chore(licenses):SP-4223 add is_spdx_approved and url fields to licenses/components and licenses/component responses

Author: agustingroh

CHANGELOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `error_message` and `error_code` fields to `ComponentLicenseInfo` message in license responses for error handling at the individual component level
 - Added error response example to license API README.md documentation
 - Added `component_url` field to `ComponentLicenseInfo` message providing a URL linking to the component's source or repository page
+- Added `is_spdx_approved` and `url` fields to `LicenseInfo` message indicating SPDX approval status and linking to the license reference page
 
 ## [0.33.0] - 2026-03-26
 ### Added

api/licensesv2/scanoss-licenses.pb.go

@@ -24,7 +24,11 @@ The method returns license information in two complementary formats:
 
 The response includes these fields:
 - `purl` field: the requested component
-- `licenses` array: Always contains individual license objects found in the component
+- `licenses` array: Always contains individual license objects found in the component. Each license object includes:
+  - `id`: SPDX identifier or licenseRef
+  - `full_name`: Human-readable license name
+  - `is_spdx_approved`: Whether the license is approved by the SPDX License List
+  - `url`: URL to the license text or reference page
 - `statement` field: Contains SPDX expression when licensing terms are clearly determinable from source analysis
 - `version` field: Shows the specific version that was analyzed  
 - `component_url` field: URL linking to the component's source or repository page
@@ -53,11 +57,15 @@ This allows consumers to understand all licensing obligations present in the com
     "licenses": [
       {
         "id": "LGPL-2.1-or-later",
-        "full_name": "GNU Lesser General Public License v2.1 or later"
+        "full_name": "GNU Lesser General Public License v2.1 or later",
+        "is_spdx_approved": true,
+        "url": "https://spdx.org/licenses/LGPL-2.1-or-later.html"
       },
       {
         "id": "GPL-2.0-or-later",
-        "full_name": "GNU General Public License v2.0 or later"
+        "full_name": "GNU General Public License v2.0 or later",
+        "is_spdx_approved": true,
+        "url": "https://spdx.org/licenses/GPL-2.0-or-later.html"
       }
     ]
   },
@@ -89,8 +97,8 @@ Individual license objects are also provided for detailed analysis.
     "version": "1.5.0",
     "statement": "EPL-1.0 OR LGPL-2.1-only",
     "licenses": [
-      {"id": "EPL-1.0", "full_name": "Eclipse Public License 1.0"},
-      {"id": "LGPL-2.1-only", "full_name": "GNU Lesser General Public License v2.1 only"}
+      {"id": "EPL-1.0", "full_name": "Eclipse Public License 1.0", "is_spdx_approved": true, "url": "https://spdx.org/licenses/EPL-1.0.html"},
+      {"id": "LGPL-2.1-only", "full_name": "GNU Lesser General Public License v2.1 only", "is_spdx_approved": true, "url": "https://spdx.org/licenses/LGPL-2.1-only.html"}
     ]
   },
   "status": {
@@ -118,8 +126,8 @@ This indicates users must comply with both licenses, generating the SPDX express
     "version": "1.1.1n",
     "statement": "OpenSSL AND SSLeay",
     "licenses": [
-      {"id": "OpenSSL", "full_name": "OpenSSL License"},
-      {"id": "SSLeay", "full_name": "Original SSLeay License"}
+      {"id": "OpenSSL", "full_name": "OpenSSL License", "is_spdx_approved": false, "url": "https://www.openssl.org/source/license-openssl-ssleay.txt"},
+      {"id": "SSLeay", "full_name": "Original SSLeay License", "is_spdx_approved": false, "url": "https://www.openssl.org/source/license-openssl-ssleay.txt"}
     ]
   },
   "status": {

protobuf/scanoss/api/licenses/v2/README.md

@@ -128,8 +128,8 @@ service License {
 message ComponentLicenseResponse {
   option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
     json_schema: {
-      example: "{\"component\":{\"purl\": \"pkg:github/scanoss/engine@1.0.0\", \"requirement\": \"\", \"version\": \"1.0.0\", \"statement\": \"GPL-2.0\", \"licenses\": [{\"id\": \"GPL-2.0\", \"full_name\": \"GNU General Public License v2.0 only\"}]}, \"status\": {\"status\": \"SUCCESS\", \"message\": \"Licenses Successfully retrieved\"}}";
-      description: "Success example. For error cases, the component block includes error_message and error_code fields, e.g.: {\\\"component\\\":{\\\"purl\\\":\\\"pkg:github/scanoss/unknown-component\\\",\\\"requirement\\\":\\\"\\\",\\\"version\\\":\\\"\\\",\\\"statement\\\":\\\"\\\",\\\"licenses\\\":[],\\\"error_message\\\":\\\"Component version not found\\\",\\\"error_code\\\":\\\"VERSION_NOT_FOUND\\\"},\\\"status\\\":{\\\"status\\\":\\\"SUCCESS\\\",\\\"message\\\":\\\"Success\\\"}}";
+      example: "{\"component\":{\"purl\": \"pkg:github/scanoss/engine@1.0.0\", \"requirement\": \"\", \"version\": \"1.0.0\", \"statement\": \"GPL-2.0\", \"licenses\": [{\"id\": \"GPL-2.0\", \"full_name\": \"GNU General Public License v2.0 only\", \"is_spdx_approved\": true, \"url\": \"https://spdx.org/licenses/GPL-2.0-only.html\"}], \"component_url\": \"https://github.com/scanoss/engine\"}, \"status\": {\"status\": \"SUCCESS\", \"message\": \"Licenses Successfully retrieved\"}}";
+      description: "Success example. For error cases, the component block includes error_message and error_code fields, e.g.: {\\\"component\\\":{\\\"purl\\\":\\\"pkg:github/scanoss/unknown-component\\\",\\\"requirement\\\":\\\"\\\",\\\"version\\\":\\\"\\\",\\\"statement\\\":\\\"\\\",\\\"licenses\\\":[],\\\"component_url\\\":\\\"\\\",\\\"error_message\\\":\\\"Component version not found\\\",\\\"error_code\\\":\\\"VERSION_NOT_FOUND\\\"},\\\"status\\\":{\\\"status\\\":\\\"SUCCESS\\\",\\\"message\\\":\\\"Success\\\"}}";
     }
   };
   // License info for the component
@@ -146,8 +146,8 @@ message ComponentLicenseResponse {
 message ComponentsLicenseResponse {
   option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
     json_schema: {
-      example: "{\"components\":[{\"purl\": \"pkg:github/scanoss/engine@1.0.0\", \"requirement\": \"\", \"version\": \"1.0.0\", \"statement\": \"GPL-2.0\", \"licenses\": [{\"id\": \"GPL-2.0\", \"full_name\": \"GNU General Public License v2.0 only\"}]}, {\"purl\": \"pkg:github/scanoss/scanoss.py@v1.30.0\",\"requirement\": \"\",\"version\": \"v1.30.0\",\"statement\": \"MIT\", \"licenses\": [{\"id\": \"MIT\",\"full_name\": \"MIT License\"}]}  ], \"status\": {\"status\": \"SUCCESS\", \"message\": \"Licenses Successfully retrieved\"}}";
-      description: "Success example. For error cases, the component block includes error_message and error_code fields, e.g.: {\\\"components\\\":[{\\\"purl\\\":\\\"pkg:github/scanoss/unknown-component\\\",\\\"requirement\\\":\\\"\\\",\\\"version\\\":\\\"\\\",\\\"statement\\\":\\\"\\\",\\\"licenses\\\":[],\\\"error_message\\\":\\\"Component version not found\\\",\\\"error_code\\\":\\\"VERSION_NOT_FOUND\\\"}],\\\"status\\\":{\\\"status\\\":\\\"SUCCESS\\\",\\\"message\\\":\\\"Success\\\"}}";
+      example: "{\"components\":[{\"purl\": \"pkg:github/scanoss/engine@1.0.0\", \"requirement\": \"\", \"version\": \"1.0.0\", \"statement\": \"GPL-2.0\", \"licenses\": [{\"id\": \"GPL-2.0\", \"full_name\": \"GNU General Public License v2.0 only\", \"is_spdx_approved\": true, \"url\": \"https://spdx.org/licenses/GPL-2.0-only.html\"}], \"component_url\": \"https://github.com/scanoss/engine\"}, {\"purl\": \"pkg:github/scanoss/scanoss.py@v1.30.0\",\"requirement\": \"\",\"version\": \"v1.30.0\",\"statement\": \"MIT\", \"licenses\": [{\"id\": \"MIT\",\"full_name\": \"MIT License\", \"is_spdx_approved\": true, \"url\": \"https://spdx.org/licenses/MIT.html\"}], \"component_url\": \"https://github.com/scanoss/scanoss.py\"}], \"status\": {\"status\": \"SUCCESS\", \"message\": \"Licenses Successfully retrieved\"}}";
+      description: "Success example. For error cases, the component block includes error_message and error_code fields, e.g.: {\\\"components\\\":[{\\\"purl\\\":\\\"pkg:github/scanoss/unknown-component\\\",\\\"requirement\\\":\\\"\\\",\\\"version\\\":\\\"\\\",\\\"statement\\\":\\\"\\\",\\\"licenses\\\":[],\\\"component_url\\\":\\\"\\\",\\\"error_message\\\":\\\"Component version not found\\\",\\\"error_code\\\":\\\"VERSION_NOT_FOUND\\\"}],\\\"status\\\":{\\\"status\\\":\\\"SUCCESS\\\",\\\"message\\\":\\\"Success\\\"}}";
     }
   };
   // License info for each component in the batch
@@ -311,7 +311,7 @@ message OSADL {
 message LicenseInfo {
   option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
     json_schema: {
-      example: "{\"id\": \"GPL-2.0\", \"full_name\": \"GNU General Public License v2.0 only\"}"
+      example: "{\"id\": \"GPL-2.0\", \"full_name\": \"GNU General Public License v2.0 only\", \"is_spdx_approved\": true, \"url\": \"https://spdx.org/licenses/GPL-2.0-only.html\"}"
     }
   };
 
@@ -324,6 +324,11 @@ message LicenseInfo {
   // - For SPDX licenses: Official SPDX name (e.g., "MIT License", "GNU General Public License v2.0 only")
   // - For non SPDX licenses: Best normalized name from SCANOSS database or original statement
   string full_name = 2 [json_name = "full_name"];
+
+  // Indicates whether the license is approved by the SPDX License List
+  bool is_spdx_approved = 3 [json_name = "is_spdx_approved"];
+  // URL to the license text or reference page (e.g., SPDX license page or original license source)
+  string url = 4;
 }
 
 /*