eclipse-score
diff --git a/‎sbom/BUILD.bazel‎
Lines changed: 0 additions & 2 deletions b/‎sbom/BUILD.bazel‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎sbom/SBOM_Readme.md‎
Lines changed: 118 additions & 104 deletions b/‎sbom/SBOM_Readme.md‎
Lines changed: 118 additions & 104 deletions
diff --git a/‎sbom/defs.bzl‎
Lines changed: 4 additions & 4 deletions b/‎sbom/defs.bzl‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎sbom/internal/generator/BUILD‎
Lines changed: 0 additions & 4 deletions b/‎sbom/internal/generator/BUILD‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎sbom/internal/generator/cyclonedx_formatter.py‎
Lines changed: 10 additions & 7 deletions b/‎sbom/internal/generator/cyclonedx_formatter.py‎
Lines changed: 10 additions & 7 deletions
@@ -14,8 +14,6 @@ package(default_visibility = ["//visibility:public"])
 exports_files([
     "defs.bzl",
     "extensions.bzl",
-    "crates_metadata.json",
-    "cpp_metadata.json",
 ])
 
 # Filegroup for all SBOM-related bzl files
 
@@ -26,7 +26,7 @@ def sbom(
         cdxgen_sbom = None,
         auto_cdxgen = False,
         cargo_lockfile = None,
-        module_lockfile = None,
+        module_lockfiles = None,
         auto_crates_cache = True,
         output_formats = ["spdx", "cyclonedx"],
         producer_name = "Eclipse Foundation",
@@ -65,8 +65,8 @@ def sbom(
         cdxgen_sbom: Optional label to CycloneDX JSON from cdxgen for C++ enrichment
         auto_cdxgen: Run cdxgen automatically when no cdxgen_sbom is provided
         cargo_lockfile: Optional Cargo.lock for crates metadata cache generation
-        module_lockfile: Optional MODULE.bazel.lock for additional crates (e.g., from score_crates)
-        auto_crates_cache: Run crates metadata cache generation when cargo_lockfile or module_lockfile is provided
+        module_lockfiles: MODULE.bazel.lock files for crate metadata extraction (e.g., from score_crates and workspace)
+        auto_crates_cache: Run crates metadata cache generation when cargo_lockfile or module_lockfiles is provided
         output_formats: List of formats to generate ("spdx", "cyclonedx")
         producer_name: SBOM producer organization name
         producer_url: SBOM producer URL
@@ -120,7 +120,7 @@ def sbom(
         cdxgen_sbom = cdxgen_sbom,
         auto_cdxgen = auto_cdxgen,
         cargo_lockfile = cargo_lockfile,
-        module_lockfile = module_lockfile,
+        module_lockfiles = module_lockfiles if module_lockfiles else [],
         auto_crates_cache = auto_crates_cache,
         output_formats = output_formats,
         producer_name = producer_name,
 
@@ -10,10 +10,6 @@ package(default_visibility = ["//sbom:__subpackages__"])
 py_binary(
     name = "sbom_generator",
     srcs = ["sbom_generator.py"],
-    data = [
-        "//sbom:cpp_metadata.json",
-        "//sbom:crates_metadata.json",
-    ],
     main = "sbom_generator.py",
     deps = [
         ":cyclonedx_formatter",
 
@@ -158,6 +158,7 @@ def _create_cdx_component(component: dict[str, Any]) -> dict[str, Any]:
     version = component.get("version", "unknown")
     purl = component.get("purl", "")
     license_id = component.get("license", "")
+    description = component.get("description", "")
     supplier = component.get("supplier", "")
     comp_type = component.get("type", "library")
     source = component.get("source", "")
@@ -177,19 +178,21 @@ def _create_cdx_component(component: dict[str, Any]) -> dict[str, Any]:
         "bom-ref": _generate_bom_ref(name, version),
     }
 
+    # Add description
+    if description:
+        cdx_comp["description"] = description
+
     # Add PURL
     if purl:
         cdx_comp["purl"] = purl
 
     # Add license
     if license_id:
-        cdx_comp["licenses"] = [
-            {
-                "license": {
-                    "id": license_id,
-                }
-            }
-        ]
+        if " AND " in license_id or " OR " in license_id:
+            # Compound SPDX expression must use "expression", not "license.id"
+            cdx_comp["licenses"] = [{"expression": license_id}]
+        else:
+            cdx_comp["licenses"] = [{"license": {"id": license_id}}]
 
     # Add supplier
     if supplier: