Per Dependency License Compliance
Problem to solve
I know that the following is a use case: Manually acknowledging the correctness of a license of a reported dependency. Just because some tool reports that a dependency has the license MIT, doesn't mean that the code is licensed under that license. In the Node world, examples would be:
- `package.json` reports `MIT` and a `LICENSE.md` in the repo says `APACHE-2.0` (see e.g.: https://github.com/BerkeleyTrue/warning/issues/8)
- `package.json` reports `MIT and GPL-3.0-or-later` (adhere both) while the `LICENSE.md` file actually says: Choose one (`MIT OR GPL-3.0-or-later`)
- `package.json` reports `MIT`, but there are actually files in the repository which have a different license header, e.g. `GPL-3.0-or-later`
I already had to solve the problem and did it basically by adding a `license-report.yml` to the repository. I then created a CI job that would fail every time the version of a reported dependency changed or a new dependency was added. If that happened, I ran a small tool which assisted me in approving the new dependencies.
Proposal
It would be good to have dependency management on a group level to approve new dependencies and their licenses, so that you don't have to repeat this tedious process for each project.
[Mockup images: MR Widget Mockup | Approval Wizard Modal]
How a dependency report could look when returned from the API (rough draft). Most fields map to fields in SPDX. It would be great to generate SPDX reports. SPDX also provides a framework for identifying licenses uniquely and even for defining your own licenses.
```yaml
name: react
version: 0.14.0
homepageUrl: https://reactjs.org/
sourceUrl: https://github.com/facebook/react
packageManager: npm
packageManagerUrl: http://npmjs.com/package/react
downloadUrl: https://registry.npmjs.org/react/-/react-0.14.0.tgz
checksum: 72e7c69233b082e37e1bbd3674a943db72d8f407
declaredLicense: http://spdx.org/licenses/BSD-2-Clause
declaredLicenseSource:
  - package.json
  - License.md
concludedLicense: http://spdx.org/licenses/BSD-2-Clause
concludedBy: '@leipert'
concludedOn: '2018-07-03'
comment: 'They seem to have a typo in the License.md'
```
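As an added example (not part of this proposal and not GitLab's code), here is the kind of CI gate described above in Python: it compares what a license scanner reports against a per-dependency approval list shaped like the draft report, and fails on new dependencies, on version changes, and when the declared license differs from the one the approval was made against. All entries except `react` are constructed samples.

```python
"""CI approval gate for per-dependency license compliance (constructed example)."""
import sys

# Approved entries, in the shape of the draft report (constructed sample data).
APPROVALS = [
    {"name": "react", "version": "0.14.0", "declaredLicense": "BSD-2-Clause",
     "concludedLicense": "BSD-2-Clause", "concludedBy": "@leipert", "concludedOn": "2018-07-03"},
    {"name": "warning", "version": "3.0.0", "declaredLicense": "MIT",
     "concludedLicense": "Apache-2.0", "concludedBy": "@leipert", "concludedOn": "2018-07-03"},
]

# What a license scanner reports for the current lockfile (constructed sample data).
SCANNED = [
    {"name": "react", "version": "0.14.0", "declaredLicense": "BSD-2-Clause"},
    {"name": "warning", "version": "3.0.1", "declaredLicense": "MIT"},     # version bumped
    {"name": "left-pad", "version": "1.3.0", "declaredLicense": "WTFPL"},  # never approved
]


def audit(scanned, approvals):
    """Return (name, reason) findings; an empty list means every dependency is approved."""
    approved = {(a["name"], a["version"]): a for a in approvals}
    findings = []
    for dep in scanned:
        entry = approved.get((dep["name"], dep["version"]))
        if entry is None:
            # Distinguish a bumped version of a known package from a brand-new package.
            known = any(a["name"] == dep["name"] for a in approvals)
            reason = "version changed" if known else "new dependency"
            findings.append((dep["name"], f"{reason}: {dep['version']} needs approval"))
            continue
        # An approval only covers the declared license it was concluded against;
        # if the package's metadata now claims something else, a human must re-check.
        if entry["declaredLicense"] != dep["declaredLicense"]:
            findings.append((dep["name"], "declared license changed since approval"))
    return findings


def ci_exit_code(scanned, approvals):
    """Non-zero exit fails the pipeline, which is the signal to run the approval tool."""
    return 1 if audit(scanned, approvals) else 0


if __name__ == "__main__":
    for name, reason in audit(SCANNED, APPROVALS):
        print(f"{name}: {reason}")
    sys.exit(ci_exit_code(SCANNED, APPROVALS))
```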
What does success look like, and how can we measure that?
TODO: (If no way to measure success, link to an issue that will implement a way to measure this)