THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Use Cases/2.0/Collecting enough information to allow auditor to make recommendations to remove or not a component"
From SPDX Wiki
Bschineller (Talk | contribs) |
|||
Line 1: | Line 1: | ||
− | <ol><li><strong>Title:</strong> Collecting enough information to allow auditor to make recommendations to remove or not a component</li><li><strong>Primary Actor:</strong> Auditor of open source code</li><li><strong>Goal in Context:</strong> To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</li><li><strong>Stakeholders and Interests: </strong></li><ol><li><p><strong>Consumer of the audit: </strong></p></li><ol><li>Organization which has an interest in the license obligations of the copyrighted materials</li><li>Will typically have policies (either formal or informal) on the use of open source</li></ol></ol><li><strong>Preconditions:</strong></li><ol><li>Access to souce code tree by auditor</li></ol><li><strong>Main Success Scenario:</strong></li><ol><li>Source code is analyzed by the auditor and the origin for code and associated license is created</li><li>Policy violations are identified to the file (at least) level</li><li>Information on the audit is provided in an SPDX file + additional information (e.g. report)</li><li>Remediations are made to the source to comply with the policy</li><li>Source code is re-analyzed and an SPDX file describing the compliant code is produced</li></ol><li><strong>Failed End Condition:</strong></li><li><strong>Trigger:</strong>Audit</li><li><strong>Notes:</strong> </li><li><strong>Example:</strong> Company has a policy not to deploy any GPL code compiled into their proprietary commercial software. Audit is performed to identify any GPL code and comply with the policy prior to a product release.</li></ol> | + | <ol><li><strong>Title:</strong> Collecting enough information to allow auditor to make recommendations to remove or not a component</li><li><strong>Primary Actor:</strong> Auditor of open source code</li><li><strong>Goal in Context:</strong> To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</li><li><strong>Stakeholders and Interests: </strong></li><ol><li><p><strong>Consumer of the audit: </strong></p></li><ol><li>Organization which has an interest in the license obligations of the copyrighted materials</li><li>Will typically have policies (either formal or informal) on the use of open source</li></ol></ol><li><strong>Preconditions:</strong></li><ol><li>Access to souce code tree by auditor</li></ol><li><strong>Main Success Scenario:</strong></li><ol><li>Source code is analyzed by the auditor and the origin for code and associated license is created</li><li>Policy violations are identified to the file (at least) level</li><li>Information on the audit is provided in an SPDX file + additional information (e.g. report) [PLEASE BE MORE SPECIFIC WITH EXAMPLE OF TYPE OF ADDITIONAL INFO]</li><li>Remediations are made to the source to comply with the policy</li><li>Source code is re-analyzed and an SPDX file describing the compliant code is produced</li></ol><li><strong>Failed End Condition:</strong></li><li><strong>Trigger:</strong>Audit</li><li><strong>Notes:</strong> </li><li><strong>Example:</strong> Company has a policy not to deploy any GPL code compiled into their proprietary commercial software. Audit is performed to identify any GPL code and comply with the policy prior to a product release.</li></ol> |
Revision as of 18:16, 2 October 2012
- Title: Collecting enough information to allow auditor to make recommendations to remove or not a component
- Primary Actor: Auditor of open source code
- Goal in Context: To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.
- Stakeholders and Interests:
Consumer of the audit:
- Organization which has an interest in the license obligations of the copyrighted materials
- Will typically have policies (either formal or informal) on the use of open source
- Preconditions:
- Access to souce code tree by auditor
- Main Success Scenario:
- Source code is analyzed by the auditor and the origin for code and associated license is created
- Policy violations are identified to the file (at least) level
- Information on the audit is provided in an SPDX file + additional information (e.g. report) [PLEASE BE MORE SPECIFIC WITH EXAMPLE OF TYPE OF ADDITIONAL INFO]
- Remediations are made to the source to comply with the policy
- Source code is re-analyzed and an SPDX file describing the compliant code is produced
- Failed End Condition:
- Trigger:Audit
- Notes:
- Example: Company has a policy not to deploy any GPL code compiled into their proprietary commercial software. Audit is performed to identify any GPL code and comply with the policy prior to a product release.