feat: licenses acknowledgement SHOULD be unique

schema/bom-1.7.proto

@@ -122,7 +122,8 @@ message Component {
   optional Scope scope = 11;
   // The hashes of the component.
   repeated Hash hashes = 12;
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+  // There should be no more than one per license acknowledgement.
   repeated LicenseChoice licenses = 13;
   // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.
   optional string copyright = 14;
@@ -520,7 +521,7 @@ message Metadata {
   // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
   optional OrganizationalEntity supplier = 6;
   // The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // There should be no more than one per license acknowledgement.
   repeated LicenseChoice licenses = 7;
   // Specifies optional, custom, properties
   repeated Property properties = 8;
@@ -655,7 +656,8 @@ message Service {
   optional bool x_trust_boundary = 9;
   // Specifies information about the data including the directional flow of data and the data classification.
   repeated DataFlow data = 10;
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+  // There should be no more than one per license acknowledgement.
   repeated LicenseChoice licenses = 11;
   // Provides the ability to document external references related to the service.
   repeated ExternalReference external_references = 12;
@@ -759,7 +761,8 @@ message EvidenceCopyright {
 
 // Provides the ability to document evidence collected through various forms of extraction or analysis.
 message Evidence {
-  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)
+  // EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+  // There should be no license acknowledgement assigned to any of these.
   repeated LicenseChoice licenses = 1;
   // Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
   repeated EvidenceCopyright copyright = 2;

schema/bom-1.7.schema.json

@@ -704,7 +704,7 @@
         },
         "licenses": {
           "title": "BOM License(s)",
-          "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
+          "description": "The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.\nThere should be no more than one per license acknowledgement.",
           "$ref": "#/definitions/licenseChoice"
         },
         "properties": {
@@ -965,7 +965,8 @@
         },
         "licenses": {
           "$ref": "#/definitions/licenseChoice",
-          "title": "Component License(s)"
+          "title": "Component License(s)",
+          "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).\nThere should be no more than one per license acknowledgement."
         },
         "copyright": {
           "type": "string",
@@ -1968,7 +1969,8 @@
         },
         "licenses": {
           "$ref": "#/definitions/licenseChoice",
-          "title": "Service License(s)"
+          "title": "Service License(s)",
+          "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).\nThere should be no more than one per license acknowledgement."
         },
         "externalReferences": {
           "type": "array",
@@ -2242,7 +2244,8 @@
         },
         "licenses": {
           "$ref": "#/definitions/licenseChoice",
-          "title": "License Evidence"
+          "title": "License Evidence",
+          "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).\nThere should be no license acknowledgement assigned to any of these."
         },
         "copyright": {
           "type": "array",

schema/bom-1.7.xsd

@@ -243,6 +243,7 @@ limitations under the License.
                     <xs:documentation>
                         The license information for the BOM document.
                         This may be different from the license(s) of the component(s) that the BOM describes.
+                        There should be no more than one per license acknowledgement.
                     </xs:documentation>
                 </xs:annotation>
             </xs:element>
@@ -595,7 +596,14 @@ limitations under the License.
                     </xs:sequence>
                 </xs:complexType>
             </xs:element>
-            <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
+            <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>
+                        "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+                        There should be no more than one per license acknowledgement.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
             <xs:element name="copyright" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>A copyright notice informing users of the underlying claims to copyright ownership in a published work.</xs:documentation>
@@ -2214,7 +2222,14 @@ limitations under the License.
                     </xs:choice>
                 </xs:complexType>
             </xs:element>
-            <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
+            <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>
+                        "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+                        There should be no more than one per license acknowledgement.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
             <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>Provides the ability to document external references related to the service.</xs:documentation>
@@ -2701,7 +2716,14 @@ limitations under the License.
                     </xs:sequence>
                 </xs:complexType>
             </xs:element>
-            <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
+            <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>
+                        EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression).
+                        There should be no license acknowledgement assigned to any of these.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
             <xs:element name="copyright" type="bom:copyrightsType" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>