Declared and concluded license results in error

[rogu-beta]

The attempt to assign both a declared and a concluded license to a component results in the following error. Is it not supported to have both assigned or would this require a different construction of the argument?

Error
Traceback (most recent call last):
  File "C:\Users\user\01-data\10-git\example\tests\test_cyclonedx.py", line 522, in test__generate_sbom
    sbom_str = json_outputter.output_as_string(indent=4)
  File "C:\Users\user\01-data\10-git\example\venv\Lib\site-packages\cyclonedx\output\json.py", line 83, in output_as_string
    self.generate()
    ~~~~~~~~~~~~~^^
  File "C:\Users\user\01-data\10-git\example\venv\Lib\site-packages\cyclonedx\output\json.py", line 71, in generate
    bom.validate()
    ~~~~~~~~~~~~^^
  File "C:\Users\user\01-data\10-git\example\venv\Lib\site-packages\cyclonedx\model\bom.py", line 731, in validate
    raise LicenseExpressionAlongWithOthersException(
        f'Found LicenseExpression along with others licenses in: {elem!r}')
cyclonedx.exception.model.LicenseExpressionAlongWithOthersException: Found LicenseExpression along with others licenses in: <Component bom-ref=<BomRef '1c788db5-fbbf-4223-aeaa-6873238eba95' id=2750769804880>, group=net.bytebuddy, name=byte-buddy, version=1.15.11, type=ComponentType.LIBRARY>

The license expressions where created like this, where export_dependency.declared_spdx_expression and export_dependency.concluded_spdx_expression are strings.

declared_license = LicenseExpression(
    value=export_dependency.declared_spdx_expression,
    acknowledgement=LicenseAcknowledgement.DECLARED
)

concluded_license = LicenseExpression(
    value=export_dependency.concluded_spdx_expression,
    acknowledgement=LicenseAcknowledgement.CONCLUDED
)

The component is instanciated like this:

        component = Component(
            type=ComponentType.LIBRARY,
            bom_ref=product_package.data.get("uuid"),
            group=package_abcd.get("namespace"),
            name=package_abcd.get("name"),
            version=package_abcd.get("version"),
            description=package_abcd.get("description"),
            scope=scope,
            hashes=hashes,
            licenses=[declared_license, concluded_license],
            copyright=package_abcd.get("copyright"),
            cpe=cpe,
            purl=PackageURL.from_string(package_abcd.get("package_url")),
            external_references=external_references
        )

[jkowalleck]

not a bug, this is actually all according to CycloneDX spec:

EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

see https://cyclonedx.org/docs/1.6/json/#components_items_licenses

---

however, this behavior is going to change with CycloneDX 1.7 - CycloneDX/specification#511
With 1.7 and later, you may have many license expressions, and/or licenses ...

Added: Support for multiple SPDX License Expressions alongside with other licenses (CycloneDX/specification#454 via CycloneDX/specification#582)

[rogu-beta]

Thank you for the very fast response! I must have missed that the list of multiple licenses was only specified for when one is using strings rather than expressions. Only the latter supports the indication what kind of acknowledgement applies though. I will wait for CycloneDX 1.7 to support this then.

Thank you very much for the highly useful library!