There's some work with the model that needs to be done first. The DT component model closely resembles CycloneDX itself. Some of that work is related to a CycloneDX enhancement CycloneDX/specification#43

Once this enhancement is added to the spec, DT can be updated to include an attestation API and report.

AFAICT the CycloneDX specification is enhanced so this would now be possible to be implemented.

Are there currently any plans to target this to an upcoming version?

If not I might be able to do a contribution with the feature. Therefore some guidance would be needed how this should be implemented.

@theobisproject yes, this feature is now possible. However, its not currently being worked on or targeted to any milestone. PRs would be greatly appreciated and likely the quickest way to ensure the feature gets incorporated.

Thanks for the update @stevespringett. I then figure out if there can be made a PR for this.

Does this pull request also handle the topic in #2018 ?

I would be very interested to see that the licenses supplied by the package are also included in the CycloneDX export (https://cyclonedx.org/docs/1.4/json/#components_items_licenses_items_license_text_content)

@andife The pull request does not handle your linked issue. This adds a separate license only export.

@stevespringett Is there any plan to review the change?

We might be able to get this into 4.10. Thoughts @nscuro ?

Since the CycloneDX spec allows for a "licenses" attribute for each component, is there a way to include the component licenses in the BOM export? This would be really helpful instead of having to export a completely different license document.

E.g. -

{
  "version": "1.5",
  "components": [
    {
      "name": "some-software-library",
      "version": "1.0.0",
      "license": [
        "Apache-2.0"
      ]
    }
  ]
}

https://cyclonedx.org/docs/1.5/json/#components_items_licenses

Removing from 4.10 milestone as per #2963 (comment)