THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Use Cases/2.0/Third party produces bill of materials for software package
From SPDX Wiki
An organization desires to understand the legal obligations associated with their intended use of a software package. To gain insight the organization requests a third party to audit their entire codebase to determine all rights holders and licenses for every file in the codebase.
Stakeholders and Interests
- Developer
The organization developing (or in possession of) the code that wants to understand the licensing and rights holders of that code.
- Compliance office
The organization that is responsible for ensuring that the licensing of the code is complied with.
- Analyzer
Third party that needs to analyze the codebase and inform the auditee of what the licensing is and who the rights holders are.
Main Success Scenario
- Developer delivers code to the analyzer.
- Analyzer determines membership in sub-packages/components for each file.
- Analyzer imports/embeds existing SPDX data for sub-packages/components.
- Analyzer extracts licensing and copyright information from remaining files.
- Analyzer determines the following for every remaining file in the code base:
  - Rights holders
  - Licensing terms
- Analyzer provides the above data to the Compliance office.
- Compliance office reviews the concluded licensing and rights holders and takes any necessary actions to comply with the licenses.
Alternate Scenario A
- Developer delivers code to the analyzer.
- Analyzer determines membership in sub-packages/components for each file.
- Analyzer imports/embeds existing SPDX data for sub-packages/components.
- Analyzer extracts licensing and copyright information from remaining files.
- Analyzer determines the following for every remaining file in the code base:
  - Rights holders
  - Licensing terms
- Analyzer provides the above data to the Compliance office.
- Compliance office reviews the concluded licensing and rights holders and determines that certain sub-packages/components are unacceptable.
- Developer removes the offending sub-components.
- Developer delivers modified code to analyzer.
- Analyzer redoes the analysis and provides new SPDX data to the Compliance office.
- Compliance office reviews the concluded licensing and rights holders and takes any necessary actions to comply with the licenses.
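As an added illustration of both scenarios above (this is example code written for this page, not part of the SPDX wiki and not SPDX project code), the following Python script plays the analyzer role over a constructed in-memory codebase: it assigns each file to a sub-package, embeds existing SPDX data for the one sub-package that already has it, scans the remaining files for `SPDX-License-Identifier` tags, license phrases and copyright notices, concludes per-file and per-package licenses, renders an SPDX 2.0 tag-value document for the Compliance office, and then runs the Alternate Scenario A loop (flag an unacceptable sub-package, remove it, re-analyze). All paths, package names, license choices, copyright strings, the document namespace and the creator are made-up placeholders.

```python
"""Hypothetical SPDX 2.0 bill-of-materials generator for the analyzer role (example only)."""
import re
from dataclasses import dataclass, field

# --- Constructed inputs: a toy codebase (relative path -> contents); nothing here is real. ---
SAMPLE_CODEBASE = {
    "src/main.c": "// SPDX-License-Identifier: Apache-2.0\n// Copyright (c) 2015 Example Corp\nint main(void) { return 0; }\n",
    "src/util.c": "/* Copyright 2014 Jane Doe */\n/* Released under the MIT License. */\n",
    "src/legacy.c": "/* no licensing information at all */\n",
    "third_party/libfoo/foo.c": "int foo(void) { return 1; }\n",
    "third_party/bartool/bar.c": "// SPDX-License-Identifier: GPL-3.0-only\n// Copyright 2012 Bar Project\n",
}
# Existing SPDX data the analyzer imports for a known sub-package (placeholder values), keyed by path prefix.
EXISTING_SPDX = {
    "third_party/libfoo/": {"name": "libfoo", "license": "MIT", "copyright": "Copyright (c) 2010 Foo Authors"},
}
# Sub-package prefixes recognised by the analyzer that have no prior SPDX data and must be scanned.
KNOWN_COMPONENTS = {"third_party/bartool/": "bartool"}

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
COPYRIGHT = re.compile(r"(Copyright\s*(?:\(c\)|©)?\s*\d{4}[^\n*/]*)", re.IGNORECASE)
# Minimal phrase table used when a file carries no SPDX tag (a crude heuristic, for illustration).
LICENSE_PHRASES = {"MIT License": "MIT", "Apache License, Version 2.0": "Apache-2.0"}


@dataclass
class FileRecord:
    path: str
    spdx_id: str
    license_info: list      # every license found in the file
    concluded: str          # analyzer's conclusion, or NOASSERTION
    copyright_text: str     # rights holders, or NOASSERTION


@dataclass
class PackageRecord:
    name: str
    spdx_id: str
    concluded: str
    copyright_text: str
    files: list = field(default_factory=list)
    imported: bool = False  # True when taken verbatim from existing SPDX data


def component_of(path):
    """Step 2: decide which sub-package (if any) a file belongs to; None means the top-level package."""
    for prefix, data in EXISTING_SPDX.items():
        if path.startswith(prefix):
            return data["name"]
    for prefix, name in KNOWN_COMPONENTS.items():
        if path.startswith(prefix):
            return name
    return None


def extract_license_info(text):
    """Step 4: collect license identifiers from SPDX tags and known phrases, sorted for determinism."""
    found = set(SPDX_TAG.findall(text))
    for phrase, ident in LICENSE_PHRASES.items():
        if phrase.lower() in text.lower():
            found.add(ident)
    return sorted(found)


def extract_copyright(text):
    """Step 4: collect copyright notices (the rights holders) or NOASSERTION when none is found."""
    hits = [m.strip() for m in COPYRIGHT.findall(text)]
    return "\n".join(hits) if hits else "NOASSERTION"


def conclude(license_info):
    """Step 5: one unambiguous finding becomes the concluded license; anything else is NOASSERTION."""
    return license_info[0] if len(license_info) == 1 else "NOASSERTION"


def analyze(codebase, top_name="top-level"):
    """Steps 2-5: returns PackageRecords (top-level first) with per-file findings for scanned files."""
    packages = {top_name: PackageRecord(top_name, "SPDXRef-Package-top", "NOASSERTION", "NOASSERTION")}
    for data in EXISTING_SPDX.values():  # Step 3: embed existing SPDX data instead of rescanning
        packages[data["name"]] = PackageRecord(data["name"], f"SPDXRef-Package-{data['name']}",
                                               data["license"], data["copyright"], imported=True)
    for idx, (path, text) in enumerate(sorted(codebase.items())):
        comp = component_of(path)
        pkg = packages.get(comp) if comp else packages[top_name]
        if pkg is None:  # a recognised sub-package without prior data gets analyzed like any other file set
            pkg = packages[comp] = PackageRecord(comp, f"SPDXRef-Package-{comp}", "NOASSERTION", "NOASSERTION")
        if pkg.imported:
            continue
        info = extract_license_info(text)
        pkg.files.append(FileRecord(path, f"SPDXRef-File-{idx}", info, conclude(info), extract_copyright(text)))
    for pkg in packages.values():  # package conclusion: conjunction of the file-level conclusions
        if not pkg.imported and pkg.files:
            terms = {f.concluded for f in pkg.files if f.concluded != "NOASSERTION"}
            pkg.concluded = " AND ".join(sorted(terms)) if terms else "NOASSERTION"
    return list(packages.values())


def render_tag_value(packages, doc_name="example-bom"):
    """Step 6: serialise the findings as an SPDX 2.0 tag-value document for the Compliance office."""
    lines = ["SPDXVersion: SPDX-2.0", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
             f"DocumentName: {doc_name}",
             "DocumentNamespace: http://example.invalid/spdx/example-bom",  # placeholder namespace
             "Creator: Organization: Example Analyzer",                      # placeholder creator
             "Created: 2015-01-01T00:00:00Z", ""]                            # constructed timestamp
    for pkg in packages:
        lines += [f"PackageName: {pkg.name}", f"SPDXID: {pkg.spdx_id}", "PackageDownloadLocation: NOASSERTION",
                  f"PackageLicenseConcluded: {pkg.concluded}",
                  f"PackageLicenseDeclared: {pkg.concluded if pkg.imported else 'NOASSERTION'}",
                  f"PackageCopyrightText: <text>{pkg.copyright_text}</text>",
                  f"Relationship: SPDXRef-DOCUMENT DESCRIBES {pkg.spdx_id}", ""]
        for f in pkg.files:
            lines += [f"FileName: ./{f.path}", f"SPDXID: {f.spdx_id}", f"LicenseConcluded: {f.concluded}"]
            lines += [f"LicenseInfoInFile: {lic}" for lic in (f.license_info or ["NONE"])]
            lines += [f"FileCopyrightText: <text>{f.copyright_text}</text>",
                      f"Relationship: {pkg.spdx_id} CONTAINS {f.spdx_id}", ""]
    return "\n".join(lines)


def compliance_check(packages, unacceptable):
    """Alternate Scenario A: names of packages whose concluded license contains an unacceptable term."""
    return [p.name for p in packages if set(p.concluded.split(" AND ")) & set(unacceptable)]


def remove_component(codebase, component):
    """Alternate Scenario A: the developer drops the offending sub-package before resubmitting."""
    return {p: t for p, t in codebase.items() if component_of(p) != component}


if __name__ == "__main__":
    codebase = SAMPLE_CODEBASE
    packages = analyze(codebase)
    print(render_tag_value(packages))
    offending = compliance_check(packages, {"GPL-3.0-only"})  # policy chosen for the example
    print("Unacceptable sub-packages:", offending)
    for name in offending:
        codebase = remove_component(codebase, name)
    print(render_tag_value(analyze(codebase)))  # second pass after the developer's changes
```

The phrase table and copyright regex are deliberately crude stand-ins for the license-text matching a real analyzer performs; the point is the data flow: imported SPDX data is trusted as-is and never rescanned, every scanned file gets a concluded license and a rights holder (or an explicit NOASSERTION rather than a silent blank), and the compliance decision is taken on the rendered document, so the second pass produces a fresh document instead of patching the first.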