TL/DR
I think it would be valuable for Graal to be able to analyse the (open source) software licenses of dependencies of my software.
Rationale
People and organisations generally want to adhere to the licenses under which software is made available to them. Nowadays this has become so difficult that tooling is needed to help. Take for example the JavaScript/Node.js ecosystem. When you develop even a simple client-server application, you easily end up using hundreds and hundreds of open source packages, either directly or through transitive dependencies. It's virtually impossible to collect and verify all this manually for every release of every product.
Feature Request
I envision a component of Graal that can create a "bill of materials" of my software. A table containing all dependencies of my software, both directly and indirectly. The table should have columns for:
Name of the dependency
Version of the dependency
Where the dependency can be found (could be a link to a package manager repository such as maven / npm / etc; or a link to the source code archive)
Software license(s) of the dependency; normalised somehow to easily search and filter
Furthermore, a view where the dependency tree is visualised seems useful, but that is probably more of a V2 feature / nice-to-have.
Notes
Please note that a package can have multiple licenses, e.g. dual-licensed BSD and GPLv2, meaning that you (as a user of the package) can choose which you want to apply (example).
A colleague mentioned that https://spdx.org has a good chance of becoming the standard.
Thanks for your consideration and this great software!
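As an added illustration of the requested table (example code written for this page, not Graal's own code), the sketch below flattens a constructed npm-style dependency tree into bill-of-materials rows with the four requested columns, and normalises free-text license fields into SPDX expressions, joining dual licenses with `OR`. The registry tarball URL pattern and the small alias table are assumptions for the example.

```python
"""Added example: flatten a constructed npm-style lock tree into BOM rows
with licenses normalised to SPDX expressions (dual licenses become 'A OR B')."""
from typing import Dict, Iterator, List

# Constructed sample resembling a package-lock.json v1 "dependencies" subtree.
# The 'licenses' list mirrors the legacy npm field used by dual-licensed packages.
SAMPLE_LOCK = {
    "dependencies": {
        "express": {"version": "4.18.2", "license": "MIT", "dependencies": {
            "body-parser": {"version": "1.20.1", "license": "MIT"},
            "dual-pkg": {"version": "2.0.0",
                         "licenses": [{"type": "BSD-3-Clause"}, "GPL-2.0-only"]},
        }},
        "lodash": {"version": "4.17.21", "license": "mit"},
        "mystery": {"version": "0.1.0"},  # no license metadata at all
    }
}

# Illustrative alias table (assumption): free-text spellings -> SPDX identifiers.
SPDX_ALIASES = {"mit": "MIT", "apache 2.0": "Apache-2.0", "gplv2": "GPL-2.0-only"}

def normalise_license(meta: dict) -> str:
    """Return one SPDX expression for a package; several licenses are joined with OR."""
    raw = meta.get("licenses") or meta.get("license") or []
    if isinstance(raw, (str, dict)):
        raw = [raw]
    names = [(item.get("type", "") if isinstance(item, dict) else str(item)).strip()
             for item in raw]
    ids = [SPDX_ALIASES.get(n.lower(), n) for n in names if n]
    if not ids:
        return "NOASSERTION"  # SPDX value meaning 'no license information available'
    return " OR ".join(ids)

def walk(deps: Dict[str, dict], depth: int = 0) -> Iterator[dict]:
    """Depth-first walk yielding one row per direct or transitive dependency."""
    for name, meta in sorted(deps.items()):
        version = meta["version"]
        yield {"name": name, "version": version,
               # Assumed registry tarball layout; scoped packages would need care.
               "location": f"https://registry.npmjs.org/{name}/-/{name}-{version}.tgz",
               "license": normalise_license(meta), "direct": depth == 0}
        yield from walk(meta.get("dependencies", {}), depth + 1)

def build_bom(lock: dict) -> List[dict]:
    """Build the flat bill-of-materials table from a lock-file dict."""
    return list(walk(lock.get("dependencies", {})))

if __name__ == "__main__":
    for row in build_bom(SAMPLE_LOCK):
        print(f"{row['name']:<12}{row['version']:<10}{row['license']:<30}{row['location']}")
```

Rows carry a `direct` flag so the same table can later feed the dependency-tree view mentioned as a nice-to-have.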