# Java License Metadata with SPDX Normalization

## Module
Scanner

## Status
VERIFIED

## Description
Extracts license metadata from Maven POM license blocks, Gradle metadata, and JAR META-INF/LICENSE files, normalizing free-text license names to SPDX expression identifiers.

## Implementation Details
- **License Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/License/JavaLicenseDetector.cs` - Detects licenses from POM, Gradle metadata, and META-INF/LICENSE files
- **SPDX Normalization**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/License/SpdxLicenseNormalizer.cs` - Normalizes free-text license names to SPDX expression identifiers

## E2E Test Plan
- [ ] Scan a Maven project and verify license metadata is extracted from POM `<licenses>` blocks
- [ ] Verify free-text license names (e.g., "The Apache License, Version 2.0") are normalized to SPDX identifiers (e.g., "Apache-2.0")
- [ ] Verify JAR META-INF/LICENSE file content is analyzed for license detection
- [ ] Verify license information appears in the generated SBOM
- [ ] Verify multi-license components produce valid SPDX expressions (e.g., "MIT OR Apache-2.0")

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |