diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 6541354e..2988ea02 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -124,6 +124,7 @@ message Component {
// The hashes of the component.
repeated Hash hashes = 12;
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ // There should be no more than one per license acknowledgement.
repeated LicenseChoice licenses = 13;
// An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
optional string copyright = 14;
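Review bot: The added comment on `licenses = 13` does not say what is being counted, and nothing in the schema enforces it. If the intent is that at most one list entry carries any given acknowledgement value, wording such as `// At most one entry should be present for each license acknowledgement value.` would be harder to misread. Because `repeated LicenseChoice` cannot express this limit, the comment should also state that producers and validating consumers have to check it themselves, as a BOM that violates it still parses. The same wording is added in the Metadata (`licenses = 7`) and Service (`licenses = 11`) hunks. The Component message body starts and ends outside this hunk.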
@@ -574,6 +575,7 @@ message Metadata {
optional OrganizationalEntity supplier = 6;
// The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ // There should be no more than one per license acknowledgement.
repeated LicenseChoice licenses = 7;
// Specifies optional, custom, properties
repeated Property properties = 8;
@@ -711,6 +713,7 @@ message Service {
// Specifies information about the data including the directional flow of data and the data classification.
repeated DataFlow data = 10;
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ // There should be no more than one per license acknowledgement.
repeated LicenseChoice licenses = 11;
// Provides the ability to document external references related to the service.
repeated ExternalReference external_references = 12;
@@ -833,6 +836,7 @@ message EvidenceCopyright {
// Provides the ability to document evidence collected through various forms of extraction or analysis.
message Evidence {
// A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ // There should be no license acknowledgement assigned to any of these.
repeated LicenseChoice licenses = 1;
// Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
repeated EvidenceCopyright copyright = 2;
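Review bot: The new comment on `Evidence.licenses` says no acknowledgement should be assigned, but it does not say what a consumer should do when one is present. The field reuses `LicenseChoice`, the same type as the other `licenses` fields, so the schema presumably still accepts an acknowledgement here. Tools that treat acknowledgements as a statement of legal position would benefit from an explicit rule, for example `// Consumers should ignore any license acknowledgement found on evidence entries.`, if that matches the intended semantics. The Evidence message continues past the end of this hunk.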
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index af102f0b..7f7c1a0a 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -714,7 +714,7 @@
},
"licenses": {
"title": "BOM License(s)",
- "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
+ "description": "The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.\nThere should be no more than one per license acknowledgement.",
"$ref": "#/definitions/licenseChoice"
},
"properties": {
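Review bot: The rewritten description for the BOM-level `licenses` property is inconsistent with the other three descriptions added in this file and with the proto comment on `Metadata.licenses`. It replaces the `\n` between the first two sentences with a space, and it omits the sentence `A list of SPDX licenses and/or named licenses and/or SPDX License Expression.` that the others carry. Keeping the original line break and adding that sentence before the new constraint would make generated documentation read the same across the JSON, proto and XSD schemas.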
@@ -1000,7 +1000,8 @@
},
"licenses": {
"$ref": "#/definitions/licenseChoice",
- "title": "Component License(s)"
+ "title": "Component License(s)",
+ "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.\nThere should be no more than one per license acknowledgement."
},
"copyright": {
"type": "string",
@@ -2072,7 +2073,8 @@
},
"licenses": {
"$ref": "#/definitions/licenseChoice",
- "title": "Service License(s)"
+ "title": "Service License(s)",
+ "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.\nThere should be no more than one per license acknowledgement."
},
"patentAssertions": {
"$ref": "#/definitions/patentAssertions",
@@ -2350,7 +2352,8 @@
},
"licenses": {
"$ref": "#/definitions/licenseChoice",
- "title": "License Evidence"
+ "title": "License Evidence",
+ "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.\nThere should be no license acknowledgement assigned to any of these."
},
"copyright": {
"type": "array",
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index ae0112a2..011c0b4f 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -243,6 +243,7 @@ limitations under the License.
The license information for the BOM document.
This may be different from the license(s) of the component(s) that the BOM describes.
+ There should be no more than one per license acknowledgement.
@@ -647,7 +648,14 @@ limitations under the License.
-
+
+
+
+ A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ There should be no more than one per license acknowledgement.
+
+
+
A copyright notice informing users of the underlying claims to copyright ownership in a published work.
@@ -2428,7 +2436,14 @@ limitations under the License.
-
+
+
+
+ A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ There should be no more than one per license acknowledgement.
+
+
+
@@ -2890,7 +2905,14 @@ limitations under the License.
-
+
+
+
+ A list of SPDX licenses and/or named licenses and/or SPDX License Expression.
+ There should be no license acknowledgement assigned to any of these.
+
+
+