Skip to content

Latest commit

 

History

History
39 lines (26 loc) · 3.11 KB

license-declared.md

File metadata and controls

39 lines (26 loc) · 3.11 KB
Raw

License Declared

Question: What are the declared software package licenses?

Description

The total number and specific licenses declared in a software package. This can include both software and documentation source files. This metric is an enumeration of licenses, and the number of files with that particular license declaration. For Example:

License types with number of files

Objectives

The total number and specific licenses declared is critical in several cases:

  1. A software package invariability carries for multiple software licenses and it is critical in the acquisition of software packages to be aware of the declared licenses for compliance reasons. Licenses Declared can provide transparency for license compliance efforts.
  2. Licenses can create conflicts such that not all obligations can be fulfilled across all licenses in a software package. Licenses Declared can provide transparency on potential license conflicts present in software packages.

Implementation

Filters

  • Time: Licenses declared in a repository can change over time as the dependencies of the repository change. One of the principle motivations for tracking license presence, aside from basic awareness, is to draw attention to any unexpected new license introduction.
  • Declared and Undeclared: Separate enumeration of files that have license declarations and files that do not.

Tools Providing the Metric

  1. Augur

Licenses Declared can be found on any Augur risk page under the section "License Declared".

  1. Augur-SPDX

The Augur-SPDX package is implemented as an Augur Plugin, and uses this data model for storing file level license information. Specifically:

  • Each package (repository) can have a declared and an undeclared license, as determined by the scan of all the files in the repository.
  • Each package can also have a number of different non-code documents, which are SPDX license declarations.
  • Each file can be associated with one or more packages_files. Through the relationship between files and packages_files, Augur-SPDX allows for the possibility that one file in a large collection of repositories could be part of more than one package, although in practice this seems unlikely.
  • packages and packages_files have a one to many relationship in both directions. Essentially, this is a reinforcement of the possibility that each file can be part of more than one package, though it is, again, typical that each package will contain many package_files.
  • licenses are associated with files and packages_files. Each file could possibly have more than one licenses reference, which is possible under the condition that the license declaration changed between Augur-SPDX scans of the repository. Each package is stored in its most recent form, and each packages_file can have one license declaration.

References