Eclipse Dash License Tool and Package Lock Files

One of the benefits of hosting your open source project at the Eclipse Foundation is the Eclipse Foundation’s Intellectual Property (IP) Policy and the IP Due Diligence Process that supports it. Eclipse project teams are responsible for tracking their own IP and for ensuring that all third-party content is compatible with the project licenses.

When the licensing of third-party content isn’t understood, the Eclipse IP Team is at the ready to assist with the process of vetting content.

The Eclipse Foundation currently has two trusted sources of license information for third-party content: the Eclipse Foundation’s IPZilla and ClearlyDefined. The IPZilla database has been painstakingly built over most of the lifespan of the Eclipse Foundation; it contains a vast wealth of deeply vetted information about many versions of many third-party libraries. ClearlyDefined is an OSI project that combines automated harvesting of software repositories with curation by trusted members of the community to produce a massive database of license (and other) information about content. The Eclipse Foundation’s IP Team has been working closely with the ClearlyDefined team, providing input into their processes and helping to curate their data.

The Eclipse Dash License Tool provides a command line interface that takes a list of dependencies as input and generates output that identifies the content that needs further scrutiny (i.e., it lists all content for which license information cannot be found in one of the trusted sources). The tool can directly pull dependencies out of a package lock (package-lock.json) file.

A package lock file describes, among other things, the dependencies of a component. The basic idea of a package lock file is to provide a means of capturing the exact configuration of an NPM component following installation.

For example, here’s the top of the file from Eclipse Vorto’s Git repository:

{
  "name": "vorto-mapper",
  "version": "0.11.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "fontoxpath": {
      "version": "3.3.0",
      "resolved": "https://registry.npmjs.org/fontoxpath/-/fontoxpath-3.3.0.tgz"
    },
    "slimdom-sax-parser": {
      "version": "1.1.3",
      "resolved": "https://registry.npmjs.org/slimdom-sax-parser/-/slimdom-sax-parser-1.1.3.tgz",
      "requires": {
        "saxes": "3.1.1",
        "slimdom": "2.1.0"
      }
    },
...

In this truncated (and slightly abridged) example, we see a component that has dependencies, each with their own dependencies (effectively forming a tree):

vorto-mapper@0.11.0
+-- fontoxpath@3.3.0
+-- slimdom-sax-parser@1.1.3
|   +-- saxes@3.1.1
|   +-- slimdom@2.1.0
+-- ...

The Dash License Tool can directly take the package-lock.json file as a parameter, pull the dependencies out of it and determine their license state.

$ java -jar org.eclipse.dash.licenses.jar ./mapping-engine-nodejs/package-lock.json

INFO: Querying Eclipse Foundation for license data for 10 items.
INFO: Found 2 items.
INFO: Querying ClearlyDefined for license data for 8 items.
INFO: Found 6 items.

License information could not be automatically verified for the following content:

https://clearlydefined.io/definitions/npm/npmjs/-/xpath/0.0.27
https://clearlydefined.io/definitions/npm/npmjs/-/loglevel/1.6.1

Please create contribution questionnaires for this content.
$ _

Based on the log, the tool was able to identify ten libraries in the file: two were mapped to IPZilla data, six were found in ClearlyDefined, and two could not be automatically verified.

From this output, it looks like the project team will need to engage with the Eclipse IP Team to resolve and validate the licensing of those two outstanding libraries.
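As an added example (not the Dash License Tool's own code), here is a Node.js script that does the lock-file part of what the tool does: it walks the nested dependency tree of a lockfileVersion 1 package-lock.json and produces the ClearlyDefined coordinates of the form the tool's output above lists (npm/npmjs/-/name/version). The sample lock file is constructed from the abridged vorto-mapper entries; the "@example/internal" entry with its private-registry URL, and the split into a lookup list and a review list for packages not resolved from the public registry, are my assumptions, not behaviour of the tool.

```javascript
// Constructed sample modelled on the abridged vorto-mapper lock file above.
const SAMPLE_LOCK = {
  name: "vorto-mapper", version: "0.11.0", lockfileVersion: 1, requires: true,
  dependencies: {
    fontoxpath: { version: "3.3.0",
      resolved: "https://registry.npmjs.org/fontoxpath/-/fontoxpath-3.3.0.tgz" },
    "slimdom-sax-parser": { version: "1.1.3",
      resolved: "https://registry.npmjs.org/slimdom-sax-parser/-/slimdom-sax-parser-1.1.3.tgz",
      requires: { saxes: "3.1.1", slimdom: "2.1.0" },
      // npm nests a copy here when the version differs from the hoisted one
      dependencies: { saxes: { version: "3.1.1",
        resolved: "https://registry.npmjs.org/saxes/-/saxes-3.1.1.tgz" } } },
    slimdom: { version: "2.1.0",
      resolved: "https://registry.npmjs.org/slimdom/-/slimdom-2.1.0.tgz" },
    // constructed: a scoped package from a private registry (assumption)
    "@example/internal": { version: "1.0.0",
      resolved: "https://npm.example.internal/@example/internal/-/internal-1.0.0.tgz" },
  },
};

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Depth-first walk over nested "dependencies" objects. Keying the Map by
// name@version means a package reached via several subtrees is listed once.
function collectDependencies(node, out = new Map()) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    out.set(`${name}@${entry.version}`,
      { name, version: entry.version, resolved: entry.resolved });
    if (entry.dependencies) collectDependencies(entry, out);
  }
  return out;
}

// ClearlyDefined coordinates are type/provider/namespace/name/revision;
// "-" is the namespace of an unscoped package, "@scope" that of a scoped one.
function toCoordinates({ name, version }) {
  const [namespace, bare] = name.startsWith("@") ? name.split("/") : ["-", name];
  return `npm/npmjs/${namespace}/${bare}/${version}`;
}

// Split the flattened list into what the npmjs provider can describe and what
// was resolved elsewhere (git URL, private registry, local tarball), which no
// npm/npmjs record covers and therefore needs a manual look in any case.
function classify(lock) {
  const deps = [...collectDependencies(lock).values()];
  const isPublic = (d) => (d.resolved || "").startsWith(PUBLIC_REGISTRY);
  return { lookup: deps.filter(isPublic).map(toCoordinates),
           review: deps.filter((d) => !isPublic(d)).map(toCoordinates) };
}

console.log(JSON.stringify(classify(SAMPLE_LOCK), null, 2));
```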