Question: What are the declared software package licenses?
The total number and specific licenses declared in a software package. This can include both software and documentation source files. This metric is an enumeration of licenses, and the number of files with that particular license declaration. For Example:
The total number and specific licenses declared is critical in several cases:
- A software package invariability carries for multiple software licenses and it is critical in the acquisition of software packages to be aware of the declared licenses for compliance reasons. Licenses Declared can provide transparency for license compliance efforts.
- Licenses can create conflicts such that not all obligations can be fulfilled across all licenses in a software package. Licenses Declared can provide transparency on potential license conflicts present in software packages.
- Time: Licenses declared in a repository can change over time as the dependencies of the repository change. One of the principle motivations for tracking license presence, aside from basic awareness, is to draw attention to any unexpected new license introduction.
- Declared and Undeclared: Separate enumeration of files that have license declarations and files that do not.
Licenses Declared can be found on any Augur risk page under the section "License Declared".
The Augur-SPDX package is implemented as an Augur Plugin, and uses this data model for storing file level license information. Specifically:
- Each
package(repository) can have a declared and an undeclared license, as determined by the scan of all the files in the repository. - Each
packagecan also have a number of different non-codedocuments, which are SPDX license declarations. - Each
filecan be associated with one or morepackages_files. Through the relationship betweenfilesandpackages_files, Augur-SPDX allows for the possibility that one file in a large collection of repositories could be part of more than one package, although in practice this seems unlikely. packagesandpackages_fileshave a one to many relationship in both directions. Essentially, this is a reinforcement of the possibility that eachfilecan be part of more than onepackage, though it is, again, typical that eachpackagewill contain manypackage_files.licensesare associated withfilesandpackages_files. Eachfilecould possibly have more than onelicensesreference, which is possible under the condition that thelicensedeclaration changed betweenAugur-SPDXscans of the repository. Eachpackageis stored in its most recent form, and eachpackages_filecan have onelicensedeclaration.