daml/oss-compliance/README.md

# Open Source Software Compliance

## Overview

The package contains tools & processes to:
* generate our open source Bill Of Materials
* validate the open source licenses are in line with the permitted ones
* [todo] validate the open source libraries are part of a

The tools ingest license information generated by language specific tools (e.g. *mvn* & *scala*) to produce a consistent report covering on all the open source libraries used.

Details about language specifics tools used as inputs:

### JDK

To retrieve JDK dependencies we are using the [license maven plugin](http://www.mojohaus.org/license-maven-plugin/):

`mvn license:aggregate-download-licenses`

generating an xml file containing all the relevant licenses extracted from the maven poms.

### Haskell

The Haskell licensing checks are now done in [../../da-docs-daml-user-guide/licenses/extract.py](compiler/daml-licenses/licenses/extract.py)


## OSS Compliance in Action

The logical steps are the following:

* generate a list of dependencies for both haskell and java (and javascript in the future)
* for each single dependency, check:
  *  the license is whitelisted as per [LICENSES_WHITE_LIST.csv](LICENSES_WHITE_LIST.csv)
  *  the package is whitelisted as per [PACKAGES_WHITE_LIST.csv](PACKAGES_WHITE_LIST.csv)
* any dependency whose license or package is not whitelisted is then considered **non compliant**

### Licenses

We use a *white list* approach: explicitly defining which licenses are allowed.

The white listed licenses are defined in [LICENSES_WHITE_LIST.csv](LICENSES_WHITE_LIST.csv)

As you can see the file is grouped by *license group* (e.g. EPL, *Eclipse Public License*).

The *license group* is a logical constructor and it's only used to group similar licenses in the csv file.

Especially in the maven world, there are many variants on how a an underlying open source license is defined that makes sense to group them together.

### Packages

[PACKAGES_WHITE_LIST.csv](PACKAGES_WHITE_LIST.csv) is a way to filter packages created internally.


### What if the check fails?

#### Failure due to a non white-listed dependency

Please coordinate with the SPG group to ensure the offending license is reviewed with CTO / General Counselor.

It may be a variation of an already approved license. If that's the case, once approved, it can be added to the white listed licenses.

TODO: provide a link to a list of approved licenses

### How to invoke the compliance check

To invoke the oss compliance check, invoke:

`make oss-compliance`

This will then trigger the following:

[check_oss_license.sh](check_oss_license.sh)
open-sourcing daml 2019-04-04 11:33:38 +03:00			`# Open Source Software Compliance`

			`## Overview`

			`The package contains tools & processes to:`
			`* generate our open source Bill Of Materials`
			`* validate the open source licenses are in line with the permitted ones`
			`* [todo] validate the open source libraries are part of a`

			`The tools ingest license information generated by language specific tools (e.g. mvn & scala) to produce a consistent report covering on all the open source libraries used.`

			`Details about language specifics tools used as inputs:`

			`### JDK`

			`To retrieve JDK dependencies we are using the [license maven plugin](http://www.mojohaus.org/license-maven-plugin/):`

			`mvn license:aggregate-download-licenses`

			`generating an xml file containing all the relevant licenses extracted from the maven poms.`

			`### Haskell`

Move code in daml-tools outside of daml-foundations (#2033) 2019-07-08 12:40:48 +03:00			`The Haskell licensing checks are now done in [../../da-docs-daml-user-guide/licenses/extract.py](compiler/daml-licenses/licenses/extract.py)`
open-sourcing daml 2019-04-04 11:33:38 +03:00

			`## OSS Compliance in Action`

			`The logical steps are the following:`

			`* generate a list of dependencies for both haskell and java (and javascript in the future)`
			`* for each single dependency, check:`
			`* the license is whitelisted as per [LICENSES_WHITE_LIST.csv](LICENSES_WHITE_LIST.csv)`
			`* the package is whitelisted as per [PACKAGES_WHITE_LIST.csv](PACKAGES_WHITE_LIST.csv)`
			`* any dependency whose license or package is not whitelisted is then considered non compliant`

			`### Licenses`

			`We use a white list approach: explicitly defining which licenses are allowed.`

			`The white listed licenses are defined in [LICENSES_WHITE_LIST.csv](LICENSES_WHITE_LIST.csv)`

			`As you can see the file is grouped by license group (e.g. EPL, Eclipse Public License).`

			`The license group is a logical constructor and it's only used to group similar licenses in the csv file.`

			`Especially in the maven world, there are many variants on how a an underlying open source license is defined that makes sense to group them together.`

			`### Packages`

			`[PACKAGES_WHITE_LIST.csv](PACKAGES_WHITE_LIST.csv) is a way to filter packages created internally.`


			`### What if the check fails?`

			`#### Failure due to a non white-listed dependency`

			`Please coordinate with the SPG group to ensure the offending license is reviewed with CTO / General Counselor.`

			`It may be a variation of an already approved license. If that's the case, once approved, it can be added to the white listed licenses.`

			`TODO: provide a link to a list of approved licenses`

			`### How to invoke the compliance check`

			`To invoke the oss compliance check, invoke:`

			`make oss-compliance`

			`This will then trigger the following:`

			`[check_oss_license.sh](check_oss_license.sh)`