stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Refactor code structure and optimize performance across multiple modules

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-26 20:03:22 +02:00
parent c786faae84
commit b4fc66feb6
3353 changed files with 88254 additions and 1590657 deletions
Download Patch File Download Diff File Expand all files Collapse all files

303
docs/legal/LICENSE-COMPATIBILITY.md Normal file
View File

@@ -0,0 +1,303 @@
# License Compatibility Analysis
**Document Version:** 1.0.0
**Last Updated:** 2025-12-26
**StellaOps License:** AGPL-3.0-or-later
This document analyzes the compatibility of third-party licenses with StellaOps' AGPL-3.0-or-later license.
---
## 1. AGPL-3.0-or-later Overview
The GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later) is a strong copyleft license that:
1. **Requires** source code disclosure for modifications
2. **Requires** network use disclosure (Section 13) - users interacting over a network must be able to receive the source code
3. **Allows** linking with permissively-licensed code (MIT, Apache-2.0, BSD)
4. **Prohibits** linking with incompatibly-licensed code (GPL-2.0-only, proprietary)
### Key Compatibility Principle
> Code licensed under permissive licenses (MIT, Apache-2.0, BSD, ISC) can be incorporated into AGPL projects. The combined work is distributed under AGPL terms.
---
## 2. License Compatibility Matrix
### 2.1 Fully Compatible (Inbound)
These licenses are fully compatible with AGPL-3.0-or-later. Code under these licenses can be incorporated into StellaOps.
| License | SPDX | Compatibility | Rationale |
|---------|------|---------------|-----------|
| MIT | MIT | **Yes** | Permissive, no copyleft restrictions |
| Apache-2.0 | Apache-2.0 | **Yes** | Permissive, patent grant included |
| BSD-2-Clause | BSD-2-Clause | **Yes** | Permissive, minimal restrictions |
| BSD-3-Clause | BSD-3-Clause | **Yes** | Permissive, no-endorsement clause only |
| ISC | ISC | **Yes** | Functionally equivalent to MIT |
| 0BSD | 0BSD | **Yes** | Public domain equivalent |
| CC0-1.0 | CC0-1.0 | **Yes** | Public domain dedication |
| Unlicense | Unlicense | **Yes** | Public domain dedication |
| PostgreSQL | PostgreSQL | **Yes** | Permissive, similar to MIT/BSD |
| Zlib | Zlib | **Yes** | Permissive |
| WTFPL | WTFPL | **Yes** | Do what you want |
### 2.2 Compatible with Conditions
| License | SPDX | Compatibility | Conditions |
|---------|------|---------------|------------|
| LGPL-2.1-or-later | LGPL-2.1-or-later | **Yes** | Must allow relinking |
| LGPL-3.0-or-later | LGPL-3.0-or-later | **Yes** | Must allow relinking |
| MPL-2.0 | MPL-2.0 | **Yes** | File-level copyleft; MPL code must remain in separate files |
| GPL-3.0-or-later | GPL-3.0-or-later | **Yes** | Combined work is AGPL-3.0+ |
| AGPL-3.0-or-later | AGPL-3.0-or-later | **Yes** | Same license |
### 2.3 Incompatible
These licenses are **NOT** compatible with AGPL-3.0-or-later:
| License | SPDX | Issue |
|---------|------|-------|
| GPL-2.0-only | GPL-2.0-only | Version lock conflicts with AGPL-3.0 |
| SSPL-1.0 | SSPL-1.0 | Additional restrictions |
| Proprietary | LicenseRef-Proprietary | No redistribution rights |
| Commons Clause | LicenseRef-Commons-Clause | Commercial use restrictions |
| BUSL-1.1 | BUSL-1.1 | Production use restrictions |
---
## 3. Distribution Models
### 3.1 Source Distribution (AGPL Compliant)
When distributing StellaOps source code:
```
StellaOps (AGPL-3.0-or-later)
├── StellaOps code (AGPL-3.0-or-later)
├── MIT-licensed deps (retain copyright notices)
├── Apache-2.0 deps (retain NOTICE files)
└── BSD deps (retain copyright notices)
```
**Requirements:**
- Include full AGPL-3.0-or-later license text
- Preserve all third-party copyright notices
- Preserve all NOTICE files from Apache-2.0 dependencies
- Provide complete corresponding source
### 3.2 Binary Distribution (AGPL Compliant)
When distributing StellaOps binaries (containers, packages):
```
StellaOps Binary
├── LICENSE (AGPL-3.0-or-later)
├── NOTICE.md (all attributions)
├── third-party-licenses/ (full license texts)
└── Source availability: git.stella-ops.org
```
**Requirements:**
- Include AGPL-3.0-or-later license
- Include NOTICE file with all attributions
- Provide mechanism to obtain source code
- For network services: provide source access per Section 13
### 3.3 Network Service (Section 13)
StellaOps is primarily deployed as network services. AGPL Section 13 requires:
> If you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network [...] an opportunity to receive the Corresponding Source of your version.
**StellaOps Compliance:**
- Source code is available at `https://git.stella-ops.org`
- Web UI includes "Source" link in footer/about page
- API responses include `X-Source-URL` header option
- Documentation includes source availability notice
### 3.4 Aggregation (Not Derivation)
The following are considered **aggregation**, not derivation:
| Scenario | Classification | AGPL Impact |
|----------|---------------|-------------|
| PostgreSQL database | Aggregation | PostgreSQL stays PostgreSQL-licensed |
| RabbitMQ message broker | Aggregation | RabbitMQ stays MPL-2.0 |
| Docker containers | Aggregation | Base image licenses unaffected |
| Kubernetes orchestration | Aggregation | K8s stays Apache-2.0 |
| Hardware (HSM) | Interface only | HSM license unaffected |
**Rationale:** These components communicate via network protocols, APIs, or standard interfaces. They are not linked into StellaOps binaries.
---
## 4. Specific Dependency Analysis
### 4.1 BouncyCastle Cryptography (MIT)
| Aspect | Status |
|--------|--------|
| License | MIT |
| Compatibility | Full |
| Usage | Linked into binaries |
| Requirement | Include copyright notice in NOTICE.md |
### 4.2 Npgsql/PostgreSQL (PostgreSQL License)
| Aspect | Status |
|--------|--------|
| License | PostgreSQL (permissive) |
| Compatibility | Full |
| Usage | NuGet package (linked) |
| Requirement | Include copyright notice in NOTICE.md |
### 4.3 Polly (BSD-3-Clause)
| Aspect | Status |
|--------|--------|
| License | BSD-3-Clause |
| Compatibility | Full |
| Usage | NuGet package (linked) |
| Requirement | Include copyright notice; no endorsement claims |
### 4.4 RxJS (Apache-2.0)
| Aspect | Status |
|--------|--------|
| License | Apache-2.0 |
| Compatibility | Full |
| Usage | npm package (bundled in frontend) |
| Requirement | Preserve NOTICE file |
### 4.5 CryptoPro CSP (Commercial)
| Aspect | Status |
|--------|--------|
| License | Commercial (LicenseRef-CryptoPro) |
| Compatibility | N/A - Not distributed |
| Usage | PKCS#11 interface only |
| Requirement | Customer obtains own license |
**Analysis:** StellaOps provides only the integration code (AGPL-3.0-or-later). CryptoPro CSP binaries are never distributed by StellaOps. This is a clean separation:
```
StellaOps Ships:
├── PKCS#11 interface code (AGPL-3.0-or-later)
├── Configuration documentation
└── Integration tests (mock only)
Customer Provides:
├── CryptoPro CSP license
├── CryptoPro CSP binaries
└── Hardware tokens (optional)
```
### 4.6 AlexMAS.GostCryptography (MIT)
| Aspect | Status |
|--------|--------|
| License | MIT |
| Compatibility | Full |
| Usage | Source vendored |
| Requirement | Include copyright notice; license file preserved |
**Analysis:** The fork is MIT-licensed and compatible with AGPL-3.0-or-later. The combined work (StellaOps + fork) is distributed under AGPL-3.0-or-later terms.
### 4.7 axe-core/Playwright (@axe-core/playwright - MPL-2.0)
| Aspect | Status |
|--------|--------|
| License | MPL-2.0 |
| Compatibility | Yes (with conditions) |
| Usage | Dev dependency only |
| Requirement | MPL files stay in separate files |
**Analysis:** MPL-2.0 is file-level copyleft. Since this is a dev dependency used only for accessibility testing (not distributed in production), there are no special requirements for end-user distribution.
---
## 5. Outbound Licensing
### 5.1 StellaOps Core
All StellaOps-authored code is licensed under AGPL-3.0-or-later:
```
SPDX-License-Identifier: AGPL-3.0-or-later
Copyright (C) 2025 stella-ops.org
```
### 5.2 Documentation
Documentation is licensed under:
- Code examples: AGPL-3.0-or-later (same as source)
- Prose content: CC-BY-4.0 (where specified)
- API specifications: AGPL-3.0-or-later
### 5.3 Configuration Samples
Sample configuration files (`etc/*.yaml.sample`) are:
- Licensed under: AGPL-3.0-or-later
- Derived configurations by users: User's choice (no copyleft propagation for configuration)
---
## 6. Compliance Checklist
### 6.1 For StellaOps Maintainers
- [ ] All new dependencies checked against allowlist
- [ ] NOTICE.md updated for new MIT/Apache-2.0/BSD dependencies
- [ ] third-party-licenses/ includes texts for vendored code
- [ ] No GPL-2.0-only or incompatible licenses introduced
- [ ] Source remains available at documented URL
### 6.2 For StellaOps Operators (Self-Hosted)
- [ ] Source code available to network users (link in UI/docs)
- [ ] Modifications (if any) made available under AGPL-3.0-or-later
- [ ] Commercial components (CryptoPro, HSM) separately licensed
- [ ] NOTICE file preserved in deployment
### 6.3 For Contributors
- [ ] New code contributed under AGPL-3.0-or-later
- [ ] No proprietary code introduced
- [ ] Third-party code properly attributed
- [ ] License headers in new files
---
## 7. FAQ
### Q: Can I use StellaOps commercially?
**A:** Yes. AGPL-3.0-or-later permits commercial use. You must provide source code access to users interacting with your deployment over a network.
### Q: Can I modify StellaOps for internal use?
**A:** Yes. If modifications are internal only (not exposed to network users), no disclosure required.
### Q: Does using StellaOps make my data AGPL-licensed?
**A:** No. AGPL applies to software, not data processed by the software. Your SBOMs, vulnerability data, and configurations remain yours.
### Q: Can I integrate StellaOps with proprietary systems?
**A:** Yes, via API/network interfaces. This is aggregation, not derivation. Your proprietary systems retain their licenses.
### Q: Do I need to disclose my CryptoPro CSP license?
**A:** CryptoPro CSP is customer-provided. StellaOps only ships integration code. Your CSP license is between you and CryptoPro.
---
## 8. References
- [GNU AGPL-3.0 FAQ](https://www.gnu.org/licenses/gpl-faq.html)
- [FSF License Compatibility](https://www.gnu.org/licenses/license-list.html)
- [SPDX License List](https://spdx.org/licenses/)
- [Apache-2.0/GPL Compatibility](https://www.apache.org/licenses/GPL-compatibility.html)
- [REUSE Best Practices](https://reuse.software/tutorial/)
---
*Document maintained by: Legal + Security Guild*
*Last review: 2025-12-26*

434
docs/legal/THIRD-PARTY-DEPENDENCIES.md Normal file
View File

@@ -0,0 +1,434 @@
# Third-Party Dependencies
**Document Version:** 1.0.0
**Last Updated:** 2025-12-26
**SPDX License Identifier:** AGPL-3.0-or-later (StellaOps)
This document provides a comprehensive inventory of all third-party dependencies used in StellaOps, their licenses, and AGPL-3.0-or-later compatibility status.
---
## Summary
| Category | Count | License Types |
|----------|-------|---------------|
| Vendored/Bundled | 4 | MIT, Commercial |
| NuGet (Runtime) | ~100+ | MIT, Apache-2.0, BSD-3-Clause, PostgreSQL |
| NuGet (Dev/Test) | ~50+ | MIT, Apache-2.0 |
| npm (Runtime) | ~15 | MIT, Apache-2.0, ISC, 0BSD |
| npm (Dev) | ~30+ | MIT, Apache-2.0 |
| Infrastructure | 6 | PostgreSQL, MPL-2.0, BSD-3-Clause, Apache-2.0 |
### License Compatibility with AGPL-3.0-or-later
| License | SPDX | Compatible | Notes |
|---------|------|------------|-------|
| MIT | MIT | Yes | Permissive, no restrictions |
| Apache-2.0 | Apache-2.0 | Yes | Permissive, patent grant |
| BSD-2-Clause | BSD-2-Clause | Yes | Permissive |
| BSD-3-Clause | BSD-3-Clause | Yes | Permissive |
| ISC | ISC | Yes | Functionally equivalent to MIT |
| 0BSD | 0BSD | Yes | Public domain equivalent |
| PostgreSQL | PostgreSQL | Yes | Permissive, similar to MIT/BSD |
| MPL-2.0 | MPL-2.0 | Yes | File-level copyleft, compatible via aggregation |
| LGPL-2.1+ | LGPL-2.1-or-later | Yes | Library linking allowed |
| Commercial | LicenseRef-* | N/A | Customer-provided, not distributed |
---
## 1. Vendored/Bundled Components
Components included directly in the StellaOps source tree.
| Component | Version | License | SPDX | Location | Notes |
|-----------|---------|---------|------|----------|-------|
| tree-sitter | - | MIT | MIT | Native bindings | Parser generator for reachability analysis |
| tree-sitter-ruby | - | MIT | MIT | Native bindings | Ruby language parser |
| AlexMAS.GostCryptography | fork | MIT | MIT | `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/` | GOST R 34.10/34.11 implementation |
| CryptoPro CSP | N/A | Commercial | LicenseRef-CryptoPro | Integration only | **Not distributed**; customer-provided |
### License Files
Full license texts are available in `/third-party-licenses/`:
- `tree-sitter-MIT.txt`
- `tree-sitter-ruby-MIT.txt`
- `AlexMAS.GostCryptography-MIT.txt`
---
## 2. NuGet Dependencies (Runtime)
Primary runtime dependencies for .NET 10 modules. Extracted via `dotnet list package --include-transitive`.
### 2.1 Core Framework & ASP.NET
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Microsoft.AspNetCore.* | 10.0.x | MIT | MIT | Yes |
| Microsoft.EntityFrameworkCore | 10.0.0 | MIT | MIT | Yes |
| Microsoft.EntityFrameworkCore.Relational | 10.0.0 | MIT | MIT | Yes |
| Microsoft.Extensions.* | 10.0.x | MIT | MIT | Yes |
| Microsoft.IdentityModel.* | 8.x | MIT | MIT | Yes |
| System.IdentityModel.Tokens.Jwt | 8.0.1 | MIT | MIT | Yes |
### 2.2 Serialization & Data
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Newtonsoft.Json | 13.0.3 | MIT | MIT | Yes |
| YamlDotNet | 16.3.0 | MIT | MIT | Yes |
| protobuf-net | 3.2.45 | Apache-2.0 | Apache-2.0 | Yes |
| Google.Protobuf | 3.31.1 | BSD-3-Clause | BSD-3-Clause | Yes |
| Json.More.Net | 2.1.1 | MIT | MIT | Yes |
| JsonPointer.Net | 5.3.1 | MIT | MIT | Yes |
| JsonSchema.Net | 7.3.4 | MIT | MIT | Yes |
| AngleSharp | 1.2.0 | MIT | MIT | Yes |
### 2.3 Database & Caching
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Npgsql | 10.0.0 | PostgreSQL | PostgreSQL | Yes |
| Npgsql.EntityFrameworkCore.PostgreSQL | 10.0.0 | PostgreSQL | PostgreSQL | Yes |
| Dapper | 2.1.35 | Apache-2.0 | Apache-2.0 | Yes |
| StackExchange.Redis | 2.8.37 | MIT | MIT | Yes |
### 2.4 Cryptography & Security
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| BouncyCastle.Cryptography | 2.6.2 | MIT | MIT | Yes |
| Pkcs11Interop | 5.1.2 | Apache-2.0 | Apache-2.0 | Yes |
| Blake3 | 1.1.0 | Apache-2.0 OR CC0-1.0 | Apache-2.0 | Yes |
| System.Security.Cryptography.Pkcs | 7.0.2 | MIT | MIT | Yes |
| System.Security.Cryptography.ProtectedData | 9.0.0 | MIT | MIT | Yes |
### 2.5 Cloud Providers
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| AWSSDK.Core | 4.0.1.3 | Apache-2.0 | Apache-2.0 | Yes |
| AWSSDK.S3 | 4.0.6 | Apache-2.0 | Apache-2.0 | Yes |
| AWSSDK.KeyManagementService | 4.0.6 | Apache-2.0 | Apache-2.0 | Yes |
| Google.Cloud.Kms.V1 | 3.19.0 | Apache-2.0 | Apache-2.0 | Yes |
| Google.Api.Gax | 4.11.0 | Apache-2.0 | Apache-2.0 | Yes |
### 2.6 gRPC & Networking
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Grpc.Net.Client | 2.71.0 | Apache-2.0 | Apache-2.0 | Yes |
| Grpc.Core.Api | 2.71.0 | Apache-2.0 | Apache-2.0 | Yes |
| Grpc.Auth | 2.71.0 | Apache-2.0 | Apache-2.0 | Yes |
### 2.7 Observability & Logging
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Serilog | 3.1.1 | Apache-2.0 | Apache-2.0 | Yes |
| Serilog.AspNetCore | 8.0.1 | Apache-2.0 | Apache-2.0 | Yes |
| Serilog.Extensions.Hosting | 8.0.0 | Apache-2.0 | Apache-2.0 | Yes |
| Serilog.Sinks.Console | 5.0.1 | Apache-2.0 | Apache-2.0 | Yes |
| Serilog.Sinks.File | 5.0.0 | Apache-2.0 | Apache-2.0 | Yes |
### 2.8 SBOM & Security Scanning
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| CycloneDX.Core | 10.0.2 | Apache-2.0 | Apache-2.0 | Yes |
| NuGet.Versioning | 6.13.2 | Apache-2.0 | Apache-2.0 | Yes |
| Semver | 2.3.0 | MIT | MIT | Yes |
### 2.9 Code Analysis & Build
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Microsoft.CodeAnalysis.Common | 4.14.0 | MIT | MIT | Yes |
| Microsoft.CodeAnalysis.CSharp | 4.14.0 | MIT | MIT | Yes |
| Microsoft.CodeAnalysis.Workspaces.MSBuild | 4.14.0 | MIT | MIT | Yes |
| Microsoft.Build | 17.7.2 | MIT | MIT | Yes |
| Microsoft.Build.Locator | 1.10.2 | MIT | MIT | Yes |
### 2.10 Binary Analysis
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Iced | 1.21.0 | MIT | MIT | Yes |
| Gee.External.Capstone | 2.3.0 | BSD-3-Clause | BSD-3-Clause | Yes |
| PdfPig | 0.1.12 | Apache-2.0 | Apache-2.0 | Yes |
### 2.11 Compression & Archives
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| SharpCompress | 0.41.0 | MIT | MIT | Yes |
| ZstdSharp.Port | 0.8.6 | MIT | MIT | Yes |
### 2.12 Authentication & Authorization
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Microsoft.AspNetCore.Authentication.JwtBearer | 10.0.0 | MIT | MIT | Yes |
| OpenIddict.Abstractions | 6.4.0 | Apache-2.0 | Apache-2.0 | Yes |
### 2.13 Resilience & Scheduling
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Polly.Core | 8.4.2 | BSD-3-Clause | BSD-3-Clause | Yes |
| Polly.Extensions | 8.4.2 | BSD-3-Clause | BSD-3-Clause | Yes |
| Cronos | 0.9.0 | MIT | MIT | Yes |
### 2.14 Utilities
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Humanizer.Core | 2.14.1 | MIT | MIT | Yes |
| System.CommandLine | 2.0.0-beta5 | MIT | MIT | Yes |
| NetEscapades.Configuration.Yaml | 3.1.0 | MIT | MIT | Yes |
| Pipelines.Sockets.Unofficial | 2.2.8 | MIT | MIT | Yes |
---
## 3. NuGet Dependencies (Development/Test)
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| xunit | 2.x | Apache-2.0 | Apache-2.0 | Yes |
| xunit.runner.visualstudio | 2.x | Apache-2.0 | Apache-2.0 | Yes |
| Moq | 4.x | BSD-3-Clause | BSD-3-Clause | Yes |
| FluentAssertions | 6.x | Apache-2.0 | Apache-2.0 | Yes |
| Microsoft.AspNetCore.Mvc.Testing | 10.0.x | MIT | MIT | Yes |
| Testcontainers | 3.x | MIT | MIT | Yes |
| Testcontainers.PostgreSql | 3.x | MIT | MIT | Yes |
| coverlet.collector | 6.x | MIT | MIT | Yes |
| BenchmarkDotNet | 0.13.x | MIT | MIT | Yes |
---
## 4. npm Dependencies (Angular Frontend)
### 4.1 Runtime Dependencies
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| @angular/animations | ^17.3.0 | MIT | MIT | Yes |
| @angular/cdk | ^17.3.10 | MIT | MIT | Yes |
| @angular/common | ^17.3.0 | MIT | MIT | Yes |
| @angular/compiler | ^17.3.0 | MIT | MIT | Yes |
| @angular/core | ^17.3.0 | MIT | MIT | Yes |
| @angular/forms | ^17.3.0 | MIT | MIT | Yes |
| @angular/material | ^17.3.10 | MIT | MIT | Yes |
| @angular/platform-browser | ^17.3.0 | MIT | MIT | Yes |
| @angular/platform-browser-dynamic | ^17.3.0 | MIT | MIT | Yes |
| @angular/router | ^17.3.0 | MIT | MIT | Yes |
| monaco-editor | 0.52.0 | MIT | MIT | Yes |
| rxjs | ~7.8.0 | Apache-2.0 | Apache-2.0 | Yes |
| tslib | ^2.3.0 | 0BSD | 0BSD | Yes |
| yaml | ^2.4.2 | ISC | ISC | Yes |
| zone.js | ~0.14.3 | MIT | MIT | Yes |
### 4.2 Development Dependencies
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| @angular-devkit/build-angular | ^17.3.17 | MIT | MIT | Yes |
| @angular/cli | ^17.3.17 | MIT | MIT | Yes |
| @angular/compiler-cli | ^17.3.0 | MIT | MIT | Yes |
| @axe-core/playwright | 4.8.4 | MPL-2.0 | MPL-2.0 | Yes |
| @playwright/test | ^1.47.2 | Apache-2.0 | Apache-2.0 | Yes |
| @storybook/angular | 8.1.0 | MIT | MIT | Yes |
| @storybook/addon-* | 8.1.0 | MIT | MIT | Yes |
| jasmine-core | ~5.1.0 | MIT | MIT | Yes |
| karma | ~6.4.0 | MIT | MIT | Yes |
| karma-chrome-launcher | ~3.2.0 | MIT | MIT | Yes |
| karma-coverage | ~2.2.0 | MIT | MIT | Yes |
| karma-jasmine | ~5.1.0 | MIT | MIT | Yes |
| storybook | ^8.1.0 | MIT | MIT | Yes |
| typescript | ~5.4.2 | Apache-2.0 | Apache-2.0 | Yes |
### 4.3 DevPortal (Astro) Dependencies
| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| astro | 5.16.0 | MIT | MIT | Yes |
| @astrojs/mdx | 4.3.12 | MIT | MIT | Yes |
| @astrojs/starlight | 0.36.2 | MIT | MIT | Yes |
| rapidoc | 9.3.8 | MIT | MIT | Yes |
| linkinator | 6.1.2 | Apache-2.0 | Apache-2.0 | Yes |
---
## 5. Infrastructure Dependencies
Components required for deployment but not bundled with StellaOps source.
| Component | Version | License | SPDX | Distribution | Notes |
|-----------|---------|---------|------|--------------|-------|
| PostgreSQL | ≥16 | PostgreSQL | PostgreSQL | Separate | Required database |
| RabbitMQ | ≥3.12 | MPL-2.0 | MPL-2.0 | Separate | Optional message broker |
| Valkey | ≥7.2 | BSD-3-Clause | BSD-3-Clause | Separate | Optional cache (Redis fork) |
| Docker | ≥24 | Apache-2.0 | Apache-2.0 | Tooling | Container runtime |
| OCI Registry | - | Varies | - | External | Harbor (Apache-2.0), Docker Hub, etc. |
| Kubernetes | ≥1.28 | Apache-2.0 | Apache-2.0 | Orchestration | Optional |
---
## 6. Regional/Optional Components
Components with special licensing or distribution considerations.
### 6.1 Russian Federation (RootPack_RU)
| Component | License | Distribution | Notes |
|-----------|---------|--------------|-------|
| AlexMAS.GostCryptography | MIT | Vendored source | GOST algorithm implementation |
| CryptoPro CSP | Commercial | **Customer-provided** | PKCS#11 interface only |
| CryptoPro wrapper | AGPL-3.0-or-later | StellaOps code | Integration bindings |
### 6.2 China (RootPack_CN) - Planned
| Component | License | Distribution | Notes |
|-----------|---------|--------------|-------|
| SM2/SM3/SM4 implementation | TBD | TBD | Chinese national standards |
| HSM integration | Commercial | **Customer-provided** | PKCS#11 interface only |
### 6.3 eIDAS (EU Qualified Signatures)
| Component | License | Distribution | Notes |
|-----------|---------|--------------|-------|
| BouncyCastle | MIT | NuGet | eIDAS-compatible algorithms |
| HSM integration | Commercial | **Customer-provided** | PKCS#11/CKM interface |
---
## 7. Known Restrictions & Requirements
### 7.1 Commercial Components (Not Distributed)
| Component | Vendor | Requirement |
|-----------|--------|-------------|
| CryptoPro CSP | CryptoPro LLC | Customer must obtain license from crypto-pro.ru |
| Hardware Security Modules | Various | Customer-provided with PKCS#11 drivers |
### 7.2 Export Control Considerations
| Algorithm | Regulation | Notes |
|-----------|------------|-------|
| GOST R 34.10-2012 | Russian national | Recommended for RootPack_RU only |
| SM2/SM3/SM4 | Chinese national | Recommended for RootPack_CN only |
| Standard (ECDSA/RSA/EdDSA) | Mass-market exempt | No restrictions |
See `docs/legal/crypto-compliance-review.md` for detailed export control analysis.
### 7.3 Attribution Requirements
The following licenses require attribution in distributed software:
- **MIT**: Copyright notice in documentation/NOTICE file
- **Apache-2.0**: NOTICE file preservation, license in documentation
- **BSD-3-Clause**: Copyright notice in documentation
All required attributions are maintained in `/NOTICE.md`.
---
## 8. Automation & Verification
### 8.1 Generating Updated Dependency Lists
```bash
# NuGet dependencies
dotnet list src/<Project>/<Project>.csproj package --include-transitive
# npm dependencies (with licenses)
cd src/Web/StellaOps.Web && npx license-checker --json --production
# Full SBOM with license info
dotnet run --project src/Scanner/StellaOps.Scanner.Cli -- sbom generate \
--format cyclonedx-1.6 \
--include-licenses \
--output stellaops-sbom.json
```
### 8.2 CI License Audit
See `.gitea/workflows/license-audit.yml` for automated license validation.
### 8.3 Allowed Licenses (Allowlist)
```yaml
# SPDX identifiers permitted in StellaOps
allowed_licenses:
# Permissive licenses (fully compatible)
- MIT
- Apache-2.0
- BSD-2-Clause
- BSD-3-Clause
- ISC
- 0BSD
- PostgreSQL
- Zlib
- BlueOak-1.0.0
- Python-2.0
- CC0-1.0
- Unlicense
# Weak copyleft (compatible with conditions)
- MPL-2.0 # File-level copyleft
- LGPL-2.1-or-later # Library linking allowed
- LGPL-3.0-or-later # Library linking allowed
# Data/documentation licenses (for non-code assets)
- CC-BY-3.0 # Attribution license (data only)
- CC-BY-4.0 # Attribution license (data only)
```
### 8.4 Blocked Licenses
These licenses are **NOT compatible** with AGPL-3.0-or-later:
```yaml
blocked_licenses:
- GPL-2.0-only # Version lock incompatible with AGPL-3.0
- SSPL-1.0 # Server Side Public License - additional network restrictions
- BUSL-1.1 # Business Source License - time-delayed commercial restrictions
- Elastic-2.0 # Similar restrictions to SSPL
- Commons-Clause # Commercial use restrictions addon
- LicenseRef-Proprietary
- UNLICENSED
```
### 8.5 Conditional Licenses (Dev Dependencies Only)
The following licenses are used **only in development dependencies** and are not shipped to production:
| Package | License | Usage | Notes |
|---------|---------|-------|-------|
| `@img/sharp-libvips-*` | LGPL-3.0-or-later | DevPortal build (Astro image optimization) | Not in production bundle |
| `axe-core` | MPL-2.0 | Accessibility testing | Dev/test only |
| `spdx-exceptions` | CC-BY-3.0 | License data file | Data, not code |
---
## 9. Document Maintenance
| Action | Trigger | Owner |
|--------|---------|-------|
| Update NuGet deps | Major version bump | Engineering |
| Update npm deps | Major version bump | Frontend team |
| Review new packages | PR review checklist | Security Guild |
| Annual audit | January each year | Legal + Security |
---
## 10. References
- [SPDX License List](https://spdx.org/licenses/)
- [AGPL-3.0-or-later Compatibility](https://www.gnu.org/licenses/gpl-faq.html)
- [REUSE Specification](https://reuse.software/spec/)
- [CycloneDX License Component](https://cyclonedx.org/docs/1.6/json/#components_items_licenses)
---
*Document maintained by: Security Guild*
*Last full audit: 2025-12-26*

6
docs/legal/crypto-compliance-review.md
View File

@@ -9,7 +9,7 @@
This document captures the licensing, export controls, and distribution guidance for cryptographic components in StellaOps, specifically:
1. **GostCryptography Fork** (`third_party/forks/AlexMAS.GostCryptography`)
1. **GostCryptography Fork** (`src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography`)
2. **CryptoPro Plugin** (`StellaOps.Cryptography.Plugin.CryptoPro`)
3. **Regional Crypto Providers** (GOST, SM2/SM3, eIDAS)
@@ -21,7 +21,7 @@ This document captures the licensing, export controls, and distribution guidance
|-----------|-------|
| Upstream | https://github.com/AlexMAS/GostCryptography |
| License | MIT |
| StellaOps Usage | Source-vendored in `third_party/forks/` |
| StellaOps Usage | Source-vendored within CryptoPro plugin folder |
| Compatibility | MIT is compatible with AGPL-3.0-or-later |
### 1.2 Attribution Requirements
@@ -30,7 +30,7 @@ The MIT license requires attribution in distributed software:
```
Copyright (c) 2014-2024 AlexMAS
See third_party/forks/AlexMAS.GostCryptography/LICENSE
See src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography/LICENSE
```
**Required Actions:**