|
| 1 | +# License Compliance |
| 2 | +CycloneDX can be used for open-source and commercial license compliance. By leveraging the licensing capabilities of |
| 3 | +CycloneDX, organizations can identify any licenses that may be incompatible or require specific compliance obligations, |
| 4 | +such as attribution or sharing of source code. |
| 5 | + |
| 6 | +## Open Source Licensing |
| 7 | +The following is an example of a components license. CycloneDX communicates this information using the SPDX license IDs |
| 8 | +along with optionally including a Base64 encoded representation of the full license text. |
| 9 | + |
| 10 | +```json |
| 11 | +"licenses": [ |
| 12 | + { |
| 13 | + "license": { |
| 14 | + "id": "Apache-2.0", |
| 15 | + "acknowledgement": "declared", |
| 16 | + "text": { |
| 17 | + "contentType": "text/plain", |
| 18 | + "encoding": "base64", |
| 19 | + "content": "RW5jb2RlZCBsaWNlbnNlIHRleHQgZ29lcyBoZXJlLg==" |
| 20 | + }, |
| 21 | + "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" |
| 22 | + } |
| 23 | + } |
| 24 | +] |
| 25 | +``` |
| 26 | + |
| 27 | +SPDX license expressions are also fully supported. |
| 28 | + |
| 29 | +```json |
| 30 | +"licenses": [ |
| 31 | + { |
| 32 | + "expression": "(LGPL-2.1 OR BSD-3-Clause AND MIT)", |
| 33 | + "acknowledgement": "declared" |
| 34 | + } |
| 35 | +] |
| 36 | +``` |
| 37 | + |
| 38 | +## Declared and Concluded Licenses |
| 39 | +Declared licenses and concluded licenses represent two different stages in the licensing process within software |
| 40 | +development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms |
| 41 | +under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis |
| 42 | +of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from |
| 43 | +the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, |
| 44 | +concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper |
| 45 | +compliance and risk management. |
| 46 | + |
| 47 | +| Acknowledgement | Description | |
| 48 | +|-----------------|------------------------------------------------------------------------------------------------------------| |
| 49 | +| declared | Declared licenses represent the initial intentions of authors regarding the licensing terms of their code. | |
| 50 | +| concluded | Concluded licenses are verified and confirmed. | |
| 51 | + |
| 52 | + |
| 53 | +## Using Evidence To Substantiate Concluded Licenses and Track Copyrights |
| 54 | +In addition to asserting the declared or concluded license(s) of a component, CycloneDX also supports evidence of other |
| 55 | +licenses and copyrights found in a given component. These licenses are "observed" in the course of analyzing a |
| 56 | +software project and form the necessary evidence to substantiate a "concluded" license. For example: |
| 57 | + |
| 58 | +```json |
| 59 | +"evidence": { |
| 60 | + "licenses": [ |
| 61 | + { "license": { "id": "Apache-2.0" } }, |
| 62 | + { "license": { "id": "LGPL-2.1-only" } } |
| 63 | + ], |
| 64 | + "copyright": [ |
| 65 | + { "text": "Copyright 2012 Acme Inc. All Rights Reserved." }, |
| 66 | + { "text": "Copyright (C) 2004,2005 University of Example" } |
| 67 | + ] |
| 68 | +} |
| 69 | +``` |
| 70 | +Refer to the "Evidence" chapter for more information. |
| 71 | + |
| 72 | + |
| 73 | +## Commercial Licensing |
| 74 | +CycloneDX can also help organizations manage their commercial software licenses by providing a clear understanding of |
| 75 | +what licenses are in use and which ones require renewal or additional purchases, which may impact the operational aspects |
| 76 | +of applications or systems. By leveraging CycloneDX for commercial license compliance, organizations can reduce the risks |
| 77 | +associated with license violations, enhance their license management practices, and align their SBOM practice with |
| 78 | +Software Asset Management (SAM) and IT Asset Management (ITAM) systems for enterprise visibility. |
| 79 | + |
| 80 | +The following example illustrates a commercial license for a given component. |
| 81 | + |
| 82 | +```json |
| 83 | +"licenses": [ |
| 84 | + { |
| 85 | + "license": { |
| 86 | + "name": "Acme Commercial License", |
| 87 | + "licensing": { |
| 88 | + "licensor": { |
| 89 | + "organization": { "name": "Acme Inc" } |
| 90 | + }, |
| 91 | + "licensee": { |
| 92 | + "organization": { "name": "Example Co." } |
| 93 | + }, |
| 94 | + "purchaser": { |
| 95 | + "individual": { |
| 96 | + "name": "Samantha Wright", |
| 97 | + "email": "samantha.wright@gmail.com", |
| 98 | + "phone": "800-555-1212" |
| 99 | + } |
| 100 | + }, |
| 101 | + "purchaseOrder": "PO-12345", |
| 102 | + "licenseTypes": [ "appliance" ], |
| 103 | + "lastRenewal": "2022-04-13T20:20:39+00:00", |
| 104 | + "expiration": "2023-04-13T20:20:39+00:00" |
| 105 | + } |
| 106 | + } |
| 107 | + } |
| 108 | +] |
| 109 | +``` |
| 110 | + |
| 111 | +All commercial license fields are optional. The licensor, licensee, and purchaser may be an organization or individual. |
| 112 | +Multiple license types may be specified and include: |
| 113 | + |
| 114 | +| **License Type** | **Description** | |
| 115 | +|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| |
| 116 | +| academic | A license that grants use of software solely for the purpose of education or research. | |
| 117 | +| appliance | A license covering use of software embedded in a specific piece of hardware. | |
| 118 | +| client-access | A Client Access License (CAL) allows client computers to access services provided by server software. | |
| 119 | +| concurrent-user | A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users. | |
| 120 | +| core-points | A license where the core of a computer's processor is assigned a specific number of points. | |
| 121 | +| custom-metric | A license for which consumption is measured by non-standard metrics. | |
| 122 | +| device | A license that covers a defined number of installations on computers and other types of devices. | |
| 123 | +| evaluation | A license that grants permission to install and use software for trial purposes. | |
| 124 | +| named-user | A license that grants access to the software to one or more pre-defined users. | |
| 125 | +| node-locked | A license that grants access to the software on one or more pre-defined computers or devices. | |
| 126 | +| oem | An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware. | |
| 127 | +| perpetual | A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely. | |
| 128 | +| processor-points | A license where each installation consumes points per processor. | |
| 129 | +| subscription | A license where the licensee pays a fee to use the software or service. | |
| 130 | +| user | A license that grants access to the software or service by a specified number of users. | |
| 131 | +| other | Another license type. | |
| 132 | + |
| 133 | + |
| 134 | +Solutions supporting the Software Development Life Cycle (SDLC) typically involve open-source license compliance or |
| 135 | +intellectual property use cases. Whereas Software Asset Management (SAM) is primarily concerned with commercial license |
| 136 | +and procurement use cases. OWASP CycloneDX has extensive support for both and can be applied to any component or service |
| 137 | +within a BOM. |
| 138 | + |
| 139 | +<div style="page-break-after: always; visibility: hidden"> |
| 140 | +\newpage |
| 141 | +</div> |
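Review bot: The SPDX expression example at line 32, `"expression": "(LGPL-2.1 OR BSD-3-Clause AND MIT)"`, uses the deprecated bare `LGPL-2.1` identifier while the evidence example at line 62 uses `LGPL-2.1-only`; the two should agree, and since the expression mixes `OR` and `AND`, explicit grouping such as `(LGPL-2.1-only OR (BSD-3-Clause AND MIT))` would make the intended precedence obvious to readers who do not know SPDX's operator binding rules. Smaller points in the same hunk: line 7 reads "a components license" (should be "a component's license"); the purchaser example at line 97 uses a real-looking `samantha.wright@gmail.com` address where a reserved documentation domain like `example.com` would avoid pointing at a potentially real mailbox; the "concluded" row of the table at line 50 ("Concluded licenses are verified and confirmed.") is thinner than the prose above it and could restate that they result from analysis of the codebase and may differ from the declared license; line 135 "Whereas Software Asset Management (SAM) is primarily concerned ..." is a sentence fragment that should be joined to the preceding sentence; and lines 51-52, 71-72 and 132-133 carry double blank lines.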