
Third-party dependency licence reporting and validation #30

Open
4 tasks
nikitawootten-nist opened this issue Sep 9, 2022 · 1 comment
Labels: devex, devops, enhancement (New feature or request)

Comments

@nikitawootten-nist
Collaborator

User Story:

As a metaschema-node maintainer, I need to provide attribution for external licenses, as well as to check that only allowed licenses are used within the project's bundled dependencies.

Consumers of metaschema-node desire confidence that they can use this software without fear of transitive dependencies that have licenses disallowed by their organization.

This issue is required for #16

Goals:

  • Provide a script that generates license reports for all sub-projects.
  • Create an action that validates licenses for pull requests.

Dependencies:

{Describe any previous issues or related work that must be completed to start or complete this issue.}

Acceptance Criteria

  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

@nikitawootten-nist
Collaborator Author

The first goal of providing a license report can be satisfied using the approach taken by OSCAL-deep-diff: https://github.com/usnistgov/oscal-deep-diff/blob/7209d1afb3544c62a95816020a648c60071b74a1/package.json#L23
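As an added illustration of the two goals in this issue (a licence report plus an allow-list check on pull requests), and not code from metaschema-node or OSCAL-deep-diff: a Node script that builds a stable licence report from dependency package.json metadata and flags anything whose licence is not on an allow list. The package records and the allow list are constructed here; a real run would read each node_modules/<name>/package.json instead.

```javascript
// Allow list of SPDX identifiers (constructed example; tune to project policy).
const ALLOWED_LICENSES = new Set(['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0']);

// Constructed sample of the shapes the package.json "license" field takes in the wild.
const SAMPLE_PACKAGES = [
  { name: 'lodash', version: '4.17.21', license: 'MIT' },
  { name: 'left-pad', version: '1.3.0', license: 'WTFPL' },
  { name: 'some-gpl-lib', version: '2.0.0', license: 'GPL-3.0-only' },
  { name: 'dual-licensed', version: '3.1.0', license: '(MIT OR Apache-2.0)' },
  { name: 'legacy-pkg', version: '0.1.0', licenses: [{ type: 'BSD-3-Clause' }] }, // old-style field
  { name: 'no-license', version: '0.0.1' }, // no licence declared at all
];

// Normalise the historical variants of the field to one SPDX expression string.
function licenseOf(pkg) {
  if (typeof pkg.license === 'string') return pkg.license;
  if (pkg.license && typeof pkg.license.type === 'string') return pkg.license.type;
  if (Array.isArray(pkg.licenses)) return pkg.licenses.map((l) => l.type || l).join(' OR ');
  return 'UNKNOWN'; // undeclared licences are reported, never silently accepted
}

// Report: one row per package, sorted by name so the output diffs cleanly in a PR.
function buildReport(pkgs) {
  return pkgs
    .map((p) => ({ name: p.name, version: p.version, license: licenseOf(p) }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// A simple SPDX expression check: "A AND B" needs every id allowed,
// "A OR B" needs at least one (the project may pick that alternative).
function isAllowed(expr, allowed = ALLOWED_LICENSES) {
  const ids = expr.replace(/[()]/g, '').split(/\s+(?:AND|OR)\s+/);
  return expr.includes(' AND ') ? ids.every((id) => allowed.has(id)) : ids.some((id) => allowed.has(id));
}

// Validation step for CI: rows whose licence expression fails the allow list.
function findViolations(pkgs, allowed = ALLOWED_LICENSES) {
  return buildReport(pkgs).filter((row) => !isAllowed(row.license, allowed));
}

console.log(JSON.stringify(buildReport(SAMPLE_PACKAGES), null, 2));
console.log('violations:', findViolations(SAMPLE_PACKAGES).map((r) => `${r.name}@${r.version} (${r.license})`));
```

In a PR check the script would exit non-zero when `findViolations` returns anything; the report itself can be committed as the attribution artifact.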
