Skip to content

Latest commit

 

History

History
 
 

oss-compliance

Open Source Software Compliance

Overview

The package contains tools & processes to:

  • generate our open source Bill Of Materials
  • validate the open source licenses are in line with the permitted ones
  • [todo] validate the open source libraries are part of a

The tools ingest license information generated by language specific tools (e.g. mvn & scala) to produce a consistent report covering on all the open source libraries used.

Details about language specifics tools used as inputs:

JDK

To retrieve JDK dependencies we are using the license maven plugin:

mvn license:aggregate-download-licenses

generating an xml file containing all the relevant licenses extracted from the maven poms.

Haskell

The Haskell licensing checks are now done in ../../da-docs-daml-user-guide/licenses/extract.py

OSS Compliance in Action

The logical steps are the following:

  • generate a list of dependencies for both haskell and java (and javascript in the future)
  • for each single dependency, check:
  • any dependency whose license or package is not whitelisted is then considered non compliant

Licenses

We use a white list approach: explicitly defining which licenses are allowed.

The white listed licenses are defined in LICENSES_WHITE_LIST.csv

As you can see the file is grouped by license group (e.g. EPL, Eclipse Public License).

The license group is a logical constructor and it's only used to group similar licenses in the csv file.

Especially in the maven world, there are many variants on how a an underlying open source license is defined that makes sense to group them together.

Packages

PACKAGES_WHITE_LIST.csv is a way to filter packages created internally.

What if the check fails?

Failure due to a non white-listed dependency

Please coordinate with the SPG group to ensure the offending license is reviewed with CTO / General Counselor.

It may be a variation of an already approved license. If that's the case, once approved, it can be added to the white listed licenses.

TODO: provide a link to a list of approved licenses

How to invoke the compliance check

To invoke the oss compliance check, invoke:

make oss-compliance

This will then trigger the following:

check_oss_license.sh