License issue GPL dependency rfc3987

[kdekker-kdr4]

cyclonedx-python (cyclonedx-bom==4.1.2) depends via cyclonedx-python-lib==6.4.3 on the package jsonschema, but with the special option format (jsonschema[format]).
This introduces the GPL dependency of package rfc3987, which I think is not the intention.

How to reproduce:

1. Install Python 3.10.11
2. In cmd call: pip install cyclonedx-bom

Prove:

Potential solution:

• Depend on jsonschema[format-nongpl]

Temporary user solution:

• Downgrade cyclonedx-bom to a version without the dependency such as 3.11.7.

[jkowalleck]

This introduces the GPL dependency of package rfc3987, which I think is not the intention.

some background: we are not shipping any assembly, nor bundle. Therefore, we never mix any licenses.
Neither do users of this package generate any bundle/assembly when installing it. All they do is putting certain packages somewhere on their machine, so that python can find and run them.
This means, at no point, a mix of licenses exists.
This means, no license issues exist.

Is that not true, @kdekker-private ?

Anyway, I will check whether a non-gpl package can do the job.

[jkowalleck]

The rfc3987 is used to validate iri-reference in JSON - which is widely used in CycloneDX.
Therefore, schema validation would not be complete without it.

[jkowalleck]

@kdekker-private could you elaborate how the current situation affects you?
What does it prevent you from doing/achieving?

[kdekker-kdr4]

At the current stage it does not prevent us anymore from doing/achieving anything. We accidently added your package in distribution. But removed it and are happy to use it outside of that.

However, I think it would be good for transparency to at least notify the user in the readme that a GPL licensed package is used under the hood. The MIT license of your package might mask this a bit. Ideal would be to remove the dependency on the GPL package, if it is possible. Thanks for the quick response.

[jkowalleck]

re: #568 (comment)

sounds reasonable. 👍
Would you open a pull request that improves the documentation in a way that suites your needs? Thank you in advance

[kdekker-kdr4]

@jkowalleck please reopen this issue. With the environment subcommand, you first need to install cyclonedx-py and therefore it is included together with also rfc3987 in the dependencies. Using option environment triggers a GPL notification.

[jkowalleck]

not gonna reopen it. Situation was settled.
if you have any new points to the argument, please open a new issue and tell what differs from this one.

[jkowalleck]

With the environment subcommand, you first need to install cyclonedx-py

That is the usual with python packages: you have to install them. And you will automatically pull the dependencies. You then end up with a python (virtual) environment where a lot of packages all sit next to each other, none of them are bundled nor assembled. That is all completely legal, even under GPL2, afaik.

Using option environment triggers a GPL notification.

What does "triggers a GPL notification"? Which system does that?

---

the usual: if you are running an analysis of a python (virtual) environment, and you want to exclude your dev-tools - like cyclonedx-py - from it,
then you should install the dev-tools in a different venv than the system you are analysing with your dev tools.
To make this possible, cyclonedx-py environment ... knows an optional parameter that allows to select the environment to analyse.
See some examples in the docs: https://cyclonedx-bom-tool.readthedocs.io/en/latest/usage.html#examples-for-macos-linux-and-alike

[kdekker-kdr4]

Yes that solved my case. Was overlooking this options. Thanks for explaining it for me.

[jkowalleck]

I am glad we had this conversation. 🥇
This will be a go-to showcase for everybody facing the same problems you had. I hope this will help many users.

[pombredanne]

This is still an issue IMHO as I explained in @Adeline-Toader discussion at #658 (comment)