Dependency Analysis

Dependency Analysis is a procedure to identify Open Source and Licenses for Software included when building in the development environment that supports Package Manager such as Gradle, Maven, and Npm.

How to analysis dependency

1. Run Dependency Scanner

FOSSLight Dependency Scanner automatically detects the manifest file in the package manager, analyzes the dependency, and extracts the OSS information (OSS name, OSS Version, License, Download Location) to generate an OSS report.

Install and run it according to the FOSSLight Dependency Scanner guide.

(Info) For package manager not supported by FOSSLight Dependency Scanner, you can check other tools that support dependency analysis on the Tool page.

2. Supplement Open Source and License information

If the data in the meta file of the package is incorrect or missing, the wrong OSS information can be filled in or even it cannot be filled in the Dependency Analysis report.

Therefore, it It is necessary to supplement an OSS report by referring to the following.

• If the exact version of the license is not filled in.

  • BSD → BSD-2-Clause or BSD-3-Clause or BSD-4-Clause

  • CDDL → CDDL-1.1 or CDDL-1.0

  • GPL → GPL-2.0 or GPL-3.0

• If the license information is incorrect and needs to be checked.

  • E.g.) Instead of License information, blanks, unknowns, copyright, etc. has filled in.

  • Check the license directly through the package source code.

    ※ Use the source code anaylsis tool to check the license.

• If the multiple licenses are filled in.

  • In case of Multi License : Fill in multiple licenses actually used by separating them with ','.

  • In case of Dual License : Select a license with relatively few obligations and fill in only one license.