Skip to content

feat: Alias Bouncy Castle Licence to MIT#674

Open
jakub-bochenski wants to merge 1 commit intoCycloneDX:masterfrom
jakub-bochenski:patch-2
Open

feat: Alias Bouncy Castle Licence to MIT#674
jakub-bochenski wants to merge 1 commit intoCycloneDX:masterfrom
jakub-bochenski:patch-2

Conversation

@jakub-bochenski
Copy link
Contributor

@jakub-bochenski jakub-bochenski commented Jul 25, 2025

Per SPDX the license is equivalent to MIT: spdx/license-list-XML#910 (comment)

Fixes #643

@jakub-bochenski
feat: Alias Bouncy Castle Licence to MIT
7e18d1d 
Per SPDX the license is equivalent to MIT: spdx/license-list-XML#910 (comment)

Signed-off-by: jakub-bochenski <kuba.bochenski@gmail.com>
@jakub-bochenski jakub-bochenski requested a review from a team as a code owner July 25, 2025 14:32
@nscuro
Copy link
Member

nscuro commented Jul 29, 2025

I am not 100% confident we can simply resolve Bouncy Castle License to MIT. Even if they are effectively the same, I believe this replacement would qualify as data loss.

@stevespringett @msymons @mr-zepol Any thoughts?

@jakub-bochenski
Copy link
Contributor Author

jakub-bochenski commented Jul 30, 2025

The way I understand it there is no data loss.

Assigning SPDX ID means that the license text matches the license template associated with said SPDX ID.

Above is true for the Bouncycastle License

@stevespringett
Copy link
Member

stevespringett commented Jul 30, 2025

I trust @swinslow's opinion and agree that Bouncy Castle ~= MIT.

However, the project did not declare the license to be MIT. They declared it to be the Bouncy Castle Licence. IMO, the aliasing in this library needs to be expanded to support the difference between declared and concluded licenses.

IMO, what should happen in this scenario is this:

  • Declared license is Bouncy Castle Licence.
  • Concluded license is MIT.

This would result in something like this:

{
  "type": "library",
  "group": "org.bouncycastle"
  "name": "bcprov-jdk18on",
  "version": "1.8.1",
  "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.8.1",
  "licenses": [
    {
      "license": {
        "name": "Bouncy Castle Licence",
        "acknowledgement": "declared"
      }
    },
    {
      "license": {
        "id": "MIT",
        "acknowledgement": "concluded"
      }
    }
  ]
}

@jakub-bochenski
Copy link
Contributor Author

jakub-bochenski commented Jul 31, 2025
edited
Loading

Given that Dependency-Track only supports 1 license ATM, and uses order to prioritize them it would be better if the concluded license was first.

{
  "type": "library",
  "group": "org.bouncycastle"
  "name": "bcprov-jdk18on",
  "version": "1.8.1",
  "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.8.1",
  "licenses": [
    {
      "license": {
        "id": "MIT",
        "acknowledgement": "concluded"
      }
    },
    {
      "license": {
        "name": "Bouncy Castle Licence",
        "acknowledgement": "declared"
      }
    }
  ]
}

@jakub-bochenski
Copy link
Contributor Author

jakub-bochenski commented Jul 31, 2025

I see there is already a similiar case - variants of Eclipse Distribution License are resolved to BSD-3-Clause https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/license-mapping.json#L65-L68

@jkowalleck jkowalleck mentioned this pull request Aug 4, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bouncy Castle License

3 participants

@jakub-bochenski @nscuro @stevespringett