THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Use Cases/2.0/Third party produces bill of materials for software package
From SPDX Wiki
An organization wants to understand the legal obligations associated with its intended use of a software package. To gain this insight, the organization asks a third party to audit its entire codebase and determine the rights holders and licenses for every file in that codebase.
Stakeholders and Interests
- Auditee
  - The organization in possession of the code that wants to understand the licensing and rights holders of that code.
- Auditor
  - Third party that needs to analyze the codebase and inform the auditee of what the licensing is and who the rights holders are.
Main Success Scenario
- Auditee delivers code to auditor
- Auditor extracts licensing and copyright information from files
- Auditor determines the following for every file in the codebase:
  - Rights holders
  - Licensing terms
  - Membership in a package/component that is included in the codebase
- Auditor provides the above data to the auditee
- Legal staff at the auditee review the concluded licensing and rights holders and take any necessary actions to comply with the licenses
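As an added illustration (not from the SPDX wiki or any SPDX tool), the auditor's deliverable from the scenario above rendered as an SPDX 2.0 tag-value document: one Package per component and, for every file, the concluded license, the rights holder and its package membership, plus the check the auditee's legal staff would run first. All paths, file contents, names and conclusions are constructed.

```python
"""Render an auditor's per-file findings as an SPDX 2.0 tag-value document.
File contents, package names and licence conclusions below are constructed."""
import hashlib
import re

# Constructed findings: (path, file bytes, concluded licence, copyright text, package)
FINDINGS = [
    ("lib/json/parse.c", b"/* (c) 2013 Acme */", "MIT",
     "Copyright (c) 2013 Acme Corp.", "libjson"),
    ("lib/json/parse.h", b"/* (c) 2013 Acme */", "MIT",
     "Copyright (c) 2013 Acme Corp.", "libjson"),
    ("app/main.c", b"int main(void){return 0;}", "NOASSERTION", "NOASSERTION", "app"),
]

def spdx_ref(name):
    """SPDXRef identifiers may contain only letters, digits, '.' and '-'."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)

def text_field(value):
    """Free-text fields are wrapped in <text>..</text> unless NONE/NOASSERTION."""
    return value if value in ("NONE", "NOASSERTION") else f"<text>{value}</text>"

def render_spdx(findings):
    """Document header, then each package followed by the files it contains."""
    out = ["SPDXVersion: SPDX-2.0", "DataLicense: CC0-1.0",
           "SPDXID: SPDXRef-DOCUMENT", "DocumentName: audit-bom",
           "DocumentNamespace: http://example.invalid/spdx/audit-bom",
           "Creator: Organization: Example Auditor", "Created: 2015-01-01T00:00:00Z", ""]
    for pkg in sorted({f[4] for f in findings}):
        out += [f"PackageName: {pkg}", f"SPDXID: {spdx_ref(pkg)}",
                "PackageDownloadLocation: NOASSERTION",
                f"Relationship: SPDXRef-DOCUMENT DESCRIBES {spdx_ref(pkg)}", ""]
        for path, data, lic, cpr, _ in (f for f in findings if f[4] == pkg):
            out += [f"FileName: ./{path}", f"SPDXID: {spdx_ref(path)}",
                    f"FileChecksum: SHA1: {hashlib.sha1(data).hexdigest()}",
                    f"LicenseConcluded: {lic}",
                    f"FileCopyrightText: {text_field(cpr)}",
                    # package membership is also stated as an explicit relationship
                    f"Relationship: {spdx_ref(pkg)} CONTAINS {spdx_ref(path)}", ""]
    return "\n".join(out)

def unresolved_files(doc):
    """File names whose licence was not concluded; legal staff must follow up."""
    names = []
    for block in re.split(r"\n(?=FileName: )", doc):
        if block.startswith("FileName: ") and "\nLicenseConcluded: NOASSERTION" in block:
            names.append(block.split("\n", 1)[0][len("FileName: "):])
    return names
```

`render_spdx(FINDINGS)` produces the document text; `unresolved_files` over that text lists the files the auditor could not conclude a license for, which is where the auditee's legal review starts.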