Hi,
I noticed that when converting SPDX to CycloneDX, the field licenseConcluded from SPDX packages is not used. Only licenseDeclared seems to be mapped to component.licenses.
This causes problems when uploading SBOMs to tools like Dependency-Track, which expect at least a license expression or ID — and licenseConcluded is supposed to be the final license decision in SPDX.
Is there a reason this field is not currently used in the conversion?
Also, I saw that there is a big PR in progress by @CarolinaOliiveira #353 with SPDX support improvements. Do you plan to merge that soon? And does it fix this issue?
To give more context: I'm extracting SBOMs from the GitHub Dependency Graph API (which returns SPDX 2.3), converting them to CycloneDX using cyclonedx-cli, and uploading them to Dependency-Track as part of a pipeline. Without licenseConcluded, the conversion results in CycloneDX documents without the license values.
Thanks for the great work!
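As an added example (not code from cyclonedx-cli, the linked PR, or the issue author): a small Python pre-processing step that copies each SPDX package's licenseConcluded into licenseDeclared before the document is handed to cyclonedx-cli, so the converter's existing licenseDeclared mapping produces component.licenses. The sample SPDX document is constructed, and the SPDX sentinel values NOASSERTION and NONE are treated as "no license information".

```python
from __future__ import annotations
import json

# SPDX 2.3 sentinel values meaning "no usable license information".
SPDX_NO_LICENSE = {"NOASSERTION", "NONE", "", None}


def effective_license(pkg: dict) -> str | None:
    """Pick the license a converter should see: licenseConcluded is the final
    decision in SPDX, so it wins; licenseDeclared is the fallback."""
    for key in ("licenseConcluded", "licenseDeclared"):
        value = pkg.get(key)
        if value not in SPDX_NO_LICENSE:
            return value
    return None


def backfill_declared_licenses(spdx_doc: dict) -> dict:
    """Return a copy of an SPDX 2.3 JSON document in which every package's
    licenseDeclared carries the effective license, so a converter that only
    maps licenseDeclared still emits component.licenses. Input is untouched."""
    doc = json.loads(json.dumps(spdx_doc))
    for pkg in doc.get("packages", []):
        lic = effective_license(pkg)
        if lic is not None:
            pkg["licenseDeclared"] = lic
    return doc


def packages_without_license(spdx_doc: dict) -> list[str]:
    """SPDXIDs of packages that still have no license after backfill; a useful
    pipeline check before uploading the converted SBOM to Dependency-Track."""
    return [p["SPDXID"] for p in spdx_doc.get("packages", [])
            if effective_license(p) is None]


# Constructed sample shaped like GitHub Dependency Graph API SPDX output.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-pkg-a", "name": "pkg-a",
         "licenseConcluded": "MIT", "licenseDeclared": "NOASSERTION"},
        {"SPDXID": "SPDXRef-pkg-b", "name": "pkg-b",
         "licenseConcluded": "Apache-2.0 OR MIT", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-pkg-c", "name": "pkg-c",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NONE"},
    ],
}

if __name__ == "__main__":
    fixed = backfill_declared_licenses(SAMPLE_SPDX)
    print(json.dumps(fixed, indent=2))
    print("still unlicensed:", packages_without_license(fixed))
```

Run it on the SPDX JSON before invoking cyclonedx-cli; packages listed by packages_without_license will still show up in Dependency-Track without a license and need manual review.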