CycloneDX · jkowalleck · Feb 26, 2025
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
@@ -1494,25 +1494,20 @@
               },
               "expressionDetails": {
                 "title": "Expression Details",
-                "description": "Details for parts of the `expression`.",
-                "type": "array",
-                "items": {
+                "description": "Details for parts of the `expression`.\n(An SPDX expression may be a compound of license identifiers.)",
+                "$comment": "Property keys are valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.",
+                "type": "object",
+                "examples": [
+                  {
+                    "Apache-2.0": { "text":  "..." },
+                    "GPL-3.0-only WITH Classpath-exception-2.0": { "text": "..." },
+                    "LicenseRef-my-custom-license": { "text":  "..." }
+                  }
+                ],
+                "additionalProperties": {
                   "type": "object",
-                  "description": "Specifies the details and attributes related to a software license identifier.\n(An SPDX expression may be a compound of license identifiers.)",
-                  "required": [
-                    "licenseIdentifier"
-                  ],
+                  "description": "Specifies the details and attributes related to a software license identifier.",
                   "properties": {
-                    "licenseIdentifier": {
-                      "title": "License Identifier",
-                      "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.",
-                      "type": "string",
-                      "examples": [
-                        "Apache-2.0",
-                        "GPL-3.0-only WITH Classpath-exception-2.0",
-                        "LicenseRef-my-custom-license"
-                      ]
-                    },
                     "text": {
                       "title": "License texts",
                       "description": "An optional way to include the textual content of the license.",

diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
@@ -2388,7 +2388,18 @@ limitations under the License.
         <xs:choice>
             <xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
             <xs:element name="expression" type="bom:expressionType" minOccurs="0" maxOccurs="1" />
-            <xs:element name="expression-detailed" type="bom:expressionDetailedType" minOccurs="0" maxOccurs="1" />
+            <xs:element name="expression-detailed" type="bom:expressionDetailedType" minOccurs="0" maxOccurs="1">
+                <xs:unique name="expression-detailed_details_unique_license-identifier">
+                    <xs:annotation>
+                        <xs:documentation>
+                            The attribute `license-identifier` serves as the primary key, which uniquely identifies each record.
+                            Therefore, it must be unique.
+                        </xs:documentation>
+                    </xs:annotation>
+                    <xs:selector xpath="./bom:details"/>
+                    <xs:field xpath="@license-identifier"/>
+                </xs:unique>
+            </xs:element>
         </xs:choice>
     </xs:complexType>
 

diff --git a/tools/src/test/resources/1.7/invalid-license-expression-with-text-1.7.xml b/tools/src/test/resources/1.7/invalid-license-expression-with-text-1.7.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
+    <components>
+        <component type="application">
+            <publisher>Acme Inc</publisher>
+            <group>com.acme</group>
+            <name>tomcat-catalina</name>
+            <version>9.0.14</version>
+            <description>Modified version of Apache Catalina</description>
+            <scope>required</scope>
+            <licenses>
+                <expression-detailed bom-ref="my-license" acknowledgement="declared"
+                                     expression="EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
+                >
+                    <details license-identifier="EPL-2.0">
+                        <text><![CDATA[Eclipse Public License - v 2.0
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE
+    PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION
+    OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT...]]]></text>
+                    </details>
+                    <details license-identifier="EPL-2.0">
+                        <text>duplicate license-identifier</text>
+                    </details>
+                </expression-detailed>
+            </licenses>
+            <purl>pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar</purl>
+        </component>
+    </components>
+</bom>
diff --git a/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json b/tools/src/test/resources/1.7/valid-license-expression-with-text-1.7.json
@@ -18,21 +18,19 @@
           "bom-ref": "my-license",
           "acknowledgement": "declared",
           "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0",
-          "expressionDetails": [
-            {
-              "licenseIdentifier": "EPL-2.0",
+          "expressionDetails": {
+            "EPL-2.0": {
               "text": {
                 "content": "Eclipse Public License - v 2.0\n\n    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n    PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n    OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..."
               }
             },
-            {
-              "licenseIdentifier": "GPL-2.0 WITH Classpath-exception-2.0",
+            "GPL-2.0 WITH Classpath-exception-2.0": {
               "text": {
                 "contentType": "text/plain",
                 "content": "                    GNU GENERAL PUBLIC LICENSE\n                       Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n <https://fsf.org/>\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..."
               }
             }
-          ]
+          }
         }
       ],
       "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"