diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index a618b926..9a989fc2 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -127,6 +127,7 @@ message Component {
// The hashes of the component.
repeated Hash hashes = 12;
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ // There should be no more than one per license acknowledgement.
repeated LicenseChoice licenses = 13;
// An copyright notice informing users of the underlying claims to copyright ownership in a published work.
optional string copyright = 14;
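Review bot: The sentence added above `licenses` in `Component` leaves open what "one" counts (a single license entry, a single expression, or a single `LicenseChoice`), so producers and validating tools can read the limit differently, and license-compliance checks that consume the BOM may then disagree on which entry is authoritative. The same wording is added in the `Metadata` and `Service` hunks below and in the matching JSON and XSD descriptions. If the intent is a cap per acknowledgement value, say so directly, e.g. `// At most one license entry should be present for each license acknowledgement value.` As far as these hunks show, the limit is stated in prose only, so consumers should not assume it holds for BOMs from untrusted producers. `Component`'s body continues outside the hunk.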
@@ -585,6 +586,7 @@ message Metadata {
optional OrganizationalEntity supplier = 6;
// The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ // There should be no more than one per license acknowledgement.
repeated LicenseChoice licenses = 7;
// Specifies custom properties.
repeated Property properties = 8;
@@ -722,6 +724,7 @@ message Service {
// Specifies information about the data including the directional flow of data and the data classification.
repeated DataFlow data = 10;
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ // There should be no more than one per license acknowledgement.
repeated LicenseChoice licenses = 11;
// Provides the ability to document external references related to the service.
repeated ExternalReference external_references = 12;
@@ -848,6 +851,7 @@ message EvidenceCopyright {
// Provides the ability to document evidence collected through various forms of extraction or analysis.
message Evidence {
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ // There should be no license acknowledgement assigned to any of these.
repeated LicenseChoice licenses = 1;
// Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
repeated EvidenceCopyright copyright = 2;
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 1ca17a2e..53e5d183 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -725,7 +725,7 @@
},
"licenses": {
"title": "BOM License(s)",
- "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
+ "description": "The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.\nThere should be no more than one per license acknowledgement.",
"$ref": "#/definitions/licenseChoice"
},
"properties": {
@@ -1018,7 +1018,8 @@
},
"licenses": {
"$ref": "#/definitions/licenseChoice",
- "title": "Component License(s)"
+ "title": "Component License(s)",
+ "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.\nThere should be no more than one per license acknowledgement."
},
"copyright": {
"type": "string",
@@ -2093,7 +2094,8 @@
},
"licenses": {
"$ref": "#/definitions/licenseChoice",
- "title": "Service License(s)"
+ "title": "Service License(s)",
+ "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.\nThere should be no more than one per license acknowledgement."
},
"patentAssertions": {
"$ref": "#/definitions/patentAssertions",
@@ -2371,7 +2373,8 @@
},
"licenses": {
"$ref": "#/definitions/licenseChoice",
- "title": "License Evidence"
+ "title": "License Evidence",
+ "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.\nThere should be no license acknowledgement assigned to any of these."
},
"copyright": {
"type": "array",
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index c2c725ef..2448a5ea 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -243,6 +243,7 @@ limitations under the License.
The license information for the BOM document.
This may be different from the license(s) of the component(s) that the BOM describes.
+ There should be no more than one per license acknowledgement.
@@ -661,7 +662,14 @@ limitations under the License.
-
+
+
+
+ A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ There should be no more than one per license acknowledgement.
+
+
+
A copyright notice informing users of the underlying claims to copyright ownership in a published work.
@@ -2447,7 +2455,14 @@ limitations under the License.
-
+
+
+
+ A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ There should be no more than one per license acknowledgement.
+
+
+
@@ -2909,7 +2924,14 @@ limitations under the License.
-
+
+
+
+ A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ There should be no license acknowledgement assigned to any of these.
+
+
+