BSI TR-03183-2 associated license reported incorrect in SBOM Quality report

[robin-s-007]

Hello,

I using sbomqs to validate an SBOM template (CycloneDX v1.6 JSON) against the BSI v2.1.0 standard.
While sbomqs only supports BSI v2.0 the changelog in v2.1.0 does not list anything significant differences.

When I run a sbomqs quality report, then it reports that I am missing 3 associated license references for 6 components.
In the test SBOM all components have the associated license information, according to BSI, CycloneDX standards and SPDX format.
However when I run a sbomqs Compliance Report, then it reports for each component that the associated license is compliant.

Why do two different reports generate different output on the same item for the same input file ?
Seems like the Quality report mis-interprets something here.
Could you please check ?

Best Regards,

Robin

C project SBOM example-v3_issuereport -BSi tests.json

SBOM_v3_issue_compliance_bsi.txt

[viveksahu26]

Yeah @robin-s-007 , it's bug in the compliance report then. Do you have any examples where associated license are shown ? Currently we assume concluded license as the associated license.

[robin-s-007]

Hi Vivek,

In my post I attached an SBOM with associated license information, and well as a txt file with the sbomqs Quality and Compliance report outputs.
Are you able to use these?

Regarding the concluded and declared licenses, I did also notice some strange things there, but did not report an issue yet.
It seems that sbomqs Quality report only counts concluded licenses, not declared. Why?
Both are reported licenses, but the declared is not the final license situation.
To my knowlegde (but could be mistaken);
A project can have several files with multiple license types, however the final product, which the SBOM describes will need to have a final (concluded) license type.
The project files can have declared licenses, and the product which the SBOM describes will need to have a concluded license. This license type (associated license) can be different than the project file licenses.

For me the associated license is the type of license reported (LGPL, apache etc), which needs to be one for SPDX types. https://spdx.org/licenses/
Both declared and concluded licenses will need to have an valid associate license in the https://spdx.org/licenses/ format.

I also noticed that the Compliance report handles concluded and declared licenses separately, which could be convenient for clarity. But also validates and counts them separately in the metrics. Which would mean that for fully compliant metrics, and compliancy, one will need to have both a declared and concluded license for each file.
But one would only have only one, either declared or concluded.

Best Regards,

Robin