stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
ac22ee3ce20dd18ddb231ba4e06d75c5003914ef
git.stella-ops.org/docs/features/checked/scanner/java-license-metadata-with-spdx-normalization.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

1.4 KiB
Raw Blame History

Java License Metadata with SPDX Normalization

Module

Scanner

Status

VERIFIED

Description

Extracts license metadata from Maven POM license blocks, Gradle metadata, and JAR META-INF/LICENSE files, normalizing free-text license names to SPDX expression identifiers.

Implementation Details

  • License Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/License/JavaLicenseDetector.cs - Detects licenses from POM, Gradle metadata, and META-INF/LICENSE files
  • SPDX Normalization:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/License/SpdxLicenseNormalizer.cs - Normalizes free-text license names to SPDX expression identifiers

E2E Test Plan

  • Scan a Maven project and verify license metadata is extracted from POM <licenses> blocks
  • Verify free-text license names (e.g., "The Apache License, Version 2.0") are normalized to SPDX identifiers (e.g., "Apache-2.0")
  • Verify JAR META-INF/LICENSE file content is analyzed for license detection
  • Verify license information appears in the generated SBOM
  • Verify multi-license components produce valid SPDX expressions (e.g., "MIT OR Apache-2.0")

Verification

Check Result
Tier 0 - Source files exist PASS
Tier 1 - Build + code review PASS
Tier 2 - Integration tests PASS
Verified 2026-02-13T18:10:00Z