EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

In Protobuf we see

message LicenseChoice {
  oneof choice {
    License license = 1;
    // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
    string expression = 2;
  }
  // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
  optional LicenseAcknowledgementEnumeration acknowledgement = 3;
}

where License license = 1; is currently not repeated,
but it should be repeated License license = 1;, to match the spec.
PS: read below: #465 (comment)

@jkowalleck
Member

jkowalleck commented May 12, 2024

However, the corresponding protobuf specification was not updated to reflect these changes.

because it was correct, already.
spec says: EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

You can build a structure with multiple licenses, as it is described by the CycloneDX spec.
see

repeated LicenseChoice licenses = 13;

multi license component here: https://github.com/CycloneDX/specification/blob/8e131b1688ccfe41e1bfdd4b3280f33dcc06d04c/tools/src/test/resources/1.6/valid-metadata-license-1.6.textproto

@andreas-hilti
Contributor

@jkowalleck You can currently build everything that is expected, that is a list of licenses or a single license expression. However, you can also build a list of license expressions, which is not intended.

@jkowalleck
Member

However, you can also build a list of license expressions, which is not intended.

I acknowledge a lack of documentation there. Will drop a PR to have it added.

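The gap andreas-hilti points out (the oneof cannot forbid a list of expressions across a repeated field) is something an SBOM consumer can enforce after decoding. The following is an added example, not code from the CycloneDX project; the dataclasses are constructed stand-ins for the generated protobuf classes, with field names taken from the .proto quoted above.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Stand-ins for the generated protobuf classes (constructed for this
# example, not the real cyclonedx_pb2 module); names mirror the .proto.
@dataclass
class License:
    id: Optional[str] = None    # SPDX license id, e.g. "MIT"
    name: Optional[str] = None  # free-text name when no SPDX id applies

@dataclass
class LicenseChoice:
    # `oneof choice`: exactly one of license / expression is set
    license: Optional[License] = None
    expression: Optional[str] = None
    # only meaningful together with `expression` (see the .proto comment)
    acknowledgement: Optional[str] = None

@dataclass
class Component:
    licenses: List[LicenseChoice] = field(default_factory=list)

def license_choice_errors(licenses: List[LicenseChoice]) -> List[str]:
    """Spec violations in a `repeated LicenseChoice` list; empty == valid.

    Spec: EITHER a list of named/SPDX-id licenses OR one expression.
    The protobuf cannot express that across a repeated field, so the
    consumer enforces it here.
    """
    errors = []
    for i, c in enumerate(licenses):
        if (c.license is None) == (c.expression is None):
            errors.append(f"licenses[{i}]: set exactly one of license/expression")
        if c.acknowledgement is not None and c.expression is None:
            errors.append(f"licenses[{i}]: acknowledgement only allowed with expression")
    n_expr = sum(1 for c in licenses if c.expression is not None)
    n_lic = sum(1 for c in licenses if c.license is not None)
    if n_expr > 1:
        errors.append(f"{n_expr} expressions given; at most one is allowed")
    if n_expr and n_lic:
        errors.append("named licenses and an expression mixed; use one or the other")
    return errors

def is_valid_component(component: Component) -> bool:
    return not license_choice_errors(component.licenses)
```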
jkowalleck added a commit to jkowalleck/fork_CycloneDX-specification that referenced this issue May 24, 2024
see CycloneDX#465

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
Member

please review #468

@jkowalleck
Member

please also be aware of upcoming #454
