# License Compliance Evaluation Engine

## Module

Policy

## Status

IMPLEMENTED

## Description

Full license compliance evaluation: SPDX expression parsing, license compatibility matrix checking against configurable allow/deny/copyleft lists, attribution report generation, and policy engine integration. While the known list already has SPDX license expression parsers in the Attestor writers, this is a distinct, policy-engine-integrated compliance evaluator that also generates attribution output.

## Implementation Details

- **LicenseComplianceEvaluator**: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseComplianceEvaluator.cs` (sealed class implementing `ILicenseComplianceEvaluator`)
  - `EvaluateAsync(components, policy)` evaluates license compliance for all components
  - SPDX expression parsing via `SpdxLicenseExpressionParser.Parse()`
  - License expression evaluation via `LicenseExpressionEvaluator` with compatibility checking
  - Exemption support: per-component, pattern-based license exemptions
  - Obligation tracking: Attribution, SourceDisclosure, PatentGrant, TrademarkNotice
  - Overall status: Pass (no issues), Warn (missing/unknown licenses, obligations), Fail (prohibited license, copyleft conflict, commercial restriction)
- **LicenseComplianceReport**: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseComplianceModels.cs`
  - Inventory: LicenseUsage records with LicenseId, Expression, Category, Components list and Count; ByCategory counts; UnknownLicenseCount; NoLicenseCount
  - Findings: LicenseFinding records with Type, LicenseId, ComponentName, ComponentPurl, Category, Message
  - Conflicts: LicenseConflict records with the conflicting LicenseIds and a Reason
  - AttributionRequirements: ComponentName, LicenseId, Notices, IncludeLicenseText flag
- **LicenseFindingType enum**: ProhibitedLicense, CopyleftInProprietaryContext, LicenseConflict, UnknownLicense, MissingLicense, AttributionRequired, SourceDisclosureRequired, PatentClauseRisk, CommercialRestriction, ConditionalLicenseViolation
- **LicenseCategory enum**: Unknown, Permissive, WeakCopyleft, StrongCopyleft, Proprietary, PublicDomain
- **Supporting classes**:
  - `LicenseKnowledgeBase`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseKnowledgeBase.cs` -- license metadata database
  - `LicenseCompatibilityChecker`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseCompatibilityChecker.cs` -- compatibility matrix
  - `LicenseExpressionEvaluator`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseExpressionEvaluator.cs` -- evaluates parsed expressions
  - `ProjectContextAnalyzer`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/ProjectContextAnalyzer.cs` -- project context for compatibility decisions
  - `LicensePolicy` / `LicensePolicyLoader`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicensePolicy.cs` / `LicensePolicyLoader.cs` -- policy configuration
  - `AttributionGenerator`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/AttributionGenerator.cs` -- NOTICE file generation
  - `SpdxLicenseExpressionParser`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/SpdxLicenseExpressionParser.cs` -- SPDX expression parsing

## E2E Test Plan

- [ ] Evaluate component with "MIT" license; verify OverallStatus=Pass, Category=Permissive
- [ ] Evaluate component with "GPL-3.0-only" in proprietary context; verify finding type CopyleftInProprietaryContext, OverallStatus=Fail
- [ ] Evaluate component with prohibited license (in deny list); verify finding type ProhibitedLicense, OverallStatus=Fail
- [ ] Evaluate component with no license data; verify finding type MissingLicense, OverallStatus=Warn
- [ ] Evaluate component with unparseable license expression; verify finding type UnknownLicense
- [ ] Evaluate component with "Apache-2.0 OR MIT" dual license; verify parser resolves expression, one license selected
- [ ] Evaluate 3 components: MIT, GPL-3.0, Apache-2.0; verify Inventory contains all 3 with correct categories and ByCategory counts
- [ ] Evaluate with license requiring attribution; verify AttributionRequirements populated with ComponentName and Notices
- [ ] Configure exemption for component pattern "internal-*" allowing GPL-3.0; verify ProhibitedLicense finding suppressed
- [ ] Evaluate with UnknownLicenseHandling=Deny in policy; verify unknown licenses produce OverallStatus=Fail
- [ ] Evaluate component with conflicting dual licenses; verify LicenseConflict finding with reason
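
The parse-then-evaluate flow described under Implementation Details, exercised against the scenarios in the E2E Test Plan, as an added Python example. This is illustration code written for this page, not the StellaOps C# implementation: `parse_spdx`, `options`, `evaluate`, the `CATEGORIES` knowledge base, the policy dictionary keys (`deny`, `proprietary`, `unknown_handling`, `exemptions`) and the report dictionary are constructed stand-ins for `SpdxLicenseExpressionParser`, `LicenseKnowledgeBase`, `LicensePolicy` and `LicenseComplianceReport`, and the category assignments and the rule that a deny-list hit outranks a copyleft finding are assumptions rather than project behaviour. The parser handles `AND`, `OR`, `WITH` and parentheses with SPDX precedence and rejects malformed input; the evaluator expands the parsed tree into its alternatives, selects the least-severe one for dual-licensed components, applies the deny list, the copyleft-in-proprietary rule and component-name-pattern exemptions, and builds the inventory with per-category counts.

```python
"""Added example (not StellaOps code): SPDX expression parser plus a constructed policy evaluator."""
import re
from fnmatch import fnmatch

CATEGORIES = {  # constructed knowledge base: SPDX id -> category
    "MIT": "Permissive", "Apache-2.0": "Permissive", "BSD-3-Clause": "Permissive",
    "LGPL-2.1-only": "WeakCopyleft", "GPL-2.0-only": "StrongCopyleft", "GPL-3.0-only": "StrongCopyleft",
}
RANK = {"Pass": 0, "Warn": 1, "Fail": 2}  # severity order used to merge statuses


def parse_spdx(expr):
    """Parse with precedence WITH > AND > OR into id strings and (op, left, right) tuples."""
    toks = re.findall(r"\(|\)|[A-Za-z0-9.+\-]+", expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):  # characters the grammar does not allow
        raise ValueError(f"unparseable SPDX expression: {expr!r}")
    peek = lambda: toks[0] if toks else None  # next token without consuming it
    take = lambda: toks.pop(0) if toks else None  # consume the next token (None past the end)

    def ident():  # a license or exception id: any token that is not a keyword
        tok = take()
        if tok is None or tok in ("AND", "OR", "WITH", "(", ")"):
            raise ValueError(f"expected an identifier, got {tok!r}")
        return tok

    def operand():  # a parenthesised group, or an id optionally followed by "WITH exception"
        if peek() == "(":
            take()
            inner = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        lic = ident()
        if peek() != "WITH":
            return lic
        take()
        return ("WITH", lic, ident())

    def chain(op, sub):  # left-associative chain: sub (op sub)*
        left = sub()
        while peek() == op:
            take()
            left = (op, left, sub())
        return left

    or_expr = lambda: chain("OR", lambda: chain("AND", operand))
    tree = or_expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return tree


def options(node):  # every way to satisfy a parsed expression, each a list of license ids
    if isinstance(node, str):
        return [[node]]
    op, left, right = node
    if op == "WITH":
        return options(left)  # the base license still decides category and policy outcome
    if op == "OR":
        return options(left) + options(right)
    return [a + b for a in options(left) for b in options(right)]


def evaluate(components, policy):
    """components: dicts with name/license; policy keys: deny, proprietary, unknown_handling, exemptions."""
    rep = {"OverallStatus": "Pass", "Findings": [], "Inventory": {}, "ByCategory": {}}
    unknown = "Fail" if policy.get("unknown_handling") == "Deny" else "Warn"

    def add(comp, kind, lic, status, msg):  # record a finding and escalate the overall status
        rep["Findings"].append({"Type": kind, "LicenseId": lic, "ComponentName": comp["name"], "Message": msg})
        rep["OverallStatus"] = max(rep["OverallStatus"], status, key=RANK.get)

    def assess(comp, lic):  # -> [(kind, lic, status, message)] for one license id of one component
        cat = CATEGORIES.get(lic, "Unknown")
        if any(fnmatch(comp["name"], pat) and lic in ids for pat, ids in policy.get("exemptions", {}).items()):
            return []  # exempted by a component-name pattern
        if lic in policy.get("deny", ()):
            return [("ProhibitedLicense", lic, "Fail", "license is on the deny list")]
        if cat == "Unknown":
            return [("UnknownLicense", lic, unknown, "license id not in knowledge base")]
        if cat == "StrongCopyleft" and policy.get("proprietary"):
            return [("CopyleftInProprietaryContext", lic, "Fail", "copyleft in proprietary context")]
        return []

    for comp in components:
        if not comp.get("license"):
            add(comp, "MissingLicense", None, "Warn", "no license data for component")
            continue
        try:
            choices = options(parse_spdx(comp["license"]))
        except ValueError as err:
            add(comp, "UnknownLicense", comp["license"], unknown, str(err))
            continue
        worst = lambda ids: max((RANK[f[2]] for i in ids for f in assess(comp, i)), default=0)
        selected = min(choices, key=worst)  # least-severe alternative wins; the first one wins ties
        for lic in selected:  # findings and inventory for the licenses actually selected
            for f in assess(comp, lic):
                add(comp, *f)
            entry = rep["Inventory"].setdefault(lic, {"Category": CATEGORIES.get(lic, "Unknown"), "Components": []})
            entry["Components"].append(comp["name"])
            rep["ByCategory"][entry["Category"]] = rep["ByCategory"].get(entry["Category"], 0) + 1
    return rep
```

With the policy `{"proprietary": True}`, a component licensed `GPL-3.0-only OR MIT` passes because the `MIT` alternative is selected, while `GPL-3.0-only` alone fails with `CopyleftInProprietaryContext`; an unparseable expression such as `MIT & GPL` produces `UnknownLicense`, which escalates to `Fail` only when `unknown_handling` is `Deny`, and a component matching an exemption pattern such as `internal-*` keeps its license in the inventory without a finding.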