Added support for license acknowledgements

Signed-off-by: Steve Springett <steve@springett.us>

schema/bom-1.6.proto

@@ -366,6 +366,8 @@ message LicenseChoice {
     // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
     string expression = 2;
   }
+  // This field must only be used when "expression" is chosen as the License object has its own acknowledgement.
+  optional LicenseAcknowledgementEnumeration acknowledgement = 3;
 }
 
 message License {
@@ -385,6 +387,18 @@ message License {
   optional Licensing licensing = 6;
   // Specifies optional, custom, properties
   repeated Property properties = 7;
+  // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+  optional LicenseAcknowledgementEnumeration acknowledgement = 8;
+}
+
+// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.
+enum LicenseAcknowledgementEnumeration {
+  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified`
+  LICENSING_ACK_UNSPECIFIED = 0;
+  // Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.
+  LICENSING_ACK_DECLARED = 1;
+  // Concluded licenses are verified and confirmed.
+  LICENSING_ACK_CONCLUDED = 2;
 }
 
 message Licensing {

schema/bom-1.6.schema.json

@@ -1234,6 +1234,9 @@
           "description": "If SPDX does not define the license used, this field may be used to provide the license name",
           "examples": ["Acme Software License"]
         },
+        "acknowledgement": {
+          "$ref": "#/definitions/licenseAcknowledgementEnumeration"
+        },
         "text": {
           "title": "License text",
           "description": "An optional way to include the textual content of a license.",
@@ -1409,6 +1412,19 @@
         }
       }
     },
+    "licenseAcknowledgementEnumeration": {
+      "title": "License Acknowledgement",
+      "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.",
+      "type": "string",
+      "enum": [
+        "declared",
+        "concluded"
+      ],
+      "meta:enum": {
+        "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.",
+        "concluded": "Concluded licenses are verified and confirmed."
+      }
+    },
     "licenseChoice": {
       "title": "License Choice",
       "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)",
@@ -1449,6 +1465,9 @@
                   "GPL-3.0-only WITH Classpath-exception-2.0"
                 ]
               },
+              "acknowledgement": {
+                "$ref": "#/definitions/licenseAcknowledgementEnumeration"
+              },
               "bom-ref": {
                 "$ref": "#/definitions/refType",
                 "title": "BOM Reference",

schema/bom-1.6.xsd

@@ -908,6 +908,23 @@ limitations under the License.
                 </xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute name="acknowledgement" type="bom:licenseAcknowledgementEnumerationType">
+            <xs:annotation>
+                <xs:documentation>
+                    Declared licenses and concluded licenses represent two different stages in the
+                    licensing process within software development. Declared licenses refer to the
+                    initial intention of the software authors regarding the licensing terms under
+                    which their code is released. On the other hand, concluded licenses are the
+                    result of a comprehensive analysis of the project's codebase to identify and
+                    confirm the actual licenses of the components used, which may differ from the
+                    initially declared licenses. While declared licenses provide an upfront indication
+                    of the licensing intentions, concluded licenses offer a more thorough understanding
+                    of the actual licensing within a project, facilitating proper compliance and risk
+                    management. Observed licenses are defined in `evidence.licenses`. Observed licenses
+                    form the evidence necessary to substantiate a concluded license.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
     </xs:complexType>
 
     <xs:complexType name="attachedTextType">
@@ -2226,13 +2243,50 @@ limitations under the License.
                                     </xs:documentation>
                                 </xs:annotation>
                             </xs:attribute>
+                            <xs:attribute name="acknowledgement" type="bom:licenseAcknowledgementEnumerationType">
+                                <xs:annotation>
+                                    <xs:documentation>
+                                        Declared licenses and concluded licenses represent two different stages in the
+                                        licensing process within software development. Declared licenses refer to the
+                                        initial intention of the software authors regarding the licensing terms under
+                                        which their code is released. On the other hand, concluded licenses are the
+                                        result of a comprehensive analysis of the project's codebase to identify and
+                                        confirm the actual licenses of the components used, which may differ from the
+                                        initially declared licenses. While declared licenses provide an upfront indication
+                                        of the licensing intentions, concluded licenses offer a more thorough understanding
+                                        of the actual licensing within a project, facilitating proper compliance and risk
+                                        management. Observed licenses are defined in `evidence.licenses`. Observed licenses
+                                        form the evidence necessary to substantiate a concluded license.
+                                    </xs:documentation>
+                                </xs:annotation>
+                            </xs:attribute>
                         </xs:extension>
                     </xs:simpleContent>
                 </xs:complexType>
             </xs:element>
         </xs:choice>
     </xs:complexType>
 
+    <xs:simpleType name="licenseAcknowledgementEnumerationType">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="declared">
+                    <xs:annotation>
+                        <xs:documentation>
+                            Declared licenses represent the initial intentions of authors regarding
+                            the licensing terms of their code.
+                        </xs:documentation>
+                    </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="concluded">
+                <xs:annotation>
+                    <xs:documentation>
+                        Concluded licenses are verified and confirmed.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+        </xs:restriction>
+    </xs:simpleType>
+
     <xs:complexType name="copyrightsType">
         <xs:sequence>
             <xs:element name="text" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>

tools/src/test/resources/1.6/valid-license-expression-1.6.json

@@ -13,6 +13,7 @@
       "licenses": [
         {
           "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0",
+          "acknowledgement": "declared",
           "bom-ref": "my-license"
         }
       ]

tools/src/test/resources/1.6/valid-license-expression-1.6.textproto

@@ -12,5 +12,6 @@ components {
   version: "9.0.14"
   licenses {
     expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+    acknowledgement: LICENSING_ACK_DECLARED
   }
 }

tools/src/test/resources/1.6/valid-license-expression-1.6.xml

@@ -15,7 +15,7 @@
                 <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
             </hashes>
             <licenses>
-                <expression bom-ref="my-license">
+                <expression bom-ref="my-license" acknowledgement="declared">
                     EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
                 </expression>
             </licenses>

tools/src/test/resources/1.6/valid-license-id-1.6.json

@@ -14,6 +14,7 @@
         {
           "license": {
             "id": "Apache-2.0",
+            "acknowledgement": "declared",
             "bom-ref": "my-license"
           }
         }

tools/src/test/resources/1.6/valid-license-id-1.6.textproto

@@ -12,7 +12,8 @@ components {
   version: "9.0.14"
   licenses {
     license {
-      id: "Apache-2.0"
+      id: "Apache-2.0",
+      acknowledgement: LICENSING_ACK_DECLARED
     }
   }
 }

tools/src/test/resources/1.6/valid-license-id-1.6.xml

@@ -15,7 +15,7 @@
                 <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
             </hashes>
             <licenses>
-                <license bom-ref="my-license">
+                <license bom-ref="my-license" acknowledgement="declared">
                     <id>Apache-2.0</id>
                 </license>
             </licenses>