Dependency License Gathering

[Gankra]

Something Something Software Build Of Materials Something Something Summary File? Not sure if there's a Good tool for this yet we should just use. Not sure if there's a Standard Format to produce (iirc linux distros have some tooling around this we should interop with).

[ashleygwilliams]

https://github.com/opensbom-generator/spdx-sbom-generator exists and supports cargo, is probably the most mature tool. is written in go. but they do produce binaries so we may be able to install and orchestrate

[Shnatsel]

cargo spdx exists, but the README advises that it's not yet ready for general use.

It could be used as a starting point if for some reason you need a tool written in Rust. You might also be able to crib some code from cargo auditable - it does things like deduplication and dependency type resolution internally.

But that stuff is quite the rabbit hole that even the official cargo metadata doesn't quite handle correctly, see e.g. rust-lang/cargo#7754 and rust-lang/cargo#10718

[jonathanpallant]

The MIT License says that:

"The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."

If I'm publishing the binary on my Github releases area, does the binary I built count as a "copy or substantial portion" of each dependency I use? If so, how do I scrape all the relevant "above copyright notice" lines from each MIT licensed dependency?