cashapp / licensee

Gradle plugin which validates the licenses of your dependency graph match what you expect
https://cashapp.github.io/licensee/docs/1.x/
Apache License 2.0
614 stars 28 forks

Support SPDX json export #204

Open hfhbd opened 1 year ago

hfhbd commented 1 year ago

https://spdx.dev SPDX is a standard for license information of a software product and its dependencies. The current artifacts.json isn't a standard. I have a prototype to generate a spdx.json file and would like to publish it too.

The prototype is based on the artifacts.json file, but this file lacks a graph and some properties. Instead, this format needs to use the maven pom files/apis directly.

Needed properties:

JakeWharton commented 1 year ago

Can we still include the extra stuff that's in our JSON today? Or is the format too strict?

hfhbd commented 1 year ago

Do you mean you want to put the content of the artifacts.json in the spdx.json? The spdx spec is a superset of the current artifacts.json file. It includes everything of the current json, but spdx is more detailed and way more complex. Depending on your use-case (at cash?) and maybe small apps, I would keep the artifacts.json file for easy usage.
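To make concrete what the thread means by the flat artifacts.json lacking "a graph" while SPDX carries it, here is an added example (not code from licensee or from anyone in this thread) that turns a constructed list of artifacts.json-style entries plus a constructed dependency edge list into an SPDX 2.3 JSON document. The `ARTIFACTS` and `EDGES` data, the `spdx-example` tool name, and the `example.invalid` URLs are all made up for illustration; reading a POM's multiple `<license>` entries as a choice (`OR`) is an assumption. The checks at the end are the ones a consumer of the export would want: every relationship resolves to a declared package, and packages with no usable license are listed rather than silently accepted.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like licensee's artifacts.json entries (not real data).
ARTIFACTS = [
    {"groupId": "com.example", "artifactId": "app", "version": "1.0.0", "name": "Example App",
     "spdxLicenses": [{"identifier": "Apache-2.0", "name": "Apache License 2.0",
                       "url": "https://www.apache.org/licenses/LICENSE-2.0"}],
     "scm": {"url": "https://example.invalid/app"}},
    {"groupId": "com.example", "artifactId": "core", "version": "2.3.1", "name": "Example Core",
     "spdxLicenses": [{"identifier": "MIT", "name": "MIT License",
                       "url": "https://opensource.org/licenses/MIT"}],
     "scm": None},
    {"groupId": "org.example", "artifactId": "util", "version": "0.9", "name": "Example Util",
     "spdxLicenses": [], "scm": None},  # no license metadata at all
]
# The dependency graph artifacts.json does not carry; constructed here as
# (dependant coordinates, dependency coordinates) pairs.
EDGES = [
    ("com.example:app:1.0.0", "com.example:core:2.3.1"),
    ("com.example:core:2.3.1", "org.example:util:0.9"),
]


def coordinates(artifact):
    return f"{artifact['groupId']}:{artifact['artifactId']}:{artifact['version']}"


def spdx_id(coords):
    # SPDX element ids may only contain letters, digits, '.' and '-'.
    return "SPDXRef-" + "".join(c if c.isalnum() or c in ".-" else "-" for c in coords)


def purl(artifact):
    # Package URL for Maven coordinates, so other tools can match the package.
    return f"pkg:maven/{artifact['groupId']}/{artifact['artifactId']}@{artifact['version']}"


def license_expression(artifact):
    ids = [lic["identifier"] for lic in artifact.get("spdxLicenses", [])]
    # Assumption: several POM licenses mean the consumer may choose one.
    return " OR ".join(ids) if ids else "NOASSERTION"


def to_spdx(artifacts, edges, root, doc_name, namespace, created=None):
    """Build an SPDX 2.3 document: one package per artifact, DEPENDS_ON per edge."""
    packages = []
    for artifact in artifacts:
        expr = license_expression(artifact)
        packages.append({
            "SPDXID": spdx_id(coordinates(artifact)),
            "name": artifact.get("name") or f"{artifact['groupId']}:{artifact['artifactId']}",
            "versionInfo": artifact["version"],
            "downloadLocation": (artifact.get("scm") or {}).get("url") or "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": expr,
            "licenseDeclared": expr,
            "copyrightText": "NOASSERTION",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl(artifact)}],
        })
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": spdx_id(root)}]
    for src, dst in edges:
        relationships.append({"spdxElementId": spdx_id(src), "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": spdx_id(dst)})
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "documentNamespace": namespace,
        "creationInfo": {"created": created, "creators": ["Tool: spdx-example-0"]},
        "packages": packages,
        "relationships": relationships,
    }


def validate(doc):
    """Checks a consumer would run: unique ids and every relationship resolving."""
    problems = []
    ids = [p["SPDXID"] for p in doc["packages"]]
    if len(ids) != len(set(ids)):
        problems.append("duplicate package SPDXID")
    known = set(ids) | {doc["SPDXID"]}
    for rel in doc["relationships"]:
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel[key] not in known:
                problems.append(f"relationship references unknown element {rel[key]}")
    return problems


def unlicensed(doc):
    """Names of packages whose license is NOASSERTION: the ones a policy check must flag."""
    return [p["name"] for p in doc["packages"] if p["licenseDeclared"] == "NOASSERTION"]


if __name__ == "__main__":
    sbom = to_spdx(ARTIFACTS, EDGES, "com.example:app:1.0.0", "example-app",
                   "https://example.invalid/spdx/example-app")
    print(json.dumps(sbom, indent=2))
    print("problems:", validate(sbom), "unlicensed:", unlicensed(sbom))
```

The `DEPENDS_ON` relationships are exactly the information the flat artifacts.json cannot express, and `unlicensed` shows why the export is still a policy input rather than just a report: a package with `NOASSERTION` is one the license check has not actually covered.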