OSS license analysis in an SPDX file generated by FOSSology
reported by Yuki Machida (translated by Hiro Fukuchi)
original (in Japanese): https://qiita.com/machida-yuki/items/8738961fa3133296d4c7
About this report
Open Source Software (OSS) is one of the most important elements in developing large systems. Therefore, understanding OSS and its licenses is critical.
The OpenChain project, hosted by the Linux Foundation, is one of the OSS compliance activities that build trust across the software supply chain.
SPDX (Software Package Data Exchange) is an open standard for communicating software bill of materials information (including components, licenses, copyrights, and security references). FOSSology is a tool for scanning software source code and generating SPDX.
This report gives an example procedure to analyze licenses in an SPDX file generated by FOSSology.
Note: Only the following environment has been used.
SPDX License List: 2.6
Prerequisite: Ubuntu Desktop Japanese Remix is installed, and basic setup of the environment is completed.
license-coverage-grader is a tool that calculates a "grade score" expressing how completely the SPDX file gives license information for the included files.
If you need more information, please refer to the following URL.
- GitHub - license-coverage-grader
Install git and pip using the apt command.
$ sudo apt update
$ sudo apt install git python-pip
$ sudo -EH pip install --upgrade pip
Clone license-coverage-grader.git from the GitHub repository and install the Python module.
$ git clone https://github.com/spdx/license-coverage-grader.git
$ cd license-coverage-grader/
$ sudo -EH pip install --editable .
Analyzing source code, generating SPDX file
In this report, FOSSology demo server is used.
- FOSSology demo server
This report chooses "findutils" as input source code.
Access the FOSSology demo server via web browser.
Username: testuser , Password: test
After successful login, the following screen image will appear.
Note: The uploaded file name in "test-incoming" may differ from this image.
Select source code file for uploading.
"Upload" -> "From URL"
The following screen image will appear.
Enter the URL at "Enter the URL to the file or directory: "
Push the "upload" button at the bottom of the page.
Analysis will automatically start, after uploading the source code file.
Generating SPDX file.
Select "Browse" tab.
"Upload Name and Description"
From "-- select action --" section, select "Export SPDX tag value".
SPDX file will be generated, and file download will automatically start.
The downloaded file has the name "SPDX2TV_findutils-4.2.31.tar.gz_1541999637.spdx". In this report, to simplify, the file name is changed to "findutils-4.2.31.spdx".
Generating license list for each file
Convert SPDX file into CSV format using "license-coverage-grader".
$ python -s <path to the directory of license-coverage-grader>/license-coverage-grader/spdx_scanner.py findutils-4.2.31.spdx > findutils-4.2.31.csv
Open "findutils-4.2.31.csv" using "LibreOffice". When "LibreOffice" asks for the format, the default setting can be used. Push the "OK" button.
To analyze the CSV file, we use a filter.
"Data" -> "Auto filter"
In the first example, we verify the license of the "COPYING" file in "findutils-4.2.31.csv". Push "▼" in column A. Enter "COPYING" in the search window of the standard filter. "GPL-2.0" appears in column B. We can verify the license as "GPL-2.0".
In the second example, we verify the license of the "find.c" file. Push "▼" in column A. Enter "find.c" in the search window of the standard filter. "GPL-2.0+" appears in column B. We can verify the license as "GPL-2.0+".
Column B expresses section 4.6 "License Information in File" of the SPDX specification. This is the license information actually found in the file.
"GPL-2.0" and "GPL-2.0+" are "SPDX short identifiers", the expressions defined in the "SPDX License List" of the SPDX specification.
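As an added example (not part of the original report and not code from license-coverage-grader or FOSSology), the following Python code reads the per-file "LicenseInfoInFile" tags directly from an SPDX 2.1 tag-value file of the kind FOSSology exports, which is the same information the CSV and the LibreOffice filter give you. The SPDX text embedded in the example is constructed; the function names are this example's own.

```python
import re

# Constructed SPDX 2.1 tag-value excerpt in the shape FOSSology exports (paths and notices made up).
SAMPLE_SPDX = """SPDXVersion: SPDX-2.1

FileName: ./findutils-4.2.31/COPYING
LicenseInfoInFile: GPL-2.0
FileCopyrightText: <text>Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA</text>

FileName: ./findutils-4.2.31/find/find.c
LicenseInfoInFile: GPL-2.0+
FileCopyrightText: <text>Copyright (C) 1990 Free Software Foundation, Inc.</text>

FileName: ./findutils-4.2.31/README
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NONE
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_license_info_in_file(text):
    """Return {FileName: [LicenseInfoInFile values]} (SPDX 2.1 section 4.6). Multi-line
    <text>...</text> values are skipped as a unit so a notice line is never read as a tag."""
    result, current, in_text = {}, None, False
    for line in text.splitlines():
        if in_text:                       # still inside a <text> block
            in_text = "</text>" not in line
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.groups()
        if "<text>" in value and "</text>" not in value:
            in_text = True                # block continues on later lines
        elif tag == "FileName":
            current = value
            result[current] = []
        elif tag == "LicenseInfoInFile" and current is not None:
            result[current].append(value)
    return result

def licenses_for(info, basename):
    """Equivalent of the CSV filter step: files whose name equals basename."""
    return {f: l for f, l in info.items() if f.rsplit("/", 1)[-1] == basename}

def unasserted_files(info):
    """Files for which the scan found no license text (NOASSERTION/NONE only)."""
    return sorted(f for f, l in info.items() if set(l) <= {"NOASSERTION", "NONE"})
```

Files returned by unasserted_files are the ones a reviewer still has to check by hand, since the SPDX file carries no license evidence for them.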
If you want to read the SPDX specification and the SPDX License List, please refer to the following URLs.
The author provides the content of this report "AS IS", with no warranty for anyone who tries it.
This report uses the FOSSology demo server so that beginners can try the procedure easily. Input files are transferred outside your organization, so files that contain internal information or have a large size are not adequate for this test. In such cases, it is better to build an internal environment.
If you need more detailed information about the FOSSology environment, please visit the FOSSology site.
- FOSSology environment
GitHub - license-coverage-grader
SPDX 2.1 Specification
SPDX License List