https://wiki.spdx.org/index.php?title=Technical_Team/Use_Cases/2.0/Collecting_enough_information_to_allow_auditor_to_make_recommendations_to_remove_or_not_a_component&feed=atom&action=historyTechnical Team/Use Cases/2.0/Collecting enough information to allow auditor to make recommendations to remove or not a component - Revision history2024-03-28T18:54:01ZRevision history for this page on the wikiMediaWiki 1.23.13https://wiki.spdx.org/index.php?title=Technical_Team/Use_Cases/2.0/Collecting_enough_information_to_allow_auditor_to_make_recommendations_to_remove_or_not_a_component&diff=1768&oldid=prevMartinMichlmayr: Convert to MediaWiki syntax2013-03-07T13:16:55Z<p>Convert to MediaWiki syntax</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 13:16, 7 March 2013</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><ol><li><strong></del>Title:<del class="diffchange diffchange-inline"></strong> </del>Collecting enough information to allow auditor to make recommendations to remove or not a component<del class="diffchange diffchange-inline"></li><li><strong></del>Primary Actor:<del class="diffchange diffchange-inline"></strong> </del>Auditor of open source code<del class="diffchange diffchange-inline"></li><li><strong></del>Goal in Context:<del class="diffchange diffchange-inline"></strong> </del>To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.<del class="diffchange diffchange-inline"></li><li><strong></del>Stakeholders and Interests: <del class="diffchange diffchange-inline"></strong></li><ol><li><p><strong></del>Consumer of the audit: <del class="diffchange diffchange-inline"></strong></p></li><ol><li></del>Organization which has an interest in the license obligations of the copyrighted materials<del class="diffchange diffchange-inline"></li><li></del>Will typically have policies (either formal or informal) on the use of open source<del class="diffchange diffchange-inline"></li></ol></ol><li><strong></del>Preconditions:<del class="diffchange diffchange-inline"></strong></li><ol><li></del>Access to souce code tree by auditor<del class="diffchange diffchange-inline"></li></ol><li><strong></del>Main Success Scenario:<del class="diffchange diffchange-inline"></strong></li><ol><li></del>Source code is analyzed by the auditor and the origin for code and associated license is created<del class="diffchange diffchange-inline"></li><li></del>Policy violations are identified to the file 
(at least) level<del class="diffchange diffchange-inline"></li><li></del>Information on the audit is provided in an SPDX file + additional information (e.g. report) [the additional, external report would for example be able to reference items in the SPDX file, and externally capture which company policy is being violated and how]<del class="diffchange diffchange-inline"></li><li></del>Remediations are made to the source to comply with the policy<del class="diffchange diffchange-inline"></li><li></del>Source code is re-analyzed and an SPDX file describing the compliant code is produced<del class="diffchange diffchange-inline"></li></ol><li><strong></del>Failed End Condition:<del class="diffchange diffchange-inline"></strong></li><li><strong></del>Trigger:<del class="diffchange diffchange-inline"></strong></del>Audit<del class="diffchange diffchange-inline"></li><li><strong></del>Notes:<del class="diffchange diffchange-inline"></strong>&nbsp;</del>A data element missing from SPDX 1.x which may be generally needed to establish policy violations is "Code Usage information (e.g. statically vs. 
dynamically linked)"<del class="diffchange diffchange-inline"></li><li><strong></del>Example:<del class="diffchange diffchange-inline"></strong> </del>Company has a policy not to deploy any GPL code compiled into their proprietary commercial software.<del class="diffchange diffchange-inline">&nbsp; </del>Audit is performed to identify any GPL code and comply with the policy prior to a product release.<del class="diffchange diffchange-inline"></li></ol></del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Title:<ins class="diffchange diffchange-inline">''' </ins>Collecting enough information to allow auditor to make recommendations to remove or not a component</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Primary Actor:<ins class="diffchange diffchange-inline">''' </ins>Auditor of open source code</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Goal in Context:<ins class="diffchange diffchange-inline">''' </ins>To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Stakeholders and Interests: <ins class="diffchange diffchange-inline">'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">## '''</ins>Consumer of the audit: <ins class="diffchange diffchange-inline">'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">### </ins>Organization which has an interest in the license obligations of the copyrighted materials</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">### </ins>Will typically have policies (either formal or informal) on the use of open source</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Preconditions:<ins class="diffchange diffchange-inline">'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">## </ins>Access to souce code tree by auditor</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Main Success Scenario:<ins class="diffchange diffchange-inline">'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">## </ins>Source code is analyzed by the auditor and the origin for code and associated license is created</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">## </ins>Policy violations are identified to the file (at least) level</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">## </ins>Information on the audit is provided in an SPDX file + additional information (e.g. report) [the additional, external report would for example be able to reference items in the SPDX file, and externally capture which company policy is being violated and how]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">## </ins>Remediations are made to the source to comply with the policy</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">## </ins>Source code is re-analyzed and an SPDX file describing the compliant code is produced</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Failed End Condition:<ins class="diffchange diffchange-inline">'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Trigger:<ins class="diffchange diffchange-inline">'''</ins>Audit</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Notes:<ins class="diffchange diffchange-inline">''' </ins>A data element missing from SPDX 1.x which may be generally needed to establish policy violations is "Code Usage information (e.g. statically vs. dynamically linked)"</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># '''</ins>Example:<ins class="diffchange diffchange-inline">''' </ins>Company has a policy not to deploy any GPL code compiled into their proprietary commercial software. Audit is performed to identify any GPL code and comply with the policy prior to a product release.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">[[Category:Technical]]</ins></div></td></tr>
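<tr><td colspan="4">Review bot: the Preconditions line ("## Access to souce code tree by auditor") carries the typo "souce" over from the old revision; "source" is meant. The Trigger line ("# '''Trigger:'''Audit") is also the only item whose closing ''' is not followed by a space, so it renders as "Trigger:Audit" while every other item reads "Label: value"; add the space for consistency with the rest of the converted list.</td></tr>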
</table>MartinMichlmayrhttps://wiki.spdx.org/index.php?title=Technical_Team/Use_Cases/2.0/Collecting_enough_information_to_allow_auditor_to_make_recommendations_to_remove_or_not_a_component&diff=1767&oldid=prevBschineller at 18:20, 9 October 20122012-10-09T18:20:02Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 18:20, 9 October 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><ol><li><strong>Title:</strong> Collecting enough information to allow auditor to make recommendations to remove or not a component</li><li><strong>Primary Actor:</strong> Auditor of open source code</li><li><strong>Goal in Context:</strong> To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</li><li><strong>Stakeholders and Interests: </strong></li><ol><li><p><strong>Consumer of the audit: </strong></p></li><ol><li>Organization which has an interest in the license obligations of the copyrighted materials</li><li>Will typically have policies (either formal or informal) on the use of open source</li></ol></ol><li><strong>Preconditions:</strong></li><ol><li>Access to souce code tree by auditor</li></ol><li><strong>Main Success Scenario:</strong></li><ol><li>Source code is analyzed by the auditor and the origin for code and associated license is created</li><li>Policy violations are identified to the file (at least) level</li><li>Information on the audit is provided in an SPDX file + additional information (e.g. 
report) [<del class="diffchange diffchange-inline">PLEASE BE MORE SPECIFIC WITH EXAMPLE OF TYPE OF ADDITIONAL INFO</del>]</li><li>Remediations are made to the source to comply with the policy</li><li>Source code is re-analyzed and an SPDX file describing the compliant code is produced</li></ol><li><strong>Failed End Condition:</strong></li><li><strong>Trigger:</strong>Audit</li><li><strong>Notes:</strong>&nbsp;</li><li><strong>Example:</strong> Company has a policy not to deploy any GPL code compiled into their proprietary commercial software.&nbsp; Audit is performed to identify any GPL code and comply with the policy prior to a product release.</li></ol></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ol><li><strong>Title:</strong> Collecting enough information to allow auditor to make recommendations to remove or not a component</li><li><strong>Primary Actor:</strong> Auditor of open source code</li><li><strong>Goal in Context:</strong> To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</li><li><strong>Stakeholders and Interests: </strong></li><ol><li><p><strong>Consumer of the audit: </strong></p></li><ol><li>Organization which has an interest in the license obligations of the copyrighted materials</li><li>Will typically have policies (either formal or informal) on the use of open source</li></ol></ol><li><strong>Preconditions:</strong></li><ol><li>Access to souce code tree by auditor</li></ol><li><strong>Main Success Scenario:</strong></li><ol><li>Source code is analyzed by the auditor and the origin for code and associated license is created</li><li>Policy violations are identified to the file (at least) level</li><li>Information on the audit 
is provided in an SPDX file + additional information (e.g. report) [<ins class="diffchange diffchange-inline">the additional, external report would for example be able to reference items in the SPDX file, and externally capture which company policy is being violated and how</ins>]</li><li>Remediations are made to the source to comply with the policy</li><li>Source code is re-analyzed and an SPDX file describing the compliant code is produced</li></ol><li><strong>Failed End Condition:</strong></li><li><strong>Trigger:</strong>Audit</li><li><strong>Notes:</strong>&nbsp;<ins class="diffchange diffchange-inline">A data element missing from SPDX 1.x which may be generally needed to establish policy violations is "Code Usage information (e.g. statically vs. dynamically linked)"</ins></li><li><strong>Example:</strong> Company has a policy not to deploy any GPL code compiled into their proprietary commercial software.&nbsp; Audit is performed to identify any GPL code and comply with the policy prior to a product release.</li></ol></div></td></tr>
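<tr><td colspan="4">Review bot: the Failed End Condition item is still empty in the new revision even though the bracketed request for a more specific example was resolved in the same edit; either state what the failed outcome of the audit looks like or mark the item as not applicable so the template does not ship with a blank heading. The newly added Notes text ("Code Usage information (e.g. statically vs. dynamically linked)") is the substantive point of this use case for SPDX 2.0, so it would be worth promoting it from Notes into the Main Success Scenario step that identifies policy violations, where the missing data element actually bites.</td></tr>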
</table>Bschinellerhttps://wiki.spdx.org/index.php?title=Technical_Team/Use_Cases/2.0/Collecting_enough_information_to_allow_auditor_to_make_recommendations_to_remove_or_not_a_component&diff=1766&oldid=prevBschineller at 18:16, 2 October 20122012-10-02T18:16:33Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 18:16, 2 October 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><ol><li><strong>Title:</strong> Collecting enough information to allow auditor to make recommendations to remove or not a component</li><li><strong>Primary Actor:</strong> Auditor of open source code</li><li><strong>Goal in Context:</strong> To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</li><li><strong>Stakeholders and Interests: </strong></li><ol><li><p><strong>Consumer of the audit: </strong></p></li><ol><li>Organization which has an interest in the license obligations of the copyrighted materials</li><li>Will typically have policies (either formal or informal) on the use of open source</li></ol></ol><li><strong>Preconditions:</strong></li><ol><li>Access to souce code tree by auditor</li></ol><li><strong>Main Success Scenario:</strong></li><ol><li>Source code is analyzed by the auditor and the origin for code and associated license is created</li><li>Policy violations are identified to the file (at least) level</li><li>Information on the audit is provided in an SPDX file + additional information (e.g. 
report)</li><li>Remediations are made to the source to comply with the policy</li><li>Source code is re-analyzed and an SPDX file describing the compliant code is produced</li></ol><li><strong>Failed End Condition:</strong></li><li><strong>Trigger:</strong>Audit</li><li><strong>Notes:</strong>&nbsp;</li><li><strong>Example:</strong> Company has a policy not to deploy any GPL code compiled into their proprietary commercial software.&nbsp; Audit is performed to identify any GPL code and comply with the policy prior to a product release.</li></ol></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ol><li><strong>Title:</strong> Collecting enough information to allow auditor to make recommendations to remove or not a component</li><li><strong>Primary Actor:</strong> Auditor of open source code</li><li><strong>Goal in Context:</strong> To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</li><li><strong>Stakeholders and Interests: </strong></li><ol><li><p><strong>Consumer of the audit: </strong></p></li><ol><li>Organization which has an interest in the license obligations of the copyrighted materials</li><li>Will typically have policies (either formal or informal) on the use of open source</li></ol></ol><li><strong>Preconditions:</strong></li><ol><li>Access to souce code tree by auditor</li></ol><li><strong>Main Success Scenario:</strong></li><ol><li>Source code is analyzed by the auditor and the origin for code and associated license is created</li><li>Policy violations are identified to the file (at least) level</li><li>Information on the audit is provided in an SPDX file + additional information (e.g. 
report) <ins class="diffchange diffchange-inline">[PLEASE BE MORE SPECIFIC WITH EXAMPLE OF TYPE OF ADDITIONAL INFO]</ins></li><li>Remediations are made to the source to comply with the policy</li><li>Source code is re-analyzed and an SPDX file describing the compliant code is produced</li></ol><li><strong>Failed End Condition:</strong></li><li><strong>Trigger:</strong>Audit</li><li><strong>Notes:</strong>&nbsp;</li><li><strong>Example:</strong> Company has a policy not to deploy any GPL code compiled into their proprietary commercial software.&nbsp; Audit is performed to identify any GPL code and comply with the policy prior to a product release.</li></ol></div></td></tr>
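<tr><td colspan="4">Review bot: the inserted text "[PLEASE BE MORE SPECIFIC WITH EXAMPLE OF TYPE OF ADDITIONAL INFO]" is an editorial request embedded in the page body, so it renders to readers as part of the use case; it belongs on the talk page or in the edit summary, or should be resolved with the requested example before the page is published.</td></tr>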
</table>Bschinellerhttps://wiki.spdx.org/index.php?title=Technical_Team/Use_Cases/2.0/Collecting_enough_information_to_allow_auditor_to_make_recommendations_to_remove_or_not_a_component&diff=1765&oldid=prevGoneall at 16:23, 6 April 20122012-04-06T16:23:09Z<p></p>
<p><b>New page</b></p><div><ol><li><strong>Title:</strong> Collecting enough information to allow auditor to make recommendations to remove or not a component</li><li><strong>Primary Actor:</strong> Auditor of open source code</li><li><strong>Goal in Context:</strong> To provide the consumer of the code audit sufficient information to make changes to the copyrighted materials in order to comply with the consumers policies regarding open source compliance.</li><li><strong>Stakeholders and Interests: </strong></li><ol><li><p><strong>Consumer of the audit: </strong></p></li><ol><li>Organization which has an interest in the license obligations of the copyrighted materials</li><li>Will typically have policies (either formal or informal) on the use of open source</li></ol></ol><li><strong>Preconditions:</strong></li><ol><li>Access to souce code tree by auditor</li></ol><li><strong>Main Success Scenario:</strong></li><ol><li>Source code is analyzed by the auditor and the origin for code and associated license is created</li><li>Policy violations are identified to the file (at least) level</li><li>Information on the audit is provided in an SPDX file + additional information (e.g. report)</li><li>Remediations are made to the source to comply with the policy</li><li>Source code is re-analyzed and an SPDX file describing the compliant code is produced</li></ol><li><strong>Failed End Condition:</strong></li><li><strong>Trigger:</strong>Audit</li><li><strong>Notes:</strong>&nbsp;</li><li><strong>Example:</strong> Company has a policy not to deploy any GPL code compiled into their proprietary commercial software.&nbsp; Audit is performed to identify any GPL code and comply with the policy prior to a product release.</li></ol></div>Goneall