THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Use Cases/2.0/Third party produces bill of materials for software package"

From SPDX Wiki
Line 3: Line 3:
 
<h3>Stackholders and Interests</h3>
 
<h3>Stackholders and Interests</h3>
  
<dl>
+
<ul>
<dt>Auditee</dt>
+
<li><strong>Developer</strong>
<dd>The organization in possession of the code that wants to understand the licensing and rights holders of that code.</dd>
+
<p>The organization developing (or in possession of) the code that wants to understand the licensing and rights holders of that code.</p></li>
  
<dt>Auditor</dt>
+
<li><strong>Compliance office</strong>
<dd>Third party that need to analyze the codebase and inform the auditee of what the licensing is and who the rights holders are.</dd>
+
<p>The organization that is responsible for ensuring that the licensing of the code is complied with.</p></li>
  
</dl>
+
<li><strong>Analyzer</strong>
 +
<p>Third party that need to analyze the codebase and inform the auditee of what the licensing is and who the rights holders are.</p></li>
 +
 
 +
</ul>
  
 
<h2>Main Success Scenario</h2>
 
<h2>Main Success Scenario</h2>
  
 
<ol>
 
<ol>
<li>Auditee delivers code to auditor</li>
+
<li>Developers delivers code to analyzer</li>
<li>Auditor extracts licensing and copyright information from files</li>
+
<li>Analyzer extracts licensing and copyright information from files</li>
<li>Auditor determines the following for every file in code base:
+
<li>Analyzer identifies sub-components for which SPDX files already exists</li>
 +
<li>Analyzer imports/embeds SPDX data for pre-analyized sub-components</li>
 +
<li>Analyzer determines the following for every remaining file in code base:
 +
  <ul>
 +
    <li>Rights holders</li>
 +
    <li>Licensing terms</li>
 +
    <li>membership in a package/component which is included in the codebase</li>
 +
  </ul>
 +
</li>
 +
<li>Analyzer provides above data to auditee</li>
 +
<li>Compliance office looks at concluded licensing and right holder and take any necessary actions to comply with the licenses</li>
 +
</ol>
 +
 
 +
<h2>Alternate Scenario A</h2>
 +
 
 +
<ol>
 +
<li>Developer delivers code to analyzer</li>
 +
<li>Analyzer extracts licensing and copyright information from files</li>
 +
<li>Analyzer identifies sub-components for which SPDX files already exists</li>
 +
<li>Analyzer imports/embeds SPDX data for pre-analyized sub-components</li>
 +
<li>Analyzer determines the following for every remaining file in code base:
 
   <ul>
 
   <ul>
 
     <li>Rights holders</li>  
 
     <li>Rights holders</li>  
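Review bot: the new-revision heading keeps the typo "Stackholders" ("<h3>Stackholders and Interests</h3>" on both sides of the hunk) and should read "Stakeholders"; the new Analyzer entry and the new step "Analyzer provides above data to auditee" still refer to an "auditee" although this revision replaces the Auditee and Auditor roles with Developer, Compliance office and Analyzer, so name the intended role (Developer or Compliance office) there. In the new step list, "Developers delivers code to analyzer", "for which SPDX files already exists" and "pre-analyized sub-components" should read "Developer delivers", "already exist" and "pre-analyzed".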
Line 24: Line 47:
 
   </ul>
 
   </ul>
 
</li>
 
</li>
<li>Auditor provides above data to auditee</li>
+
<li>Analyzer provides above data to Compliance office.</li>
<li>Legal staff at auditee looks at concluded licensing and right holder and take any necessary actions to comply with the licenses</li>
+
<li>Compliance office looks at concluded licensing and right holder and determines that certain sub-components are unacceptable.</li>
 +
<li>Developer removes the offending sub-components.</li>
 +
<li>Developer delivers modified code to analyzer.</li>
 +
<li>Analyzer redoes analysis and provide new SPDX data to Compliance office.</li>
 +
<li>Compliance office looks at concluded licensing and right holder and take any necessary actions to comply with the licenses</li>
 
</ol>
 
</ol>
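Review bot: the new step "Analyzer redoes analysis and provide new SPDX data to Compliance office." should read "provides", and the three "Compliance office looks at concluded licensing and right holder and take ..." steps should read "rights holders and takes"; the final step of Alternate Scenario A also lacks the trailing period the neighbouring steps have. Since this hunk changes the hand-off to "Analyzer provides above data to Compliance office.", the corresponding Main Success Scenario step (which still says "to auditee") should be updated in the same edit so the two scenarios agree.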

Revision as of 18:19, 25 May 2012

An organization desires to understand the legal obligations associated with their intended use of a software package. To gain insight the organization requests a third party to audit their entire codebase to determine all rights holders and licenses for every file in the codebase.

Stakeholders and Interests

  • Developer

    The organization developing (or in possession of) the code that wants to understand the licensing and rights holders of that code.

  • Compliance office

    The organization that is responsible for ensuring that the licensing of the code is complied with.

  • Analyzer

    Third party that needs to analyze the codebase and inform the auditee of what the licensing is and who the rights holders are.

Main Success Scenario

  1. Developer delivers code to analyzer
  2. Analyzer extracts licensing and copyright information from files
  3. Analyzer identifies sub-components for which SPDX files already exist
  4. Analyzer imports/embeds SPDX data for pre-analyzed sub-components
  5. Analyzer determines the following for every remaining file in the code base:
    • Rights holders
    • Licensing terms
    • Membership in a package/component which is included in the codebase
  6. Analyzer provides above data to auditee
  7. Compliance office looks at the concluded licensing and rights holders and takes any necessary actions to comply with the licenses

Alternate Scenario A

  1. Developer delivers code to analyzer
  2. Analyzer extracts licensing and copyright information from files
  3. Analyzer identifies sub-components for which SPDX files already exist
  4. Analyzer imports/embeds SPDX data for pre-analyzed sub-components
  5. Analyzer determines the following for every remaining file in the code base:
    • Rights holders
    • Licensing terms
    • Membership in a package/component which is included in the codebase
  6. Analyzer provides above data to Compliance office.
  7. Compliance office looks at the concluded licensing and rights holders and determines that certain sub-components are unacceptable.
  8. Developer removes the offending sub-components.
  9. Developer delivers modified code to analyzer.
  10. Analyzer redoes the analysis and provides new SPDX data to Compliance office.
  11. Compliance office looks at the concluded licensing and rights holders and takes any necessary actions to comply with the licenses.
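The following is an added example, not code from the SPDX project or from this wiki page, that walks through the analyzer steps of both the Main Success Scenario and Alternate Scenario A over a constructed in-memory code base: it finds sub-components that already ship an SPDX tag-value document and embeds that data instead of rescanning (steps 3 and 4), extracts license identifiers and copyright holders from the remaining files (step 5), applies a compliance check that rejects sub-components under a denied license (Alternate Scenario A, step 7), and re-runs the analysis after the developer removes them (steps 8 to 10). The file contents, directory layout, sub-component name and license denylist are all constructed sample data; the tags SPDXVersion, PackageName, PackageLicenseConcluded and PackageCopyrightText are real SPDX tag-value tags, but the parser here only handles single-line values and is not a full SPDX reader.

```python
"""Toy analyzer for the use case above (added example, not SPDX project code).
All sample files, the sub-component and the license denylist are constructed."""
import re
from dataclasses import dataclass

# Constructed sample code base: path -> file contents. 'third_party/libfoo' is a
# sub-component that already ships an SPDX tag-value document (foo.spdx).
CODEBASE = {
    "src/main.c": "// SPDX-License-Identifier: MIT\n"
                  "// Copyright (c) 2012 Example Corp\n"
                  "int main(void) { return 0; }\n",
    "src/util.c": "/* Copyright 2011 Jane Doe */\n"
                  "/* SPDX-License-Identifier: Apache-2.0 */\n",
    "src/legacy.c": "int legacy_flag;\n",  # constructed file with no notice at all
    "third_party/libfoo/foo.c": "// SPDX-License-Identifier: GPL-2.0-only\n"
                                "// Copyright 2010 Foo Project\n",
    "third_party/libfoo/foo.spdx": "SPDXVersion: SPDX-2.0\n"
                                   "PackageName: libfoo\n"
                                   "PackageLicenseConcluded: GPL-2.0-only\n"
                                   "PackageCopyrightText: Copyright 2010 Foo Project\n",
}

LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\(c\)\s*)?[^*/\n]+", re.IGNORECASE)


@dataclass
class FileRecord:
    path: str
    license: str        # SPDX license identifier, or NOASSERTION when none was found
    copyrights: list    # rights holders (copyright notices) for the file
    package: str        # sub-component the file belongs to, "" for top-level code
    source: str         # "imported" from existing SPDX data, or "scanned" here


def parse_tag_value(text):
    """Parse single-line 'Tag: value' pairs of an SPDX tag-value document into a dict."""
    doc = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            tag, _, value = line.partition(":")
            doc[tag.strip()] = value.strip()
    return doc


def find_subcomponents(codebase):
    """Step 3: a directory that ships a .spdx document is a pre-analyzed sub-component."""
    comps = {}
    for path, text in codebase.items():
        if path.endswith(".spdx"):
            comps[path.rsplit("/", 1)[0] + "/"] = parse_tag_value(text)
    return comps


def scan_file(path, text):
    """Step 5: extract licensing terms and rights holders from a file's own notices."""
    match = LICENSE_RE.search(text)
    holders = [c.strip() for c in COPYRIGHT_RE.findall(text)]
    return FileRecord(path, match.group(1) if match else "NOASSERTION", holders, "", "scanned")


def analyze(codebase):
    """Steps 2-5: embed imported SPDX data for known sub-components, scan everything else."""
    comps = find_subcomponents(codebase)
    records = {}
    for path, text in sorted(codebase.items()):
        if path.endswith(".spdx"):
            continue  # the SPDX document describes files; it is not analyzed itself
        for prefix, doc in comps.items():
            if path.startswith(prefix):
                # Step 4: reuse the sub-component's concluded data instead of rescanning
                records[path] = FileRecord(
                    path, doc.get("PackageLicenseConcluded", "NOASSERTION"),
                    [doc.get("PackageCopyrightText", "")],
                    doc.get("PackageName", prefix.rstrip("/")), "imported")
                break
        else:
            records[path] = scan_file(path, text)
    return records


def unacceptable_subcomponents(records, denied_licenses):
    """Alternate Scenario A, step 7: sub-components whose concluded license is denied."""
    return sorted({r.package for r in records.values()
                   if r.package and r.license in denied_licenses})


def remove_subcomponents(codebase, packages):
    """Alternate Scenario A, step 8: drop every file of the offending sub-components."""
    prefixes = [prefix for prefix, doc in find_subcomponents(codebase).items()
                if doc.get("PackageName") in packages]
    return {p: t for p, t in codebase.items()
            if not any(p.startswith(prefix) for prefix in prefixes)}


if __name__ == "__main__":
    denied = {"GPL-2.0-only"}  # constructed policy of the compliance office
    first = analyze(CODEBASE)
    rejected = unacceptable_subcomponents(first, denied)
    second = analyze(remove_subcomponents(CODEBASE, rejected))  # steps 9-10
    for rec in second.values():
        print(f"{rec.path}: {rec.license} {rec.copyrights} [{rec.source}]")
```

Running it prints one line per remaining file after the rejected sub-component is removed. The `src/legacy.c` record, which carries neither an SPDX identifier nor a copyright notice, comes back as NOASSERTION with no rights holders: such files are the ones a real analysis has to route to manual review rather than silently treat as cleared.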