feat: Add complete License-Text to SBOM result

[jkowalleck]

caused by #22

similar to

• feat: Add complete License-Text to cyclonedx bom cyclonedx-python#570
• FEAT: Option to add license text to SBOM result cyclonedx-node-npm#256

---

Is your feature request related to a problem? Please describe.

For legal documentation, we need the original text of the licenses of components.

Describe the solution you'd like

An option to enable integration of the license-text in the BOM file, like the old @cyclonedx/bom package had, would be great to have again here.

---

read https://cyclonedx.org/news/cyclonedx-v1.3-released/#copyright-and-license-evidence

Acceptance criteria

• the feature to add license texts should be enabled by a CLI switch called --gather-license-evidence (name to be discussed)
• the feature is disabled per default
• only if the feature is enabled:
  • for all components, meta-components, root-components and nested components:
    regardless of SPDX license ID, SPDX license expression or named license, the deteced license texts should be added, each as an evidence
    Examples:

    {
      //...
      "evidence": { 
        "licenses": [
          {"id":"Apache-2.0", "text": {
            "contentType": "text/plain",
            "encoding": "base64",
            // base64 of content of file `LICENSE`
            "content": "bG9yZW0gaXBzdW0="
          }}
          {"name":"file: NOTICE", "text": {
            "contentType": "text/plain",
            "encoding": "base64",
            // base46 of content of file `NOTICE`
            "content": "bG9yZW0gaXBzdW0="
          }}
        ]
      },
      // ...
    }

  • if a license text is detected with the package, it would be added to Component's @.evicence.licenses
    • @.name would be 'License of : '
    • @.text would hold the test
      • the content type is to be derived from file extension
      • the content SHOULD be base64 encoded
  • license files patterns are:
    • LICEN[CS]E*
    • NOTICE* -- addendum for Apache-2.0 and others
  • if no license text is shipped with a package, no license test is added as a evidence.
    Nope, no license template is derived from package's declared SPDX license id.
    Reason: license templates (like BSD clause 3) are designed to be modified (unlike others, like Apache2, which is not a template but a complete text)

[jkowalleck]

The license text feature was removed from the code, to ease the way to v1.0/MVP.
With the v1.0 release candidate being public for some time now, i do not expect any internal refactoring or changes soon. This means, the implementation is ready to be extended.

@AugustusKling, are you still interested in working on a license text gathering for component evidences?

[AugustusKling]

@jkowalleck I'm still willing to provide code to add the license gathering. That said, I'm somewhat occupied these days so I don't know when this will happen.

So far I didn't even find time to go through your changes to the implementation nor to try it out to provide feedback.

[jkowalleck]

A similar feature was added to the webpack plugin
see CycloneDX/cyclonedx-webpack-plugin#1309
see CycloneDX/cyclonedx-webpack-plugin#1312