# Third-Party Dependencies

**Document Version:** 1.0.0

**Last Updated:** 2025-12-26

**SPDX License Identifier:** AGPL-3.0-or-later (StellaOps)

This document provides a comprehensive inventory of all third-party dependencies used in StellaOps, their licenses, and AGPL-3.0-or-later compatibility status.

---

## Summary

| Category | Count | License Types |
|----------|-------|---------------|
| Vendored/Bundled | 4 | MIT, Commercial |
| NuGet (Runtime) | ~100+ | MIT, Apache-2.0, BSD-3-Clause, PostgreSQL |
| NuGet (Dev/Test) | ~50+ | MIT, Apache-2.0 |
| npm (Runtime) | ~15 | MIT, Apache-2.0, ISC, 0BSD |
| npm (Dev) | ~30+ | MIT, Apache-2.0 |
| Infrastructure | 6 | PostgreSQL, MPL-2.0, BSD-3-Clause, Apache-2.0 |

### License Compatibility with AGPL-3.0-or-later

| License | SPDX | Compatible | Notes |
|---------|------|------------|-------|
| MIT | MIT | Yes | Permissive, no restrictions |
| Apache-2.0 | Apache-2.0 | Yes | Permissive, patent grant |
| BSD-2-Clause | BSD-2-Clause | Yes | Permissive |
| BSD-3-Clause | BSD-3-Clause | Yes | Permissive |
| ISC | ISC | Yes | Functionally equivalent to MIT |
| 0BSD | 0BSD | Yes | Public domain equivalent |
| PostgreSQL | PostgreSQL | Yes | Permissive, similar to MIT/BSD |
| MPL-2.0 | MPL-2.0 | Yes | File-level copyleft, compatible via aggregation |
| LGPL-2.1+ | LGPL-2.1-or-later | Yes | Library linking allowed |
| Commercial | LicenseRef-* | N/A | Customer-provided, not distributed |

---

## 1. Vendored/Bundled Components

Components included directly in the StellaOps source tree.

| Component | Version | License | SPDX | Location | Notes |
|-----------|---------|---------|------|----------|-------|
| tree-sitter | - | MIT | MIT | Native bindings | Parser generator for reachability analysis |
| tree-sitter-ruby | - | MIT | MIT | Native bindings | Ruby language parser |
| AlexMAS.GostCryptography | fork | MIT | MIT | `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/` | GOST R 34.10/34.11 implementation |
| CryptoPro CSP | N/A | Commercial | LicenseRef-CryptoPro | Integration only | **Not distributed**; customer-provided |

### License Files

Full license texts are available in `/third-party-licenses/`:

- `tree-sitter-MIT.txt`
- `tree-sitter-ruby-MIT.txt`
- `AlexMAS.GostCryptography-MIT.txt`

---

## 2. NuGet Dependencies (Runtime)

Primary runtime dependencies for .NET 10 modules. Extracted via `dotnet list package --include-transitive`.

### 2.1 Core Framework & ASP.NET

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Microsoft.AspNetCore.* | 10.0.x | MIT | MIT | Yes |
| Microsoft.EntityFrameworkCore | 10.0.0 | MIT | MIT | Yes |
| Microsoft.EntityFrameworkCore.Relational | 10.0.0 | MIT | MIT | Yes |
| Microsoft.Extensions.* | 10.0.x | MIT | MIT | Yes |
| Microsoft.IdentityModel.* | 8.x | MIT | MIT | Yes |
| System.IdentityModel.Tokens.Jwt | 8.0.1 | MIT | MIT | Yes |

### 2.2 Serialization & Data

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Newtonsoft.Json | 13.0.3 | MIT | MIT | Yes |
| YamlDotNet | 16.3.0 | MIT | MIT | Yes |
| protobuf-net | 3.2.45 | Apache-2.0 | Apache-2.0 | Yes |
| Google.Protobuf | 3.31.1 | BSD-3-Clause | BSD-3-Clause | Yes |
| Json.More.Net | 2.1.1 | MIT | MIT | Yes |
| JsonPointer.Net | 5.3.1 | MIT | MIT | Yes |
| JsonSchema.Net | 7.3.4 | MIT | MIT | Yes |
| AngleSharp | 1.2.0 | MIT | MIT | Yes |

### 2.3 Database & Caching

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Npgsql | 10.0.0 | PostgreSQL | PostgreSQL | Yes |
| Npgsql.EntityFrameworkCore.PostgreSQL | 10.0.0 | PostgreSQL | PostgreSQL | Yes |
| Dapper | 2.1.35 | Apache-2.0 | Apache-2.0 | Yes |
| StackExchange.Redis | 2.8.37 | MIT | MIT | Yes |

### 2.4 Cryptography & Security

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| BouncyCastle.Cryptography | 2.6.2 | MIT | MIT | Yes |
| Pkcs11Interop | 5.1.2 | Apache-2.0 | Apache-2.0 | Yes |
| Blake3 | 1.1.0 | Apache-2.0 OR CC0-1.0 | Apache-2.0 | Yes |
| System.Security.Cryptography.Pkcs | 7.0.2 | MIT | MIT | Yes |
| System.Security.Cryptography.ProtectedData | 9.0.0 | MIT | MIT | Yes |

### 2.5 Cloud Providers

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| AWSSDK.Core | 4.0.1.3 | Apache-2.0 | Apache-2.0 | Yes |
| AWSSDK.S3 | 4.0.6 | Apache-2.0 | Apache-2.0 | Yes |
| AWSSDK.KeyManagementService | 4.0.6 | Apache-2.0 | Apache-2.0 | Yes |
| Google.Cloud.Kms.V1 | 3.19.0 | Apache-2.0 | Apache-2.0 | Yes |
| Google.Api.Gax | 4.11.0 | Apache-2.0 | Apache-2.0 | Yes |

### 2.6 gRPC & Networking

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Grpc.Net.Client | 2.71.0 | Apache-2.0 | Apache-2.0 | Yes |
| Grpc.Core.Api | 2.71.0 | Apache-2.0 | Apache-2.0 | Yes |
| Grpc.Auth | 2.71.0 | Apache-2.0 | Apache-2.0 | Yes |

### 2.7 Observability & Logging

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Serilog | 3.1.1 | Apache-2.0 | Apache-2.0 | Yes |
| Serilog.AspNetCore | 8.0.1 | Apache-2.0 | Apache-2.0 | Yes |
| Serilog.Extensions.Hosting | 8.0.0 | Apache-2.0 | Apache-2.0 | Yes |
| Serilog.Sinks.Console | 5.0.1 | Apache-2.0 | Apache-2.0 | Yes |
| Serilog.Sinks.File | 5.0.0 | Apache-2.0 | Apache-2.0 | Yes |

### 2.8 SBOM & Security Scanning

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| CycloneDX.Core | 10.0.2 | Apache-2.0 | Apache-2.0 | Yes |
| NuGet.Versioning | 6.13.2 | Apache-2.0 | Apache-2.0 | Yes |
| Semver | 2.3.0 | MIT | MIT | Yes |

### 2.9 Code Analysis & Build

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Microsoft.CodeAnalysis.Common | 4.14.0 | MIT | MIT | Yes |
| Microsoft.CodeAnalysis.CSharp | 4.14.0 | MIT | MIT | Yes |
| Microsoft.CodeAnalysis.Workspaces.MSBuild | 4.14.0 | MIT | MIT | Yes |
| Microsoft.Build | 17.7.2 | MIT | MIT | Yes |
| Microsoft.Build.Locator | 1.10.2 | MIT | MIT | Yes |

### 2.10 Binary Analysis

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Iced | 1.21.0 | MIT | MIT | Yes |
| Gee.External.Capstone | 2.3.0 | BSD-3-Clause | BSD-3-Clause | Yes |
| PdfPig | 0.1.12 | Apache-2.0 | Apache-2.0 | Yes |

### 2.11 Compression & Archives

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| SharpCompress | 0.41.0 | MIT | MIT | Yes |
| ZstdSharp.Port | 0.8.6 | MIT | MIT | Yes |

### 2.12 Authentication & Authorization

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Microsoft.AspNetCore.Authentication.JwtBearer | 10.0.0 | MIT | MIT | Yes |
| OpenIddict.Abstractions | 6.4.0 | Apache-2.0 | Apache-2.0 | Yes |

### 2.13 Resilience & Scheduling

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Polly.Core | 8.4.2 | BSD-3-Clause | BSD-3-Clause | Yes |
| Polly.Extensions | 8.4.2 | BSD-3-Clause | BSD-3-Clause | Yes |
| Cronos | 0.9.0 | MIT | MIT | Yes |

### 2.14 Utilities

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| Humanizer.Core | 2.14.1 | MIT | MIT | Yes |
| System.CommandLine | 2.0.0-beta5 | MIT | MIT | Yes |
| NetEscapades.Configuration.Yaml | 3.1.0 | MIT | MIT | Yes |
| Pipelines.Sockets.Unofficial | 2.2.8 | MIT | MIT | Yes |

---

## 3. NuGet Dependencies (Development/Test)

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| xunit | 2.x | Apache-2.0 | Apache-2.0 | Yes |
| xunit.runner.visualstudio | 2.x | Apache-2.0 | Apache-2.0 | Yes |
| Moq | 4.x | BSD-3-Clause | BSD-3-Clause | Yes |
| FluentAssertions | 6.x | Apache-2.0 | Apache-2.0 | Yes |
| Microsoft.AspNetCore.Mvc.Testing | 10.0.x | MIT | MIT | Yes |
| Testcontainers | 3.x | MIT | MIT | Yes |
| Testcontainers.PostgreSql | 3.x | MIT | MIT | Yes |
| coverlet.collector | 6.x | MIT | MIT | Yes |
| BenchmarkDotNet | 0.13.x | MIT | MIT | Yes |

---

## 4. npm Dependencies (Angular Frontend)

### 4.1 Runtime Dependencies

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| @angular/animations | ^17.3.0 | MIT | MIT | Yes |
| @angular/cdk | ^17.3.10 | MIT | MIT | Yes |
| @angular/common | ^17.3.0 | MIT | MIT | Yes |
| @angular/compiler | ^17.3.0 | MIT | MIT | Yes |
| @angular/core | ^17.3.0 | MIT | MIT | Yes |
| @angular/forms | ^17.3.0 | MIT | MIT | Yes |
| @angular/material | ^17.3.10 | MIT | MIT | Yes |
| @angular/platform-browser | ^17.3.0 | MIT | MIT | Yes |
| @angular/platform-browser-dynamic | ^17.3.0 | MIT | MIT | Yes |
| @angular/router | ^17.3.0 | MIT | MIT | Yes |
| monaco-editor | 0.52.0 | MIT | MIT | Yes |
| rxjs | ~7.8.0 | Apache-2.0 | Apache-2.0 | Yes |
| tslib | ^2.3.0 | 0BSD | 0BSD | Yes |
| yaml | ^2.4.2 | ISC | ISC | Yes |
| zone.js | ~0.14.3 | MIT | MIT | Yes |

### 4.2 Development Dependencies

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| @angular-devkit/build-angular | ^17.3.17 | MIT | MIT | Yes |
| @angular/cli | ^17.3.17 | MIT | MIT | Yes |
| @angular/compiler-cli | ^17.3.0 | MIT | MIT | Yes |
| @axe-core/playwright | 4.8.4 | MPL-2.0 | MPL-2.0 | Yes |
| @playwright/test | ^1.47.2 | Apache-2.0 | Apache-2.0 | Yes |
| @storybook/angular | 8.1.0 | MIT | MIT | Yes |
| @storybook/addon-* | 8.1.0 | MIT | MIT | Yes |
| jasmine-core | ~5.1.0 | MIT | MIT | Yes |
| karma | ~6.4.0 | MIT | MIT | Yes |
| karma-chrome-launcher | ~3.2.0 | MIT | MIT | Yes |
| karma-coverage | ~2.2.0 | MIT | MIT | Yes |
| karma-jasmine | ~5.1.0 | MIT | MIT | Yes |
| storybook | ^8.1.0 | MIT | MIT | Yes |
| typescript | ~5.4.2 | Apache-2.0 | Apache-2.0 | Yes |

### 4.3 DevPortal (Astro) Dependencies

| Package | Version | License | SPDX | Compatible |
|---------|---------|---------|------|------------|
| astro | 5.16.0 | MIT | MIT | Yes |
| @astrojs/mdx | 4.3.12 | MIT | MIT | Yes |
| @astrojs/starlight | 0.36.2 | MIT | MIT | Yes |
| rapidoc | 9.3.8 | MIT | MIT | Yes |
| linkinator | 6.1.2 | Apache-2.0 | Apache-2.0 | Yes |

---

## 5. Infrastructure Dependencies

Components required for deployment but not bundled with StellaOps source.

| Component | Version | License | SPDX | Distribution | Notes |
|-----------|---------|---------|------|--------------|-------|
| PostgreSQL | ≥16 | PostgreSQL | PostgreSQL | Separate | Required database |
| RabbitMQ | ≥3.12 | MPL-2.0 | MPL-2.0 | Separate | Optional message broker |
| Valkey | ≥7.2 | BSD-3-Clause | BSD-3-Clause | Separate | Optional cache (Redis fork) |
| Docker | ≥24 | Apache-2.0 | Apache-2.0 | Tooling | Container runtime |
| OCI Registry | - | Varies | - | External | Harbor (Apache-2.0), Docker Hub, etc. |
| Kubernetes | ≥1.28 | Apache-2.0 | Apache-2.0 | Orchestration | Optional |

---

## 6. Regional/Optional Components

Components with special licensing or distribution considerations.
### 6.1 Russian Federation (RootPack_RU)

| Component | License | Distribution | Notes |
|-----------|---------|--------------|-------|
| AlexMAS.GostCryptography | MIT | Vendored source | GOST algorithm implementation |
| CryptoPro CSP | Commercial | **Customer-provided** | PKCS#11 interface only |
| CryptoPro wrapper | AGPL-3.0-or-later | StellaOps code | Integration bindings |

### 6.2 China (RootPack_CN) - Planned

| Component | License | Distribution | Notes |
|-----------|---------|--------------|-------|
| SM2/SM3/SM4 implementation | TBD | TBD | Chinese national standards |
| HSM integration | Commercial | **Customer-provided** | PKCS#11 interface only |

### 6.3 eIDAS (EU Qualified Signatures)

| Component | License | Distribution | Notes |
|-----------|---------|--------------|-------|
| BouncyCastle | MIT | NuGet | eIDAS-compatible algorithms |
| HSM integration | Commercial | **Customer-provided** | PKCS#11/CKM interface |

---

## 7. Known Restrictions & Requirements

### 7.1 Commercial Components (Not Distributed)

| Component | Vendor | Requirement |
|-----------|--------|-------------|
| CryptoPro CSP | CryptoPro LLC | Customer must obtain license from crypto-pro.ru |
| Hardware Security Modules | Various | Customer-provided with PKCS#11 drivers |

### 7.2 Export Control Considerations

| Algorithm | Regulation | Notes |
|-----------|------------|-------|
| GOST R 34.10-2012 | Russian national | Recommended for RootPack_RU only |
| SM2/SM3/SM4 | Chinese national | Recommended for RootPack_CN only |
| Standard (ECDSA/RSA/EdDSA) | Mass-market exempt | No restrictions |

See `docs/legal/crypto-compliance-review.md` for detailed export control analysis.
### 7.3 Attribution Requirements

The following licenses require attribution in distributed software:

- **MIT**: Copyright notice in documentation/NOTICE file
- **Apache-2.0**: NOTICE file preservation, license in documentation
- **BSD-3-Clause**: Copyright notice in documentation

All required attributions are maintained in `/NOTICE.md`.

---

## 8. Automation & Verification

### 8.1 Generating Updated Dependency Lists

```bash
# NuGet dependencies
dotnet list src//.csproj package --include-transitive

# npm dependencies (with licenses)
cd src/Web/StellaOps.Web && npx license-checker --json --production

# Full SBOM with license info
dotnet run --project src/Scanner/StellaOps.Scanner.Cli -- sbom generate \
  --format cyclonedx-1.6 \
  --include-licenses \
  --output stellaops-sbom.json
```

### 8.2 CI License Audit

See `.gitea/workflows/license-audit.yml` for automated license validation.

### 8.3 Allowed Licenses (Allowlist)

```yaml
# SPDX identifiers permitted in StellaOps
allowed_licenses:
  # Permissive licenses (fully compatible)
  - MIT
  - Apache-2.0
  - BSD-2-Clause
  - BSD-3-Clause
  - ISC
  - 0BSD
  - PostgreSQL
  - Zlib
  - BlueOak-1.0.0
  - Python-2.0
  - CC0-1.0
  - Unlicense
  # Weak copyleft (compatible with conditions)
  - MPL-2.0              # File-level copyleft
  - LGPL-2.1-or-later    # Library linking allowed
  - LGPL-3.0-or-later    # Library linking allowed
  # Data/documentation licenses (for non-code assets)
  - CC-BY-3.0            # Attribution license (data only)
  - CC-BY-4.0            # Attribution license (data only)
```

### 8.4 Blocked Licenses

These licenses are **NOT compatible** with AGPL-3.0-or-later:

```yaml
blocked_licenses:
  - GPL-2.0-only         # Version lock incompatible with AGPL-3.0
  - SSPL-1.0             # Server Side Public License - additional network restrictions
  - BUSL-1.1             # Business Source License - time-delayed commercial restrictions
  - Elastic-2.0          # Similar restrictions to SSPL
  - Commons-Clause       # Commercial use restrictions addon
  - LicenseRef-Proprietary
  - UNLICENSED
```

### 8.5 Conditional Licenses (Dev Dependencies Only)
The following licenses are used **only in development dependencies** and are not shipped to production:

| Package | License | Usage | Notes |
|---------|---------|-------|-------|
| `@img/sharp-libvips-*` | LGPL-3.0-or-later | DevPortal build (Astro image optimization) | Not in production bundle |
| `axe-core` | MPL-2.0 | Accessibility testing | Dev/test only |
| `spdx-exceptions` | CC-BY-3.0 | License data file | Data, not code |

---

## 9. Document Maintenance

| Action | Trigger | Owner |
|--------|---------|-------|
| Update NuGet deps | Major version bump | Engineering |
| Update npm deps | Major version bump | Frontend team |
| Review new packages | PR review checklist | Security Guild |
| Annual audit | January each year | Legal + Security |

---

## 10. References

- [SPDX License List](https://spdx.org/licenses/)
- [AGPL-3.0-or-later Compatibility](https://www.gnu.org/licenses/gpl-faq.html)
- [REUSE Specification](https://reuse.software/spec/)
- [CycloneDX License Component](https://cyclonedx.org/docs/1.6/json/#components_items_licenses)

---

*Document maintained by: Security Guild*

*Last full audit: 2025-12-26*
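The following is an added example, not StellaOps code and not the logic of `license-audit.yml`: a small Python gate that applies the allowlist of section 8.3 and the blocklist of section 8.4 to a CycloneDX 1.6 JSON SBOM of the shape that `sbom generate --include-licenses` in section 8.1 writes. It reads only standard CycloneDX component fields (`purl`, `name`, `licenses[].license.id`, `licenses[].license.name`, `licenses[].expression`). The embedded SBOM is constructed for the demonstration; the `example-*` components in it are placeholders, not real StellaOps dependencies. Two points it shows that the lists alone do not: SPDX expressions such as the `Apache-2.0 OR CC0-1.0` declared by Blake3 are evaluated (any allowed alternative of an `OR` satisfies the gate, any blocked conjunct of an `AND` fails it) rather than compared as strings, and the gate fails closed, so a component with no license, a name-only license, or an identifier on neither list is reported as `unknown` and blocks the build until someone reviews it.

```python
"""License gate over a CycloneDX JSON SBOM (added example, not StellaOps code)."""
import json

# Lists copied from sections 8.3 and 8.4 of the dependency document.
ALLOWED = {
    "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD",
    "PostgreSQL", "Zlib", "BlueOak-1.0.0", "Python-2.0", "CC0-1.0", "Unlicense",
    "MPL-2.0", "LGPL-2.1-or-later", "LGPL-3.0-or-later", "CC-BY-3.0", "CC-BY-4.0",
}
BLOCKED = {
    "GPL-2.0-only", "SSPL-1.0", "BUSL-1.1", "Elastic-2.0", "Commons-Clause",
    "LicenseRef-Proprietary", "UNLICENSED",
}
ALLOW, UNKNOWN, BLOCK = "allowed", "unknown", "blocked"


def verdict_for_id(spdx_id):
    """Single identifier: blocklist wins, then allowlist, else unknown (fail closed)."""
    if spdx_id in BLOCKED:
        return BLOCK
    return ALLOW if spdx_id in ALLOWED else UNKNOWN


def evaluate_expression(expression):
    """Evaluate an SPDX expression: expr := and ('OR' and)*; and := atom ('AND' atom)*;
    atom := '(' expr ')' | ID ['WITH' EXCEPTION]. A licence WITH an exception is a
    different grant from the bare licence, so it is only accepted if listed verbatim."""
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    if not tokens:
        return UNKNOWN
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        verdicts = [parse_and()]
        while peek() and peek().upper() == "OR":
            take()
            verdicts.append(parse_and())
        if ALLOW in verdicts:          # licensee may choose any branch
            return ALLOW
        return UNKNOWN if UNKNOWN in verdicts else BLOCK

    def parse_and():
        verdicts = [parse_atom()]
        while peek() and peek().upper() == "AND":
            take()
            verdicts.append(parse_atom())
        if BLOCK in verdicts:          # every conjunct applies
            return BLOCK
        return UNKNOWN if UNKNOWN in verdicts else ALLOW

    def parse_atom():
        tok = take()
        if tok == "(":
            inner = parse_or()
            if peek() != ")":
                raise ValueError("unbalanced parentheses in %r" % expression)
            take()
            return inner
        if peek() and peek().upper() == "WITH":
            take()
            tok = "%s WITH %s" % (tok, take())
        return verdict_for_id(tok)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expression)
    return result


def component_verdict(component):
    """Verdict for one CycloneDX component; missing or name-only licences are unknown."""
    entries = component.get("licenses") or []
    if not entries:
        return UNKNOWN
    verdicts = []
    for entry in entries:
        if "expression" in entry:
            verdicts.append(evaluate_expression(entry["expression"]))
        else:
            lic = entry.get("license", {})
            verdicts.append(verdict_for_id(lic["id"]) if "id" in lic else UNKNOWN)
    if BLOCK in verdicts:              # several entries on one component all apply
        return BLOCK
    return UNKNOWN if UNKNOWN in verdicts else ALLOW


def audit_sbom(sbom_json):
    """Group component references by verdict."""
    report = {ALLOW: [], UNKNOWN: [], BLOCK: []}
    for comp in json.loads(sbom_json).get("components", []):
        ref = comp.get("purl") or comp.get("name", "<unnamed>")
        report[component_verdict(comp)].append(ref)
    return report


def gate_passes(report):
    """Fail closed: anything blocked or unreviewed fails the gate."""
    return not report[BLOCK] and not report[UNKNOWN]


# Constructed sample SBOM; the example-* components are placeholders, not real packages.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
         "purl": "pkg:nuget/Newtonsoft.Json@13.0.3", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "Blake3", "version": "1.1.0",
         "purl": "pkg:nuget/Blake3@1.1.0", "licenses": [{"expression": "Apache-2.0 OR CC0-1.0"}]},
        {"type": "library", "name": "example-gpl-only-lib", "version": "0.0.1",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "example-name-only-lib", "version": "0.0.1",
         "licenses": [{"license": {"name": "Custom EULA"}}]},
        {"type": "library", "name": "example-no-license-lib", "version": "0.0.1"},
    ],
})

if __name__ == "__main__":
    result = audit_sbom(SAMPLE_SBOM)
    for verdict, refs in result.items():
        print("%-8s %s" % (verdict, ", ".join(refs) or "-"))
    raise SystemExit(0 if gate_passes(result) else 1)
```

In CI the script would read `stellaops-sbom.json` from section 8.1 instead of the embedded sample and exit non-zero on any blocked or unknown component; the `unknown` bucket is what catches a `LicenseRef-*` or name-only declaration such as the customer-provided CryptoPro CSP, which should never appear in a distributed SBOM in the first place.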