git.stella-ops.org/docs/features/unchecked/policy/license-compliance-evaluation-engine.md

# License Compliance Evaluation Engine

**Module:** Policy

**Status:** IMPLEMENTED

## Description

Full license compliance evaluation: SPDX license expression parsing, license compatibility checking against configurable allow/deny/copyleft lists (a compatibility matrix), attribution report generation, and integration with the policy engine. The known list already records SPDX license expression parsers in the Attestor writers, but this component is a distinct, policy-engine-integrated compliance evaluator that also generates attribution output.

## Implementation Details

- LicenseComplianceEvaluator: src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseComplianceEvaluator.cs (sealed class implements ILicenseComplianceEvaluator)
  - EvaluateAsync(components, policy) evaluates license compliance for all components
  - SPDX expression parsing via SpdxLicenseExpressionParser.Parse()
  - License expression evaluation via LicenseExpressionEvaluator with compatibility checking
  - Exemption support: per-component pattern-based license exemptions
  - Obligation tracking: Attribution, SourceDisclosure, PatentGrant, TrademarkNotice
  - Overall status: Pass (no issues), Warn (missing/unknown licenses, obligations), Fail (prohibited, copyleft conflict, commercial restriction)
- LicenseComplianceReport: src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseComplianceModels.cs
  - Inventory: LicenseUsage records with LicenseId, Expression, Category, Components list, Count; ByCategory counts; UnknownLicenseCount; NoLicenseCount
  - Findings: LicenseFinding records with Type, LicenseId, ComponentName, ComponentPurl, Category, Message
  - Conflicts: LicenseConflict records with conflicting LicenseIds and Reason
  - AttributionRequirements: ComponentName, LicenseId, Notices, IncludeLicenseText flag
- LicenseFindingType enum: ProhibitedLicense, CopyleftInProprietaryContext, LicenseConflict, UnknownLicense, MissingLicense, AttributionRequired, SourceDisclosureRequired, PatentClauseRisk, CommercialRestriction, ConditionalLicenseViolation
- LicenseCategory enum: Unknown, Permissive, WeakCopyleft, StrongCopyleft, Proprietary, PublicDomain
- Supporting classes:
  - LicenseKnowledgeBase: src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseKnowledgeBase.cs -- license metadata database
  - LicenseCompatibilityChecker: src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseCompatibilityChecker.cs -- compatibility matrix
  - LicenseExpressionEvaluator: src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseExpressionEvaluator.cs -- evaluates parsed expressions
  - ProjectContextAnalyzer: src/Policy/__Libraries/StellaOps.Policy/Licensing/ProjectContextAnalyzer.cs -- project context for compatibility
  - LicensePolicy / LicensePolicyLoader: src/Policy/__Libraries/StellaOps.Policy/Licensing/LicensePolicy.cs / LicensePolicyLoader.cs -- policy configuration
  - AttributionGenerator: src/Policy/__Libraries/StellaOps.Policy/Licensing/AttributionGenerator.cs -- NOTICE file generation
  - SpdxLicenseExpressionParser: src/Policy/__Libraries/StellaOps.Policy/Licensing/SpdxLicenseExpressionParser.cs -- SPDX expression parsing

## E2E Test Plan

- Evaluate component with "MIT" license; verify OverallStatus=Pass, Category=Permissive
- Evaluate component with "GPL-3.0-only" in proprietary context; verify finding type CopyleftInProprietaryContext, OverallStatus=Fail
- Evaluate component with prohibited license (in deny list); verify finding type ProhibitedLicense, OverallStatus=Fail
- Evaluate component with no license data; verify finding type MissingLicense, OverallStatus=Warn
- Evaluate component with unparseable license expression; verify finding type UnknownLicense
- Evaluate component with "Apache-2.0 OR MIT" dual license; verify parser resolves expression, one license selected
- Evaluate 3 components: MIT, GPL-3.0, Apache-2.0; verify Inventory contains all 3 with correct categories and ByCategory counts
- Evaluate with license requiring attribution; verify AttributionRequirements populated with ComponentName and Notices
- Configure exemption for component pattern "internal-*" allowing GPL-3.0; verify ProhibitedLicense finding suppressed
- Evaluate with UnknownLicenseHandling=Deny in policy; verify unknown licenses produce OverallStatus=Fail
- Evaluate component with conflicting dual licenses; verify LicenseConflict finding with reason
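The following standalone C# program is an added illustration of the pipeline outlined in the Implementation Details and exercised by the E2E scenarios above (SPDX expression parsing, resolution against a license knowledge base, deny-list and copyleft-in-proprietary-context checks, pattern-based exemptions, attribution obligations, and the Pass/Warn/Fail roll-up). It is not code from the StellaOps repository: the type and member names, the sample knowledge base, the "*" exemption glob, and the rule that an OR expression resolves to its least restrictive branch are all assumptions of this sketch, not the project's API.

```csharp
// Added illustration, not StellaOps code: a minimal SPDX-aware license compliance evaluator. Type and member
// names, the OR rule (least restrictive branch wins) and the sample knowledge base are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
// Constructed inputs mirroring the E2E scenarios: proprietary context, AGPL denied, "internal-*" exempted.
var policy = new Policy(new(new[] { "AGPL-3.0-only" }, StringComparer.OrdinalIgnoreCase), true, Status.Warn,
                        new() { ("internal-*", "AGPL-3.0-only") });
var components = new[]
{
    new Component("left-pad", "MIT"),                    // permissive: attribution obligation only
    new Component("gnu-thing", "GPL-3.0-only"),          // strong copyleft in a proprietary context
    new Component("dual", "Apache-2.0 OR GPL-3.0-only"), // dual license; one branch must be selected
    new Component("internal-tool", "AGPL-3.0-only"),     // denied license, but the component matches an exemption
    new Component("broken", "MIT OR"),                   // unparseable expression
};
var report = Evaluator.Evaluate(components, policy);
Console.WriteLine($"Overall: {report.Overall}");
foreach (var f in report.Findings) Console.WriteLine($"  {f.Type,-28} {f.ComponentName,-14} {f.LicenseId ?? "-"}: {f.Message}");
foreach (var a in report.Attribution) Console.WriteLine($"  attribution: {a.ComponentName} ({a.LicenseId})");

// Categories run from fewest to most obligations so the enum value doubles as a rank.
enum Category { PublicDomain, Permissive, WeakCopyleft, StrongCopyleft, Proprietary, Unknown }
enum Status { Pass, Warn, Fail }
record Component(string Name, string? LicenseExpression);
record Finding(string Type, string ComponentName, string? LicenseId, string Message);
record Policy(HashSet<string> Deny, bool ProprietaryContext, Status UnknownHandling, List<(string Pattern, string LicenseId)> Exemptions);
record Report(Status Overall, List<Finding> Findings, List<(string ComponentName, string LicenseId)> Attribution);
abstract record Expr; record Lic(string Id) : Expr; record And(Expr L, Expr R) : Expr; record Or(Expr L, Expr R) : Expr; // SPDX tree (subset, no WITH)

static class Knowledge
{
    // Constructed sample of a license knowledge base; a real one is far larger.
    static readonly Dictionary<string, Category> Map = new(StringComparer.OrdinalIgnoreCase) {
        ["MIT"] = Category.Permissive, ["Apache-2.0"] = Category.Permissive, ["MPL-2.0"] = Category.WeakCopyleft,
        ["GPL-3.0-only"] = Category.StrongCopyleft, ["AGPL-3.0-only"] = Category.StrongCopyleft, ["CC0-1.0"] = Category.PublicDomain,
    };
    public static Category Of(string id) => Map.TryGetValue(id, out var c) ? c : Category.Unknown;
}
static class SpdxParser
{
    // Grammar: or := and ("OR" and)* ; and := atom ("AND" atom)* ; atom := "(" or ")" | ID
    public static Expr Parse(string text)
    {
        var toks = Regex.Matches(text, @"\(|\)|[A-Za-z0-9.+-]+").Select(m => m.Value).ToList();
        int pos = 0;
        string? Peek() => pos < toks.Count ? toks[pos] : null;
        string? Next() => pos < toks.Count ? toks[pos++] : null;
        Expr ParseOr() { var l = ParseAnd(); while (Peek() == "OR") { pos++; l = new Or(l, ParseAnd()); } return l; }
        Expr ParseAnd() { var l = ParseAtom(); while (Peek() == "AND") { pos++; l = new And(l, ParseAtom()); } return l; }
        Expr ParseAtom()
        {
            var t = Next();
            if (t == "(") { var inner = ParseOr(); if (Next() != ")") throw new FormatException("missing ')'"); return inner; }
            if (t is null or ")" or "AND" or "OR") throw new FormatException($"unexpected token '{t ?? "<end>"}'");
            return new Lic(t);
        }
        var expr = ParseOr();
        if (pos != toks.Count) throw new FormatException($"trailing token '{toks[pos]}'");
        return expr;
    }
}
static class Evaluator
{
    // Flatten the tree to the ids that must all be satisfied; OR keeps its least restrictive branch.
    static List<string> Resolve(Expr e) => e switch
    {
        Lic l => new List<string> { l.Id },
        And a => Resolve(a.L).Concat(Resolve(a.R)).Distinct(StringComparer.OrdinalIgnoreCase).ToList(),
        Or o => new[] { Resolve(o.L), Resolve(o.R) }.OrderBy(ids => ids.Max(id => (int)Knowledge.Of(id))).First(),
        _ => throw new InvalidOperationException("unknown node"),
    };
    // Minimal "*" wildcard matcher for exemption patterns such as "internal-*".
    static bool Glob(string pattern, string name) => Regex.IsMatch(name, "^" + Regex.Escape(pattern).Replace(@"\*", ".*") + "$");
    public static Report Evaluate(IEnumerable<Component> components, Policy policy)
    {
        var findings = new List<Finding>();
        var attribution = new List<(string ComponentName, string LicenseId)>();
        foreach (var c in components)
        {
            if (string.IsNullOrWhiteSpace(c.LicenseExpression)) { findings.Add(new("MissingLicense", c.Name, null, "no license data")); continue; }
            List<string> ids;
            try { ids = Resolve(SpdxParser.Parse(c.LicenseExpression)); }
            catch (FormatException ex) { findings.Add(new("UnknownLicense", c.Name, c.LicenseExpression, "unparseable: " + ex.Message)); continue; }
            foreach (var id in ids)
            {
                // A component matching an exemption pattern may use the named license even when it is denied.
                if (policy.Exemptions.Any(x => Glob(x.Pattern, c.Name) && x.LicenseId.Equals(id, StringComparison.OrdinalIgnoreCase))) continue;
                var cat = Knowledge.Of(id);
                if (policy.Deny.Contains(id)) findings.Add(new("ProhibitedLicense", c.Name, id, "license is on the deny list"));
                else if (cat == Category.Unknown) findings.Add(new("UnknownLicense", c.Name, id, "license id not in knowledge base"));
                else if (cat == Category.StrongCopyleft && policy.ProprietaryContext) findings.Add(new("CopyleftInProprietaryContext", c.Name, id, "strong copyleft in proprietary code"));
                if (cat is not (Category.Unknown or Category.PublicDomain)) attribution.Add((c.Name, id)); // notice obligation
            }
        }
        // Prohibited/copyleft findings fail; unknown ids fail only when the policy says so; anything else warns.
        bool fail = findings.Any(f => f.Type is "ProhibitedLicense" or "CopyleftInProprietaryContext")
                 || (policy.UnknownHandling == Status.Fail && findings.Any(f => f.Type == "UnknownLicense"));
        return new Report(fail ? Status.Fail : findings.Count > 0 ? Status.Warn : Status.Pass, findings, attribution);
    }
}
```

The file uses top-level statements, so it builds as a single-file console project on .NET 6 or later. Two design points matter for a policy engine: attribution is tracked as an obligation rather than as a finding, so a component that is only MIT licensed still yields Pass (matching the first E2E scenario), and the exemption check runs before the deny-list check, which is what lets an "internal-*" pattern suppress a ProhibitedLicense finding without disabling the deny list for everything else. Switching the policy's UnknownHandling to Status.Fail is the counterpart of the UnknownLicenseHandling=Deny scenario.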