
Provide mapping for "original licence", "distribution licence", and "effective licence" (BSI TR-03183-2) #1255

@bact

Description


"original licence", "distribution licence", and "effective licence" are defined and used in the German Federal BSI TR-03183-2: Cyber Resilience Requirements for Manufacturers and Products - Part 2: Software Bill of Materials (SBOM) Version 2.1.0 (see text below).

We may like to assess if it is necessary or desired to provide a mapping of SPDX properties/relationships to those license type definitions. Probably in the Licensing profile description: https://github.com/spdx/spdx-3-model/blob/develop/model/Licensing/Licensing.md

Relevant text from BSI TR-03183-2:

3.2.8 Licence information

This Technical Guideline distinguishes between three categories of licence information:

  • Original licence(s)
    Original licence(s) are all licences that have been assigned by the creator of the component.
  • Distribution licence(s)
    Distribution licence(s) are all licences under which a component recorded in the current SBOM can be used by a licensee.
  • Effective licence
    The effective licence is the licence under which the component is used by the licensee that is the creator of the current SBOM.

The terms “concluded licences” and “declared licences” are not defined and used consistently throughout different SBOM standards and implementations. To avoid inconsistencies and confusion and allow for an easy mapping this Technical Guideline uses different terms.

Note: Because the “effective licence” is set by the creator of the current SBOM, it has to be set anew when merging SBOMs. However, this process may result in the same “effective licence”.
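As an added illustration (not from the issue, the BSI document, or the SPDX project), a small Python check that treats the three BSI categories as a data model. It assumes that an effective licence must be one of the distribution licences, and, following the note above, that carrying a component into a merged SBOM drops the upstream effective licence so the new SBOM creator sets it anew; all field and function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class ComponentLicences:
    """Licence information for one SBOM component in the three
    BSI TR-03183-2 categories (field names are this example's own)."""
    name: str
    original: Set[str]          # licences assigned by the component's creator
    distribution: Set[str]      # licences a licensee may use the component under
    effective: Optional[str] = None  # licence chosen by the current SBOM's creator


def check_component(c: ComponentLicences) -> List[str]:
    """Return a list of consistency problems (empty list means consistent)."""
    problems: List[str] = []
    if not c.original:
        problems.append(f"{c.name}: no original licence recorded")
    if not c.distribution:
        problems.append(f"{c.name}: no distribution licence recorded")
    # Assumption of this example: the licence actually used by the SBOM
    # creator must be one of the licences the component may be used under.
    if c.effective is not None and c.effective not in c.distribution:
        problems.append(
            f"{c.name}: effective licence {c.effective!r} is not among "
            f"distribution licences {sorted(c.distribution)}"
        )
    return problems


def merge_component(upstream: ComponentLicences,
                    new_effective: Optional[str] = None) -> ComponentLicences:
    """Carry a component from an upstream SBOM into a new SBOM.

    Per the BSI note, the effective licence belongs to the creator of the
    current SBOM, so the upstream value is discarded rather than copied;
    the new creator supplies it (possibly the same value) via new_effective.
    """
    return ComponentLicences(
        name=upstream.name,
        original=set(upstream.original),
        distribution=set(upstream.distribution),
        effective=new_effective,
    )


# Constructed sample: a dual-licensed component used under MIT.
SAMPLE = ComponentLicences("libexample", {"MIT", "Apache-2.0"},
                           {"MIT", "Apache-2.0"}, "MIT")
```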

Labels: Profile:Licensing (Licensing profiles, including SimpleLicensing and ExpandedLicensing, and related matters)