stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/scanner/java-license-metadata-with-spdx-normalization.md

1.2 KiB
Raw Blame History

Java License Metadata with SPDX Normalization

Module

Scanner

Status

IMPLEMENTED

Description

Extracts license metadata from Maven POM license blocks, Gradle metadata, and JAR META-INF/LICENSE files, normalizing free-text license names to SPDX expression identifiers.

Implementation Details

  • License Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/License/JavaLicenseDetector.cs - Detects licenses from POM, Gradle metadata, and META-INF/LICENSE files
  • SPDX Normalization:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/License/SpdxLicenseNormalizer.cs - Normalizes free-text license names to SPDX expression identifiers

E2E Test Plan

  • Scan a Maven project and verify license metadata is extracted from POM <licenses> blocks
  • Verify free-text license names (e.g., "The Apache License, Version 2.0") are normalized to SPDX identifiers (e.g., "Apache-2.0")
  • Verify JAR META-INF/LICENSE file content is analyzed for license detection
  • Verify license information appears in the generated SBOM
  • Verify multi-license components produce valid SPDX expressions (e.g., "MIT OR Apache-2.0")