Description
Describe the feature
Currently CycloneDX has no way to record which licence the user of a component has selected (the associated licence) from the set of possible licences the component declares (the declared licences).
The Technical Guideline BSI TR-03183-2 v2.0.0 states the following:
A special case is that the primary licensee is forced by the component creator to choose from different sets of licences which are mutually exclusive. A classic example is Qt where the primary licensee has to decide between GPL and a proprietary licence; only the made choice can be handed further down the supply chain. Hence the associated licences can differ from the declared licences.

Declared licences are all licences that have been declared by the creator of a component.
Associated licences are all licences under which a component can be used by the licensee.
Concluded licences are determined by the licensee that is the component creator of the primary component of the current SBOM.
Possible solutions
I'd like to propose adding "associated" in addition to "declared" and "concluded" to licenseAcknowledgementEnumeration, with the description:
associated: "Associated licences are all licences under which a component can be used by the licensee."
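As an added illustration (not part of this issue or of the CycloneDX project's code): a constructed CycloneDX 1.6-style component for the Qt case above, with the licensee's choice recorded using the proposed "associated" acknowledgement, plus a small check that the recorded choice is one of the declared alternatives. The component name and version, the helper functions, and the rule that an associated licence must be drawn from the declared set are assumptions of this example.

```python
import copy
import json

# Constructed CycloneDX 1.6-style component for the Qt case in the issue: two mutually
# exclusive declared licences and the licensee's choice recorded as "associated".
# "associated" is this issue's proposal, not a published enum value; name/version are made up.
SAMPLE_COMPONENT = json.loads("""
{
  "type": "library",
  "name": "qt",
  "version": "6.0.0",
  "licenses": [
    {"license": {"id": "GPL-3.0-only", "acknowledgement": "declared"}},
    {"license": {"name": "Qt Commercial License", "acknowledgement": "declared"}},
    {"license": {"id": "GPL-3.0-only", "acknowledgement": "associated"}}
  ]
}
""")

def licenses_by_acknowledgement(component):
    """Group licence identifiers (SPDX id, else name) by their acknowledgement value."""
    groups = {}
    for entry in component.get("licenses", []):
        lic = entry.get("license")
        if lic is None:
            continue  # entries carrying an SPDX "expression" are not handled here
        ident = lic.get("id") or lic.get("name")
        groups.setdefault(lic.get("acknowledgement"), set()).add(ident)
    return groups

def record_choice(component, ident):
    """Return a copy with `ident` recorded as the associated licence, reusing the
    matching declared entry's id/name form; an unknown ident is recorded as an id."""
    chosen = copy.deepcopy(component)
    kept = [e for e in chosen.get("licenses", [])
            if e.get("license", {}).get("acknowledgement") != "associated"]
    match = next((e["license"] for e in kept if e.get("license", {}).get("id") == ident
                  or e.get("license", {}).get("name") == ident), {"id": ident})
    kept.append({"license": dict(match, acknowledgement="associated")})
    chosen["licenses"] = kept
    return chosen

def check_associated_choice(component):
    """Return (ok, problems). Assumption: an associated licence must be one of the
    declared alternatives, because the licensee may only choose, not add."""
    groups = licenses_by_acknowledgement(component)
    declared, associated = groups.get("declared", set()), groups.get("associated", set())
    problems = []
    if not associated:
        problems.append("no associated licence recorded; the choice made is lost downstream")
    for ident in sorted(associated - declared):
        problems.append(f"associated licence {ident!r} is not among the declared alternatives")
    return (not problems, problems)
```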
Additional context
One idea for the next version of BSI TR-03183-2 is to recommend how the data fields stated in the Technical Guideline should be mapped to CycloneDX. We are also trying to minimise the use of the BSI CycloneDX Property Taxonomy.