feat: Alias Bouncy Castle Licence to MIT #674

Open: wants to merge 1 commit into master

Conversation

jakub-bochenski
Contributor

Per SPDX the license is equivalent to MIT: spdx/license-list-XML#910 (comment)

Fixes #643

Per SPDX the license is equivalent to MIT: spdx/license-list-XML#910 (comment)

Signed-off-by: jakub-bochenski <[email protected]>
@jakub-bochenski jakub-bochenski requested a review from a team as a code owner July 25, 2025 14:32
@nscuro
Member

nscuro commented Jul 29, 2025

I am not 100% confident we can simply resolve Bouncy Castle License to MIT. Even if they are effectively the same, I believe this replacement would qualify as data loss.

@stevespringett @msymons @mr-zepol Any thoughts?

@jakub-bochenski
Contributor Author

The way I understand it, there is no data loss.

Assigning SPDX ID means that the license text matches the license template associated with said SPDX ID.

The above is true for the Bouncy Castle License.

@stevespringett
Member

I trust @swinslow's opinion and agree that Bouncy Castle ~= MIT.

However, the project did not declare the license to be MIT. They declared it to be the Bouncy Castle Licence. IMO, the aliasing in this library needs to be expanded to support the difference between declared and concluded licenses.

IMO, what should happen in this scenario is this:

  • Declared license is Bouncy Castle Licence.
  • Concluded license is MIT.

This would result in something like this:

{
  "type": "library",
  "group": "org.bouncycastle",
  "name": "bcprov-jdk18on",
  "version": "1.8.1",
  "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.8.1",
  "licenses": [
    {
      "license": {
        "name": "Bouncy Castle Licence",
        "acknowledgement": "declared"
      }
    },
    {
      "license": {
        "id": "MIT",
        "acknowledgement": "concluded"
      }
    }
  ]
}

@jakub-bochenski
Contributor Author

jakub-bochenski commented Jul 31, 2025

Given that Dependency-Track only supports 1 license ATM, and uses order to prioritize them, it would be better if the concluded license was first.

{
  "type": "library",
  "group": "org.bouncycastle",
  "name": "bcprov-jdk18on",
  "version": "1.8.1",
  "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.8.1",
  "licenses": [
    {
      "license": {
        "id": "MIT",
        "acknowledgement": "concluded"
      }
    },
    {
      "license": {
        "name": "Bouncy Castle Licence",
        "acknowledgement": "declared"
      }
    }
  ]
}
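
The declared/concluded handling proposed in this thread, as an added Python example that is not part of cyclonedx-core-java or of any comment above; the alias table, the function names and the single-license "first entry wins" consumer are assumptions made for illustration:

```python
import json

# Constructed alias table in the spirit of license-mapping.json. The Bouncy Castle
# entry is what this PR proposes; the EDL entry mirrors the existing BSD-3-Clause
# mapping mentioned in the thread. The exact alias strings are assumptions.
LICENSE_ALIASES = {
    "Bouncy Castle Licence": "MIT",
    "Bouncy Castle License": "MIT",
    "Eclipse Distribution License - v 1.0": "BSD-3-Clause",
}


def resolve_licenses(declared: str, aliases=LICENSE_ALIASES) -> list:
    """Build the CycloneDX `licenses` array for a declared license string.

    Rather than replacing the declared name with its SPDX alias (the "data loss"
    concern raised above), both are kept: the concluded SPDX id goes first so a
    consumer that only reads one entry picks the machine-resolvable one, and the
    declared text is retained after it. Unknown names are passed through as-is.
    """
    spdx_id = aliases.get(declared.strip())
    if spdx_id is None:
        # No alias known: nothing is concluded, only the declared name is emitted.
        return [{"license": {"name": declared, "acknowledgement": "declared"}}]
    return [
        {"license": {"id": spdx_id, "acknowledgement": "concluded"}},
        {"license": {"name": declared, "acknowledgement": "declared"}},
    ]


def effective_license(licenses: list) -> str:
    """What a single-license consumer sees: the id (or name) of the first entry."""
    first = licenses[0]["license"]
    return first.get("id") or first["name"]


def component(group: str, name: str, version: str, declared: str) -> dict:
    """Assemble a minimal CycloneDX component with the resolved licenses array."""
    return {
        "type": "library",
        "group": group,
        "name": name,
        "version": version,
        "purl": f"pkg:maven/{group}/{name}@{version}",
        "licenses": resolve_licenses(declared),
    }


if __name__ == "__main__":
    bom_component = component("org.bouncycastle", "bcprov-jdk18on", "1.8.1", "Bouncy Castle Licence")
    print(json.dumps(bom_component, indent=2))
```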

@jakub-bochenski
Contributor Author

I see there is already a similar case - variants of Eclipse Distribution License are resolved to BSD-3-Clause https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/license-mapping.json#L65-L68
