related: CycloneDX/cyclonedx-python#826

I agree with the problem, especially case C.
I would like to be able to have a lawyer or some automatic mechanism review the product sbom so that I can identify which licence to "refer" to for each individual component based on my use case.
It is more than reasonable to have two licenses defined for a product, e.g. if the component is used in open source projects then the license is type A, otherwise if it is used for commercial purposes then the license is type B.
This is just an example.
And, of course, in the report I would like to avoid replacing the license expression declared by whoever produced the component in question.
One solution might be to allow to have one license expression and only one license by specifying ‘acknowledgement concluded’, but I don't know whether this would create problems elsewhere.

I will be working on a solution for this, planned for CycloneDX 1.7.
All comments, discussions, and any help is welcome.

The example should also mention "LicenseRef-" items to clearly state that such simple expressions are also SPDX expression by definition of SPDX, not only compound expressions.

Situation B:
After discussing the topic "concluded" license with our OSCO (Open Source Compliance Officer) my understanding is that a concluded license must not contain a compound statement with "OR". A decision must be taken.
The example would be the same as "MIT OR GPL-3.0-only OR GPL-2.0-only"
Based on current existing licenses it is compatible with "MIT OR GPL-2.0-or-later" or "MIT OR GPL-2.0+"

Concluded license possiblities:

• MIT (MIT)
• GPL-2.0 (GPL-2.0-only)
• GPL-3.0 (GPL-3.0-only)

Situation C:
"GPL-2.0+" cannot by used as concluded license based on the legal information I have (see also link below). It has an implicit "OR". As a consumer I have the choice to select between GPL-2.0 or a higher version (GPL-3.0) and I have to make a choice in my context. The GPL licenses are not fully compatible, so it is a legal requirement to select what applies for me as concluded license.

Clear statement here (Standard License Header):
https://spdx.org/licenses/GPL-2.0-or-later.html

Another significant reference:
BSI-TR-03183-2 Version 2.0.0 (10.10.2024)
Federal Office for Information Security (BSI)
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2-2_0_0.html
Chapter 6.1 (License identifiers and expressions)
They refer to SPDX annexes about usage, they also recommend to use the Scancode LicenseDB Aboutcode!

re: #454 (comment)

Thanks for pointing that out.
I tried to incorporate your remarks in the description, and also added a section "expected results" to showcase the results.
Could you check whether all your use cases are represented, @Joerki ?

Anyway, the examples exist for showcasing needed options(requirements). As stated

(this is just an example for spec reasons, this is not a real-world law case!)

"GPL-2.0+" cannot by used as concluded license based on the legal information I have (see also link below). It has an implicit "OR". As a consumer I have the choice to select between GPL-2.0 or a higher version (GPL-3.0) and I have to make a choice in my context. The GPL licenses are not fully compatible, so it is a legal requirement to select what applies for me as concluded license.

this might be true for OBOM and alike, but not for SBOM.
lets say i am pulling a library from the internet, and i have a lawyer analyzing the license posture, and they conclude "I've analyzed the license's README and other evidences, and i conclude the license to be free to chose from A or B ... -- which one is applied can be decided only after the lib was integrated into a system."

please review the proposed implementation changes to enable the features outlined in this very ticket:
#582

@jkowalleck Since you are tackling licensing, I would suggest considering these:

1. Deprecate entirely "single SPDX license IDs, and named licenses" and only use license expressions in the future (dropping entirely "single SPDX license IDs, and named licenses" in 1.8 or 1.9. The support of "A list of SPDX licenses and/or named licenses and/or SPDX License Expression." is confusing IMHO. Expressions are enough, especially if combined with 2. and 3. Names and ids are mostly unusable for any kind of automation.
2. Add explicit support for scancode LicenseRef (they are recommended in Germany and India) and local LicenseRef as per @Joerki
3. Add support for tracking the actual license text and notices which is missing today and needed for local LicenseRef
4. Also adopt expressions for the various spec artifacts like this

   specification/schema/bom-1.7.schema.json

   Line 6 in 3f3873e

   "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",

@Joerki re: #454 (comment)

I have to make a choice in my context. The GPL licenses are not fully compatible, so it is a legal requirement to select what applies for me as concluded license.

Actually the mileage may vary. Some lawyers may prefer to convey the choice, some may prefer to pick one. So I am not sure there is any legal requirement to select a license, except in a few rare case.

One such case is with FreeType https://gitlab.freedesktop.org/freetype/freetype/-/blob/b1f47850878d232eea372ab167e760ccac4c4e32/LICENSE.TXT#L9 ...

This means that you must choose one of the two licenses described
below, then obey all its terms and conditions when using FreeType 2 in
any of your projects or products.

.... but this is a really rare case. Most exceptions allow to keep or drop the exception, and many licensing that allow future versions may not even give you the choice to drop future version (like the Eclipse license).

re: #454 (comment)

A friendly reminder: do not mix multiple scopes in one ticket. Deprecating one structure, and enhancing another are two different scopes, and should be handled in separate tickets and separate pull requests.

re topic 1

Deprecate entirely "single SPDX license IDs, and named licenses" and only use license expressions in the future (dropping entirely "single SPDX license IDs, and named licenses" in 1.8 or 1.9. The support of "A list of SPDX licenses and/or named licenses and/or SPDX License Expression." is confusing IMHO. Expressions are enough, especially if combined with 2. and 3. Names and ids are mostly unusable for any kind of automation.

This is not in the scope of this very ticket. I do not intend to switch scopes of this ticket.
I am planning to bring a "fix"/"feature" to CycloneDX that helps users ASAP. I do not intend to drive a years-long discussion about alternatives and such.

Anybody interested in pursuing the goal of deprecating current license structures, while enhancing others is free to do so - I have no problem with that. It all starts with creating a ticket for that and championing/driving the topic. Go ahead. :-)

re topic 2

Add explicit support for scancode LicenseRef

license-refs are anything the SPDX ID is not assigned, right?
this is what named licenses are for.

re topic 3

Add support for tracking the actual license text and notices which is missing today and needed for local LicenseRef

when used in an SPDX expression: this is #554 what is about.
Otherwise: this is what named licenses are for - they have an attachment already

re topic 4:

completely different topic.

PS: feel free to open separate tickets for all the things you mentioned. I will not work on them in this very ticket due to ticket scope.

Add explicit support for scancode LicenseRef

license-refs are anything the SPDX ID is not assigned, right? this is what named licenses are for.

This is confusing for me. The "name" (also considering the example in the CycloneDX definition) is a human readable title (-> see SPDX). I could print it together with the license text in an attribution report for a customer.