Difference between revisions of "Technical Team/Use Cases/2.0/Collecting enough information to allow auditor to make recommendations to remove or not a component"

<ol><li><strong>Title:</strong> Collecting enough information to allow auditor to make recommendations to remove or not a component</li><li><strong>Primary Actor:</strong> Auditor of open source code</li><li><strong>Goal in Context:</strong> To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</li><li><strong>Stakeholders and Interests: </strong></li><ol><li><p><strong>Consumer of the audit: </strong></p></li><ol><li>Organization which has an interest in the license obligations of the copyrighted materials</li><li>Will typically have policies (either formal or informal) on the use of open source</li></ol></ol><li><strong>Preconditions:</strong></li><ol><li>Access to souce code tree by auditor</li></ol><li><strong>Main Success Scenario:</strong></li><ol><li>Source code is analyzed by the auditor and the origin for code and associated license is created</li><li>Policy violations are identified to the file (at least) level</li><li>Information on the audit is provided in an SPDX file + additional information (e.g. report) [PLEASE BE MORE SPECIFIC WITH EXAMPLE OF TYPE OF ADDITIONAL INFO]</li><li>Remediations are made to the source to comply with the policy</li><li>Source code is re-analyzed and an SPDX file describing the compliant code is produced</li></ol><li><strong>Failed End Condition:</strong></li><li><strong>Trigger:</strong>Audit</li><li><strong>Notes:</strong>&nbsp;</li><li><strong>Example:</strong> Company has a policy not to deploy any GPL code compiled into their proprietary commercial software.&nbsp; Audit is performed to identify any GPL code and comply with the policy prior to a product release.</li></ol>