This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/main by this push:
     new 123d46d  Generate the third party license list from Markdown
123d46d is described below

commit 123d46d6c295ec0ebad7d93be7193461e08c51f3
Author: Sean B. Palmer <[email protected]>
AuthorDate: Thu Oct 9 11:11:20 2025 +0100

    Generate the third party license list from Markdown
---
 atr/policy/Makefile                                |  12 +
 atr/policy/third-party-licenses.html               | 349 +++++++++++++++++++
 .../third-party-licenses.json}                     |  64 ++--
 atr/policy/third-party-licenses.md                 | 384 +++++++++++++++++++++
 atr/sbomtool.py                                    |  65 ++--
 scripts/extract_spdx_identifiers.py                |  84 +++++
 6 files changed, 892 insertions(+), 66 deletions(-)

diff --git a/atr/policy/Makefile b/atr/policy/Makefile
new file mode 100644
index 0000000..f125998
--- /dev/null
+++ b/atr/policy/Makefile
@@ -0,0 +1,12 @@
+.PHONY: all clean
+
+all: third-party-licenses.json
+
+third-party-licenses.html: third-party-licenses.md
+       cmark third-party-licenses.md > third-party-licenses.html
+
+third-party-licenses.json: third-party-licenses.html
+       python3 ../../scripts/extract_spdx_identifiers.py 
third-party-licenses.html > third-party-licenses.json
+
+clean:
+       rm -f third-party-licenses.html third-party-licenses.json
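Review bot: Both recipes redirect straight into their own targets (`cmark third-party-licenses.md > third-party-licenses.html` and the `extract_spdx_identifiers.py` line writing `third-party-licenses.json`), so a failing command leaves a truncated or empty file with a fresh timestamp, and the next `make` treats it as up to date. For a generated license list that means a partial or empty JSON can be picked up without any error. Add `.DELETE_ON_ERROR:` at the top of the Makefile, or write to a temporary file and rename it onto the target only on success. The diffstat also shows the generated `third-party-licenses.html` and `third-party-licenses.json` committed next to `third-party-licenses.md`, and nothing here checks that they match their source; a CI step that runs `make` and fails on a non-empty `git diff` would catch a stale copy.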
diff --git a/atr/policy/third-party-licenses.html 
b/atr/policy/third-party-licenses.html
new file mode 100644
index 0000000..12b6099
--- /dev/null
+++ b/atr/policy/third-party-licenses.html
@@ -0,0 +1,349 @@
+<p>Title: ASF 3rd Party License Policy
+license: https://www.apache.org/licenses/LICENSE-2.0</p>
+<p>[TOC]</p>
+<h2>Purpose  {#audience}</h2>
+<p>This policy provides licensing guidance to Apache Software Foundation 
projects. It identifies the acceptable
+licenses for inclusion of third-party Open Source components in Apache 
Software Foundation products.</p>
+<p>Projects can submit licensing questions to the Legal Affairs Committee
+<a href="https://issues.apache.org/jira/browse/LEGAL";>JIRA space</a>.</p>
+<h3>License Criteria  {#criteria}</h3>
+<p>The following criteria serve as guidelines for the categories on this 
page.</p>
+<ol>
+<li>The license must meet the <a 
href="https://opensource.org/osd-annotated";>Open Source Definition</a>.<!-- raw 
HTML omitted -->a<!-- raw HTML omitted --></li>
+<li>The license, as applied in practice, must not impose significant 
restrictions beyond those imposed by the Apache License 2.0.</li>
+</ol>
+<p><!-- raw HTML omitted --><em>a. (reviewed: 2019-02-16)</em><!-- raw HTML 
omitted --></p>
+<h3>High Level  {#highlevel}</h3>
+<p>At a high level this policy separates licenses into three categories.</p>
+<ul>
+<li><strong>Category A</strong>: Licenses in Category A may be included in 
Apache Software Foundation products. They are said to be 
&quot;Apache-like&quot;.</li>
+<li><strong>Category B</strong>: Licenses in Category B may be, under certain 
conditions, included in Apache Software Foundation products. They 'may Be' 
included.</li>
+<li><strong>Category X</strong>: Licenses in Category X may 
<strong>NOT</strong> be included in Apache Software Foundation products.</li>
+</ul>
+<h2>Category A: What can we include in an ASF Project?  {#category-a}</h2>
+<p>For inclusion in an Apache Software Foundation product, we consider the 
following licenses to be similar in terms to the Apache License 2.0:</p>
+<ul>
+<li><a href="/licenses/LICENSE-2.0" title="Category A: Apache-2.0">Apache 
License 2.0</a></li>
+<li><a href="/licenses/LICENSE-1.1" title="Category A: Apache-1.1">Apache 
Software License 1.1</a>.
+Including variants:
+<ul>
+<li><a href="http://www.php.net/license/3_01.txt"; title="Category A: 
PHP-3.01">PHP License 3.01</a></li>
+<li><a href="http://mx4j.sourceforge.net/docs/ch01s06.html"; title="Category A: 
LicenseRef-MX4J">MX4J License</a></li>
+</ul>
+</li>
+<li>BSD (without advertising clause). Including variants:
+<ul>
+<li><a href="http://opensource.org/licenses/bsd-license.php"; title="Category 
A: BSD-2-Clause">BSD 2-clause</a></li>
+<li><a href="http://opensource.org/licenses/BSD-3-Clause"; title="Category A: 
BSD-3-Clause">BSD 3-clause</a></li>
+<li><a href="https://github.com/dom4j/dom4j/blob/master/LICENSE"; 
title="Category A: LicenseRef-DOM4J">DOM4J License</a></li>
+<li><a href="http://opensource.org/licenses/postgresql"; title="Category A: 
PostgreSQL">PostgreSQL License</a></li>
+<li><a href="http://www.eclipse.org/org/documents/edl-v10.php"; title="Category 
A: BSD-3-Clause">Eclipse Distribution License 1.0</a></li>
+<li><a href="https://spdx.org/licenses/BSD-3-Clause-LBNL.html"; title="Category 
A: BSD-3-Clause-LBNL">Lawrence Berkeley National Labs BSD</a></li>
+</ul>
+</li>
+<li><a href="http://opensource.org/licenses/mit-license.php"; title="Category 
A: MIT">MIT/X11</a>
+<ul>
+<li><a href="https://opensource.org/licenses/ISC"; title="Category A: 
ISC">ISC</a></li>
+<li><a href="https://www.smlnj.org/license.html"; title="Category A: 
SMLNJ">Standard ML of New Jersey</a></li>
+<li><a href="http://www2.cs.tum.edu/projects/cup/licence.php"; title="Category 
A: LicenseRef-CupPG">Cup Parser Generator</a></li>
+<li><a href="https://opensource.org/license/mit-0/"; title="Category A: 
MIT-0">MIT No Attribution (MIT-0)</a></li>
+</ul>
+</li>
+<li><a href="http://source.icu-project.org/repos/icu/icu/trunk/LICENSE"; 
title="Category A: ICU">ICU</a></li>
+<li><a href="http://opensource.org/licenses/UoI-NCSA.php"; title="Category A: 
NCSA">University of Illinois/NCSA</a></li>
+<li><a href="http://opensource.org/licenses/W3C.php"; title="Category A: 
W3C">W3C Software License</a></li>
+<li><a href="https://www.w3.org/community/about/agreements/cla/"; 
title="Category A: LicenseRef-W3C-CCLA">W3C Community Contributor License 
Agreement</a> - if at least 45 days after publication<!-- raw HTML omitted 
--></li>
+<li><a href="https://opensource.org/license/xnet"; title="Category A: 
Xnet">X.Net</a></li>
+<li><a href="http://opensource.org/licenses/zlib-license.php"; title="Category 
A: Zlib">zlib</a>/<a href="https://spdx.org/licenses/Libpng.html"; 
title="Category A: Libpng">libpng</a></li>
+<li><a href="#" title="Category A: FSFAP">FSF autoconf license</a></li>
+<li><a href="https://spdx.org/licenses/Bitstream-Vera.html"; title="Category A: 
Bitstream-Vera">DejaVu Fonts (Bitstream Vera/Arev licenses)</a></li>
+<li><a href="http://opensource.org/licenses/afl-3.0.php"; title="Category A: 
AFL-3.0">Academic Free License 3.0</a></li>
+<li><a 
href="http://web.archive.org/web/20080704184203/http://www.osoa.org/xmlns/sca/1.0/license.txt";
 title="Category A: 
LicenseRef-SCA-Spec">Service+Component+Architecture+Specifications</a></li>
+<li><a href="#" title="Category A: LicenseRef-ECMA-OOXML-XSD">OOXML XSD ECMA 
License</a></li>
+<li><a href="http://www.opensource.org/licenses/ms-pl.html"; title="Category A: 
MS-PL">Microsoft Public License (MsPL)</a></li>
+<li><a href="http://creativecommons.org/licenses/publicdomain/"; 
title="Category A: CC-PDDC">Creative Commons Copyright-Only Dedication</a></li>
+<li><a href="http://www.opensource.org/licenses/PythonSoftFoundation.php"; 
title="Category A: Python-2.0">Python Software Foundation License</a></li>
+<li><a href="https://github.com/python-pillow/Pillow/blob/master/LICENSE"; 
title="Category A: LicenseRef-PIL">Python Imaging Library Software 
License</a></li>
+<li><a href="https://spdx.org/licenses/APAFML.html"; title="Category A: 
APAFML">Adobe Postcript(R) AFM files</a></li>
+<li><a href="http://www.opensource.org/licenses/BSL-1.0"; title="Category A: 
BSL-1.0">Boost Software License Version 1.0</a></li>
+<li><a href="https://dst.lbl.gov/ACSSoftware/colt/license.html"; 
title="Category A: LicenseRef-COLT-CERN">License for CERN packages in COLT</a> 
but note that this applies <strong>only</strong> to CERN packages in COLT and 
<strong>not</strong> others</li>
+<li><a 
href="https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/";
 title="Category A: OGL-UK-3.0">UK Open Government Licence</a>. This license 
allows the licensor to provide a custom attribution notice. If one is provided, 
include in the NOTICE. If one is not provided, include 'Contains public sector 
information licensed under the Open Government Licence v3.0.' in the 
NOTICE.</li>
+<li><a href="http://www.wtfpl.net/"; title="Category A: WTFPL">WTF Public 
License</a></li>
+<li><a href="https://github.com/pygy/gosub/blob/master/LICENSE"; 
title="Category A: LicenseRef-Romantic-WTFPL">The Romantic WTF public 
license</a></li>
+<li><a href="http://www.unicode.org/copyright.html#Exhibit1"; title="Category 
A: Unicode-DFS-2016">UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND 
SOFTWARE</a></li>
+<li><a href="https://opensource.org/licenses/ZPL-2.0"; title="Category A: 
ZPL-2.0">Zope Public License 2.0</a></li>
+<li><a 
href="https://docs.oracle.com/en/industries/communications/lsms/14.0/licensing-information-user-manual/ace-license1.html";
 title="Category A: DOC">ACE license</a></li>
+<li><a href="https://oss.oracle.com/licenses/upl/"; title="Category A: 
UPL-1.0">Oracle Universal Permissive License (UPL) Version 1.0</a></li>
+<li><a href="https://www.ogf.org/ogf/doku.php/about/copyright"; title="Category 
A: LicenseRef-Open-Grid-Forum">Open Grid Forum License</a></li>
+<li><a 
href="https://chromium.googlesource.com/external/webrtc/+/master/PATENTS"; 
title="Category A: LicenseRef-Google-AIPG">Google &quot;Additional IP Rights 
Grant (Patents)&quot; file</a></li>
+<li><a href="https://unlicense.org/"; title="Category A: Unlicense">The 
Unlicense</a></li>
+<li><a href="https://opensource.org/licenses/HPND"; title="Category A: 
HPND">Historical Permission Notice and Disclaimer</a></li>
+<li><a href="https://opensource.org/license/mulanpsl-2-0"; title="Category A: 
MulanPSL-2.0">Mulan Permissive Software License,Version 2</a></li>
+<li><a href="https://blueoakcouncil.org/license/1.0.0"; title="Category A: 
BlueOak-1.0.0">Blue Oak Model License 1.0.0</a></li>
+<li><a href="https://epics-controls.org/epics-open-license/"; title="Category 
A: EPICS">EPICS Open License</a></li>
+<li><a href="https://opensource.org/license/0bsd/"; title="Category A: 
0BSD">Zero-Clause BSD (0BSD)</a></li>
+<li><a href="https://spdx.org/licenses/TCL.html"; title="Category A: 
TCL">TCL/TK License</a></li>
+</ul>
+<p>Many of these licenses have specific attribution terms that the project 
needs to adhered to, often by <a href="/dev/licensing-howto.html">adding
+them to the NOTICE file</a>. Ensure you are doing this when including these 
works.</p>
+<h3>Handling Public Domain 'licensed' works</h3>
+<p>You can include works in the public domain (or covered by a license treated 
similarly) within Apache products. You must provide attribution (in a similar 
fashion to the Category A list).</p>
+<p>A work should be treated as being in the public domain when one of the 
following applies:</p>
+<ul>
+<li>the work is covered by
+<ul>
+<li>the Creative Commons <a 
href="http://creativecommons.org/publicdomain/mark/1.0/"; title="Category A: 
CC-PDM-1.0">Public Domain Mark</a></li>
+<li>a suitable dedication (to the public domain) by the authors</li>
+</ul>
+</li>
+<li>clear evidence exists that US copyright for the work
+<ul>
+<li>has expired</li>
+<li>cannot be claimed.</li>
+</ul>
+</li>
+</ul>
+<p>Licenses that we treat as similar to public domain:</p>
+<ul>
+<li>Creative Commons <a href="http://creativecommons.org/about/cc0"; 
title="Category A: CC0-1.0">CC0 “No Rights Reserved”</a></li>
+<li>Creative Commons <a 
href="http://creativecommons.org/licenses/publicdomain/"; title="Category A: 
CC-PDDC">Public Domain Certification</a></li>
+</ul>
+<p><strong>Note that</strong> whether a work falls in the public domain may be 
a
+<a 
href="http://fairuse.stanford.edu/Copyright_and_Fair_Use_Overview/chapter8/";>difficult</a>
 subject.
+Determining whether the copyright in a work has expired may be non-trivial and 
may vary between jurisdictions. Raise the topic on legal-discuss@ or via a JIRA 
issue if you have doubt over whether a work falls in the public domain.</p>
+<h2>Category B: What can we <em>maybe</em> include in an ASF Project?  
{#category-b}</h2>
+<p>You may include the licenses and/or projects described in this section in 
an Apache Software Foundation product <strong>IF</strong> they meet the 
specified conditions.</p>
+<h3>Appropriately Labelled Condition</h3>
+<p>In all Category B cases our users should not be surprised at their 
inclusion in our products.
+If we attach an appropriate and prominent label to the distribution,
+users are less likely to be unaware of restrictions significantly
+different from those of the Apache License. An appropriate and
+prominent label is a label the user will read while learning about the
+distribution - for example in a README, and it should identify the third-party 
product and
+its licensing, and provide a url to the its homepage. Please also comply with
+any attribution/notice requirements in the specific license in question.</p>
+<h3>Binary-only Inclusion Condition</h3>
+<p>Any Category B licensed works may be included in binary-only form in Apache 
Software Foundation convenience binaries.
+Do not include Category B licensed works in source releases.</p>
+<h3>&quot;Weak Copyleft&quot; Licenses</h3>
+<p>Each license in this section requires some degree of reciprocity. This may 
require
+additional action to minimize the chance that a user of
+an Apache product will create a derivative work of a differently-licensed
+portion of an Apache product without being aware of the applicable
+requirements.</p>
+<p>You may include software under the following licenses in binary form
+within an Apache product if you label the inclusion appropriately (see 
above):</p>
+<ul>
+<li>Common Development and Distribution Licenses: <a 
href="https://opensource.org/licenses/CDDL-1.0"; title="Category B: 
CDDL-1.0">CDDL 1.0</a> and <a href="https://spdx.org/licenses/CDDL-1.1.html"; 
title="Category B: CDDL-1.1">CDDL 1.1</a></li>
+<li>Common Public License: <a 
href="http://www.opensource.org/licenses/cpl1.0.php"; title="Category B: 
CPL-1.0">CPL 1.0</a></li>
+<li>Eclipse Public License: <a 
href="http://www.eclipse.org/legal/epl-v10.html"; title="Category B: 
EPL-1.0">EPL 1.0</a></li>
+<li>IBM Public License: <a href="http://www.opensource.org/licenses/ibmpl.php"; 
title="Category B: IPL-1.0">IPL 1.0</a></li>
+<li>Mozilla Public Licenses: <a href="http://www.mozilla.org/MPL/1.0/"; 
title="Category B: MPL-1.0">MPL 1.0</a>,
+<a href="http://www.mozilla.org/MPL/1.1/"; title="Category B: MPL-1.1">MPL 
1.1</a>, and
+<a href="http://www.mozilla.org/MPL/2.0/"; title="Category B: MPL-2.0">MPL 
2.0</a></li>
+<li>Sun Public License: <a href="https://opensource.org/license/sunpublic-php"; 
title="Category B: SPL-1.0">SPL 1.0</a></li>
+<li><a href="https://opensource.org/licenses/OSL-3.0"; title="Category B: 
OSL-3.0">Open Software License 3.0</a></li>
+<li><a href="http://www.erlang.org/EPLICENSE"; title="Category B: 
ErlPL-1.1">Erlang Public License</a></li>
+<li><a href="https://github.com/jukka/java-unrar/blob/master/license.txt"; 
title="Category B: LicenseRef-UnRAR">UnRAR License</a> (only for 
unarchiving)</li>
+<li><a href="http://scripts.sil.org/OFL"; title="Category B: OFL-1.1">SIL Open 
Font License</a></li>
+<li><a href="https://www.ubuntu.com/legal/font-licence"; title="Category B: 
Ubuntu-font-1.0">Ubuntu Font License Version 1.0</a></li>
+<li><a href="https://fedoraproject.org/wiki/Licensing/IPAFontLicense"; 
title="Category B: IPA">IPA Font License Agreement v1.0</a></li>
+<li><a href="https://www.ruby-lang.org/en/about/license.txt"; title="Category 
B: Ruby">Ruby License</a> (including the older version when GPLv2 was a listed 
alternative <a 
href="https://svn.ruby-lang.org/cgi-bin/viewvc.cgi/tags/v1_9_2_320/COPYING?view=markup";
 title="Category B: Ruby">Ruby 1.9.2 license</a>)</li>
+<li>Eclipse Public License 2.0: <a 
href="https://www.eclipse.org/legal/epl-2.0/"; title="Category B: EPL-2.0">EPL 
2.0</a></li>
+</ul>
+<p>By including only the object/binary form, there is less exposed
+surface area of the third-party work from which someone might derive a work. 
This addresses the second guiding principle of this policy.</p>
+<p>For small amounts of source code that the ASF product directly consumes at 
runtime, and for which that source is
+unmodified and unlikely to be changed anyway (say, by virtue of being 
specified by a
+standard), you may include appropriately labeled source code. An example of 
this is the web-facesconfig_1_0.dtd, whose
+inclusion is mandated by the JSR 127: JavaServer Faces specification.</p>
+<h3>Including Creative Commons Attribution content  {#cc-by}</h3>
+<p>Works under the <a href="http://creativecommons.org/licenses/by/4.0/"; 
title="Category B: CC-BY-4.0">Creative Commons Attribution (CC-BY)</a> licenses 
(<a href="http://creativecommons.org/licenses/by/2.5/"; title="Category B: 
CC-BY-2.5">2.5</a>, <a href="http://creativecommons.org/licenses/by/3.0/"; 
title="Category B: CC-BY-3.0">3.0</a>, and 4.0)
+contain terms related to &quot;Effective Technological Measures&quot;, which 
may come as a surprise to users. Thus you should label them appropriately and 
only include them in binary form.</p>
+<h3>Unmodified media under the Creative Commons Attribution-Share Alike 
license  {#cc-sa}</h3>
+<p>You may include unmodified media under the
+<a href="http://creativecommons.org/licenses/by-sa/2.5/"; title="Category B: 
CC-BY-SA-2.5">Creative Commons Attribution-Share Alike 2.5</a>,
+<a href="http://creativecommons.org/licenses/by-sa/3.0/"; title="Category B: 
CC-BY-SA-3.0">Creative Commons Attribution-Share Alike 3.0</a> and <a 
href="http://creativecommons.org/licenses/by-sa/4.0/"; title="Category B: 
CC-BY-SA-4.0">Creative Commons Attribution-Share Alike 4.0</a>
+license in Apache products, subject to the licenses attribution clauses which 
may require
+LICENSE/NOTICE/README changes. For any other type of CC-SA licensed work, 
contact the Legal PMC.</p>
+<p>Note that media is intended to mean binary visual/video/audio elements used 
in our documentation. It is not intended to mean inclusion in our source 
code.</p>
+<h3>Can I copy code from Stack Overflow and contribute it to an ASF project? 
{#stackoverflow}</h3>
+<p>No, not without contacting the original author and getting permission from 
them to use the code in an Apache project under the Apache License 2.0.</p>
+<h3>Doug Lea's concurrent library  {#concurrent}</h3>
+<p>Doug Lea's concurrent library is public domain, but contains some Sun files 
which are not public domain. You may include this library in ASF products much 
like the resources in the 'weak copyleft' list above.
+&quot;It may be included in binary form within an Apache product if the 
inclusion
+is appropriately labeled&quot;. If using the source, remove the files Sun 
licensed to Doug and
+treat as Category A (or get the files from
+<a 
href="http://svn.apache.org/repos/asf/harmony/standard/classlib/trunk/modules/concurrent/src/main/java/java/util/concurrent/";>Harmony</a>).</p>
+<h3>Adding OSGi metadata to weak copyleft binaries  {#osgi-category-b}</h3>
+<p>You can insert OSGi metadata into 'Category B' licensed jars, provided that 
you include a note that this has occurred in the
+prominent labeling for the jar.</p>
+<h3>Cobertura reports  {#cobertura}</h3>
+<p>You may include Cobertura reports in ASF distributions.</p>
+<h3>Handling licenses that prevent modification  {#no-modification}</h3>
+<p>There are licenses that give broad rights for redistribution of
+<strong>unmodified</strong> copies. Such licenses are not open source, but they
+do satisfy the second and third guiding principles above.</p>
+<p>Apache projects must not include material under such licenses in
+version control or in released source packages. It is however acceptable
+for a build process to automatically download such non-software materials
+like fonts and standardized data and include them in the resulting
+binaries. Such use makes it clear that these dependencies are not a part
+of the open source code of the project.</p>
+<p>You may use material under the following licenses, as described above:</p>
+<ul>
+<li><a href="http://www.adobe.com/devnet/font/#pcfi"; title="Category B: 
LicenseRef-CMaps-Fonts">CMaps for PDF CJK Fonts</a></li>
+<li>JCR API jar (<a 
href="http://www.day.com/maven/jsr170/licenses/day-spec-license.htm"; 
title="Category B: LicenseRef-JCR-API">Day Spec License</a> +
+<a href="http://www.day.com/maven/jsr170/jars/LICENSE.txt"; title="Category B: 
LicenseRef-JARs-Additional">Additional License</a>)</li>
+<li><a href="https://issues.apache.org/jira/browse/LEGAL-385"; title="Category 
B: LicenseRef-WSDL-SFL">WSDL (2004) Schema Files License</a></li>
+</ul>
+<h3>Including build tools in ASF products  {#build-tools}</h3>
+<p>Many languages have developed ecosystems of associated tools that aid
+in the building of artifacts for distribution.  While such tools may not
+always be made available under an otherwise compatible license, we have 
approved specific
+tools for inclusion in Apache distributions when they are used for
+that specific purpose.</p>
+<p>Note that the tool must not affect the licensing of the project source 
code. We also expect that our use of the tooling to build our source code is
+its typical use.</p>
+<p>To date, we have approved the following tools for such use:</p>
+<ul>
+<li>The Autotools family of products, specifically:
+<ul>
+<li><a href="http://www.gnu.org/software/autoconf/";>Autoconf</a></li>
+<li><a href="http://www.gnu.org/software/automake/";>Automake</a></li>
+<li><a href="http://www.gnu.org/software/libtool/";>Libtool</a></li>
+<li><a 
href="http://www.gnu.org/software/hello/manual/gettext/mkinstalldirs.html";>mkinstalldirs.sh</a></li>
+</ul>
+</li>
+<li><a href="http://hg.ocaml.info/release/ocaml-make/";>OCamlMakefile</a></li>
+<li><a href="http://i.loveruby.net/en/projects/setup/";>setup.rb</a></li>
+</ul>
+<h3>Including Perl licensed header files when creating dynamically loaded XS 
modules</h3>
+<p>Developing Perl bindings which link compiled C code to create dynamically 
loaded XS modules requires including header files licensed under the Perl 
license (http://dev.perl.org/licenses/ - GPL-any/Artistic1, with 
exceptions).</p>
+<p>You may include these header files - XSUB.h, perl.h and EXTERN.h (see: <a 
href="https://issues.apache.org/jira/browse/LEGAL-79";>LEGAL-79</a>).</p>
+<h3>Including Doxygen-generated config files</h3>
+<p>You may use these files as long as you remove the generated comments.</p>
+<h3>Can Apache projects have external dependencies on Ruby licensed works?  
{#ruby-license}</h3>
+<p>A project written primarily and obviously in Ruby can have a dependency 
either on Matz's Ruby Interpreter (MRI),
+or on any Gem which is licensed under the <a 
href="http://www.ruby-lang.org/en/LICENSE.txt";>Ruby license</a>.
+Of course Gems written under other licenses (such as MIT) may also be OK, 
depending on the license.</p>
+<p>Also note that the Ruby license is listed on the 'Category B' Weak Copyleft 
list above for binary usage (for example JRuby).</p>
+<h3>From Java 9 onwards, Javadoc can include search functionality that 
includes JavaScript under other open source licenses. Can Apache projects 
include this javadoc?</h3>
+<p>From Java 9 onwards, Javadoc can include JavaScript under MIT, MIT OR 
GPL-3.0, or GPL-2.0 WITH ClasspathException-2.0. Apache binary releases 
(including Maven javadoc jars) and Apache websites may include this for their 
javadoc. It must not be included in source releases.</p>
+<h2>Category X: What can we NOT include in an ASF Project?  {#category-x}</h2>
+<p>You may NOT include the following licenses within Apache products:</p>
+<ul>
+<li>Not OSD-compliant:
+<ul>
+<li><a href="#" title="Category X: LicenseRef-BCL">Binary Code License 
(BCL)</a></li>
+<li><a 
href="https://software.intel.com/en-us/license/intel-simplified-software-license";
 title="Category X: LicenseRef-Intel-SSL">Intel Simplified Software 
License</a></li>
+<li><a 
href="https://github.com/unitsofmeasurement/jsr-275/blob/0.9.3/LICENSE.txt"; 
title="Category X: LicenseRef-JSR-275">JSR-275 License</a></li>
+<li>Field of use restrictions:
+<ul>
+<li><a href="https://www.openhub.net/licenses/mslpl"; title="Category X: 
MS-LPL">Microsoft Limited Public License</a></li>
+<li><a href="https://aws.amazon.com/asl/"; title="Category X: 
LicenseRef-Amazon-Software-License">Amazon Software License (ASL)</a></li>
+<li><a 
href="https://github.com/satori-com/satori-rtm-sdk-java/blob/master/LICENSE"; 
title="Category X: LicenseRef-Java-SDK-for-Satori-RTM">Java SDK for Satori RTM 
license</a></li>
+<li><a href="https://redislabs.com/community/licenses/"; title="Category X: 
LicenseRef-Redis-Source-Available">Redis Source Available License 
(RSAL)</a></li>
+<li><a href="http://boozallen.github.io/licenses/bapl"; title="Category X: 
LicenseRef-Booz-Allen-Public-License">Booz Allen Public License</a></li>
+<li><a href="https://www.confluent.io/confluent-community-license/"; 
title="Category X: LicenseRef-Confluent-Community-1.0">Confluent Community 
License Version 1.0</a></li>
+<li><a href="https://spdx.org/licenses/BUSL-1.1.html"; title="Category X: 
BUSL-1.1">Business Source License 1.1</a></li>
+<li>Any license including the <a href="https://commonsclause.com"; 
title="Category X: LicenseRef-Commons-Clause-1.0">Commons Clause License 
Condition v1.0</a></li>
+</ul>
+</li>
+<li>Non-commercial licenses:
+<ul>
+<li><a 
href="https://en.wikipedia.org/wiki/Creative_Commons_license#Non-commercial_licenses";
 title="Category X: CC-BY-NC-4.0">Creative Commons Non-Commercial</a> 
variants</li>
+<li><a href="http://jcp.org/aboutJava/communityprocess/SCSL3.0.rtf"; 
title="Category X: LicenseRef-Sun-Community-Source-3.0">Sun Community Source 
License 3.0</a></li>
+</ul>
+</li>
+</ul>
+</li>
+<li>Places restrictions on larger works:
+<ul>
+<li><a href="https://spdx.org/licenses/GPL-1.0-only.html"; title="Category X: 
GPL-1.0-only, GPL-1.0-or-later">GNU GPL 1</a>, <a 
href="https://spdx.org/licenses/GPL-2.0-only.html"; title="Category X: 
GPL-2.0-only, GPL-2.0-or-later">GNU GPL 2</a>, <a 
href="http://www.opensource.org/licenses/gpl-license.php"; title="Category X: 
GPL-3.0-only, GPL-3.0-or-later">GNU GPL 3</a>
+<ul>
+<li>Special exceptions to the GNU GPL (e.g. <a href="#" title="Category X: 
GPL-2.0-only WITH Classpath-exception-2.0, GPL-2.0-or-later WITH 
Classpath-exception-2.0, GPL-3.0-only WITH Classpath-exception-2.0, 
GPL-3.0-or-later WITH Classpath-exception-2.0">GNU Classpath</a>) unless 
otherwise permitted elsewhere on this page.</li>
+</ul>
+</li>
+<li><a href="http://www.opensource.org/licenses/agpl-v3.html"; title="Category 
X: AGPL-3.0-only, AGPL-3.0-or-later">GNU Affero GPL 3</a></li>
+<li><a href="https://spdx.org/licenses/LGPL-2.0-only.html"; title="Category X: 
LGPL-2.0-only, LGPL-2.0-or-later">GNU LGPL 2</a>, <a 
href="https://spdx.org/licenses/LGPL-2.1-only.html"; title="Category X: 
LGPL-2.1-only, LGPL-2.1-or-later">LGPL 2.1</a>, <a 
href="http://www.opensource.org/licenses/lgpl-license.php"; title="Category X: 
LGPL-3.0-only, LGPL-3.0-or-later">LGPL 3</a></li>
+<li><a href="https://opensource.org/licenses/QPL-1.0"; title="Category X: 
QPL-1.0">QPL</a></li>
+<li><a href="http://www.opensource.org/licenses/sleepycat.php"; title="Category 
X: Sleepycat">Sleepycat License</a></li>
+<li><a href="https://www.mongodb.com/licensing/server-side-public-license"; 
title="Category X: SSPL-1.0">Server Side Public License (SSPL) version 
1</a></li>
+<li><a href="http://www.codeproject.com/info/cpol10.aspx"; title="Category X: 
CPOL-1.02">Code Project Open License (CPOL)</a></li>
+</ul>
+</li>
+<li>Other concerns:
+<ul>
+<li><a href="https://spdx.org/licenses/BSD-4-Clause.html"; title="Category X: 
BSD-4-Clause">BSD-4-Clause</a>/<a 
href="https://spdx.org/licenses/BSD-4-Clause-UC.html"; title="Category X: 
BSD-4-Clause-UC">BSD-4-Clause (University of California-Specific)</a></li>
+<li><a href="https://code.facebook.com/pages/850928938376556"; title="Category 
X: LicenseRef-Facebook-BSD-Patents">Facebook BSD+Patents license</a></li>
+<li><a href="https://spdx.org/licenses/NPL-1.0.html"; title="Category X: 
NPL-1.0">NPL 1.0</a>/<a href="https://spdx.org/licenses/NPL-1.1.html"; 
title="Category X: NPL-1.1">NPL 1.1</a></li>
+<li>Nonsensical licenses:
+<ul>
+<li><a href="#" title="Category X: 
LicenseRef-Solipsistic-Eclipse-Public-License">The Solipsistic Eclipse Public 
License</a></li>
+<li><a href="https://dbad-license.org/"; title="Category X: 
LicenseRef-DBAD">The &quot;Don't Be A Dick&quot; Public License</a></li>
+<li><a href="http://www.json.org/license.html"; title="Category X: JSON">JSON 
License</a></li>
+</ul>
+</li>
+</ul>
+</li>
+</ul>
+<p>Details of 'other concerns':</p>
+<p><strong>Facebook BSD+Patents license</strong> <!-- raw HTML omitted -->
+The Facebook BSD+Patents license includes a specification of a PATENTS file 
that
+passes along risk to downstream consumers of our software imbalanced
+in favor of the licensor, not the licensee, thereby violating our Apache
+legal policy of being a <a href="https://s.apache.org/4Uzg";>universal 
donor</a>.
+The terms of Facebook BSD+Patents license are not a subset of those found in 
the ALv2, and they cannot be sublicensed as ALv2.</p>
+<p><strong>NPL</strong> <!-- raw HTML omitted -->
+The Netscape Public License is the original license for Mozilla containing
+amendments that are specific to Netscape. These
+amendments allow &quot;Netscape&quot; (now part of AOL) to avoid the
+reciprocity requirement that all other licensees must adhere to. This
+disqualifies the license from meeting Open Source Definition #5 (&quot;No
+Discrimination Against Persons or Groups&quot;).</p>
+<p><strong>Nonsensical licenses</strong> <!-- raw HTML omitted -->
+These licenses while amusing to their creators are legally problematic. They 
often include subjective Field of use restrictions e.g. “Don’t be evil” with no 
definition of the arbiter for that subjective restriction. In some cases they 
may not even grant sufficient rights to conform to the OSI open source 
definition.  Since we do not wish to surprise our downstream consumers we 
forbid the use of such licenses.</p>
+<p><strong>JSON license</strong> <!-- raw HTML omitted -->
+As of 2016-11-03 the JSON license was moved to the 'Category X' license list. 
Prior to this, use of
+the <a href="https://github.com/stleary/JSON-java";>JSON Java library</a> was 
allowed. See Debian's page for a
+<a href="https://wiki.debian.org/qa.debian.org/jsonevil";>list of 
alternatives</a>.</p>
+<h3>They may not be distributed  {#prohibited}</h3>
+<p>Apache projects may not distribute Category X licensed components, in 
source or binary form;
+in ASF source code or in convenience binaries.  As with the previous question 
on platforms, you can rely on
+the component if its license terms do not affect the Apache product's
+licensing.  For example, using a GPL'ed tool during the build is okay, but 
including GPL'ed source code is not.</p>
+<h3>You may rely on them when they support an optional feature  
{#optional}</h3>
+<p>Apache projects can rely on components under prohibited licenses if the 
component is only needed
+for optional features. When doing so, a project shall provide the user with 
instructions on how
+to obtain and install the non-included work. Optional means that the component 
is not required for
+standard use of the product or for the product to achieve a desirable level of 
quality. The question to
+ask yourself in this situation is:</p>
+<ul>
+<li>&quot;Will the majority of users want to use my product without adding the 
optional components?&quot;</li>
+</ul>
+<h2>FAQ:</h2>
+<h3>Does it matter what platform an Apache product is created to work with?  
{#platform}</h3>
+<p>It does not matter, unless the terms for that platform affect
+the Apache product's licensing. For example, creating a product that
+runs on Windows or Java, uses a web service such as Google Services or
+Yahoo Search, or is a plugin for a product such as JBoss or JIRA is fine, 
whereas
+creating a Linux kernel module is not fine because the Apache product
+itself would have to be licensed under something other than the Apache 
License, version 2.0.</p>
+<p>Note that this does not mean you can redistribute the platform code itself. 
That of course
+depends on the licensing of said code. If you have any doubts as to whether 
the licensing
+of the platform would affect the Apache code, check the legal-discuss@
+archives to see if it has come up before, and if not email legal-discuss@ to 
find out.</p>
+<h3>Is IP clearance required for library dependencies?  
{#library-ip-clearance}</h3>
+<p>No.</p>
+<p><a href="http://incubator.apache.org/ip-clearance/index.html";>IP 
clearance</a>
+is used to import code bases from outside Apache for future development 
here.</p>
+<h3>How should I handle a work when there is a choice of license?  
{#mutually-exclusive}</h3>
+<p>When including that work's licensing, state which license you are using and 
include only the license that you have chosen. Prefer
+Category A to Category B to Category X. You don't need to modify the
+work itself if, for example, it mentions the various licensing options
+in the source headers.</p>
+<h3>What Are Required Third-party Notices?  
{#required-third-party-notices}</h3>
+<p>When a release contains third party works, the licenses covering those 
works may ask that you inform consumers in certain specific fashions. These 
<em>third party notices</em> vary from license to license. Apache releases 
should contain a copy of each license, usually contained in the LICENSE 
document. For many licenses this is a sufficient notice. Some licenses require 
some additional notice. In many cases, you can include this notice within the 
dependent artifact.</p>
+<p>A <em>required third-party notice</em> is any third party notice which the 
above cases don't cover.</p>
+<p>See <a href="/dev/licensing-howto.html#bundle-asf-product">Bundling Other 
ASF Products</a> for a note on required notices when a release contains another 
Apache product.</p>
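Review bot: the generated HTML is not a faithful rendering of the Markdown source. At `<p><strong>Nonsensical licenses</strong> <!-- raw HTML omitted -->` (and again in the JSON license paragraph) the source's `<br>` has been dropped, and headings such as `<h3>They may not be distributed  {#prohibited}</h3>` carry the anchor syntax as literal text with no `id` attribute. If this file exists only as an intermediate for the SPDX extraction step, consider leaving it out of version control, since the Makefile's `clean` target already treats it as a build product. If it is meant to be served, it needs a renderer that handles heading attributes and raw HTML.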
diff --git a/atr/static/json/resolved.json 
b/atr/policy/third-party-licenses.json
similarity index 85%
rename from atr/static/json/resolved.json
rename to atr/policy/third-party-licenses.json
index e05e195..e19b4bc 100644
--- a/atr/static/json/resolved.json
+++ b/atr/policy/third-party-licenses.json
@@ -1,18 +1,18 @@
 {
-    "CATEGORY_A_LICENSES":
-    [
+    "CATEGORY_A_LICENSES": [
         "0BSD",
         "AFL-3.0",
+        "APAFML",
         "Apache-1.1",
         "Apache-2.0",
-        "APAFML",
-        "Bitstream-Vera",
-        "BlueOak-1.0.0",
         "BSD-2-Clause",
-        "BSD-3-Clause-LBNL",
         "BSD-3-Clause",
+        "BSD-3-Clause-LBNL",
         "BSL-1.0",
+        "Bitstream-Vera",
+        "BlueOak-1.0.0",
         "CC-PDDC",
+        "CC-PDM-1.0",
         "CC0-1.0",
         "DOC",
         "EPICS",
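Review bot: most of this hunk is reordering (`APAFML` now ahead of `Apache-1.1`, `BSL-1.0` ahead of `Bitstream-Vera`), which buries the one real change, the new `CC-PDM-1.0` entry. The new order looks like a case-sensitive byte sort where the old one was case-insensitive. Please state the sort rule in the commit message or in the extraction script so later regenerations do not produce the same churn, or use a case-insensitive key to keep the existing order.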
@@ -20,38 +20,39 @@
         "HPND",
         "ICU",
         "ISC",
-        "libpng-2.0",
-        "LicenseRef-Arev-1.0",
+        "Libpng",
+        "LicenseRef-COLT-CERN",
+        "LicenseRef-CupPG",
+        "LicenseRef-DOM4J",
         "LicenseRef-ECMA-OOXML-XSD",
         "LicenseRef-Google-AIPG",
         "LicenseRef-MX4J",
         "LicenseRef-Open-Grid-Forum",
+        "LicenseRef-PIL",
         "LicenseRef-Romantic-WTFPL",
         "LicenseRef-SCA-Spec",
         "LicenseRef-W3C-CCLA",
-        "MIT-0",
         "MIT",
+        "MIT-0",
         "MS-PL",
         "MulanPSL-2.0",
         "NCSA",
         "OGL-UK-3.0",
         "PHP-3.01",
-        "Plexus",
         "PostgreSQL",
         "Python-2.0",
         "SMLNJ",
         "TCL",
+        "UPL-1.0",
         "Unicode-DFS-2016",
         "Unlicense",
-        "UPL-1.0",
         "W3C",
         "WTFPL",
         "Xnet",
-        "Zlib",
-        "ZPL-2.0"
+        "ZPL-2.0",
+        "Zlib"
     ],
-    "CATEGORY_B_LICENSES":
-    [
+    "CATEGORY_B_LICENSES": [
         "CC-BY-2.5",
         "CC-BY-3.0",
         "CC-BY-4.0",
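Review bot: this hunk changes which identifiers resolve to Category A, not just their order. `libpng-2.0` is replaced by `Libpng`, which is a different SPDX identifier, and `LicenseRef-Arev-1.0` and `Plexus` are dropped with no replacement. A component declaring any of those three would previously have matched Category A and will now match nothing. If that is intended, say so in the commit message; if not, add the missing ids to the link titles in the Markdown (the zlib/libpng entry and the DejaVu Fonts entry, which currently names only `Bitstream-Vera`).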
@@ -66,7 +67,11 @@
         "ErlPL-1.1",
         "IPA",
         "IPL-1.0",
+        "LicenseRef-CMaps-Fonts",
+        "LicenseRef-JARs-Additional",
+        "LicenseRef-JCR-API",
         "LicenseRef-UnRAR",
+        "LicenseRef-WSDL-SFL",
         "MPL-1.0",
         "MPL-1.1",
         "MPL-2.0",
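Review bot: the four ids added here (`LicenseRef-CMaps-Fonts`, `LicenseRef-JARs-Additional`, `LicenseRef-JCR-API`, `LicenseRef-WSDL-SFL`) come from the "Handling licenses that prevent modification" section of the policy, which forbids keeping the material in version control or source packages and only allows the build to download it. Flattening them into `CATEGORY_B_LICENSES` next to the weak copyleft licenses means a consumer of this JSON cannot tell the two sets of conditions apart. Consider a separate key for them or a distinct label in the link title. `LicenseRef-JARs-Additional` is also too generic a name to identify the Day "Additional License" it stands for.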
@@ -76,33 +81,24 @@
         "SPL-1.0",
         "Ubuntu-font-1.0"
     ],
-    "CATEGORY_X_LICENSES":
-    [
+    "CATEGORY_X_LICENSES": [
         "AGPL-3.0-only",
         "AGPL-3.0-or-later",
-        "BSD-4-Clause-UC",
         "BSD-4-Clause",
+        "BSD-4-Clause-UC",
         "BUSL-1.1",
-        "CC-BY-NC-2.5",
-        "CC-BY-NC-3.0",
         "CC-BY-NC-4.0",
-        "CC-BY-NC-ND-2.5",
-        "CC-BY-NC-ND-3.0",
-        "CC-BY-NC-ND-4.0",
-        "CC-BY-NC-SA-2.5",
-        "CC-BY-NC-SA-3.0",
-        "CC-BY-NC-SA-4.0",
         "CPOL-1.02",
         "GPL-1.0-only",
         "GPL-1.0-or-later",
-        "GPL-2.0-only WITH Classpath-exception-2.0",
         "GPL-2.0-only",
-        "GPL-2.0-or-later WITH Classpath-exception-2.0",
+        "GPL-2.0-only WITH Classpath-exception-2.0",
         "GPL-2.0-or-later",
-        "GPL-3.0-only WITH Classpath-exception-2.0",
+        "GPL-2.0-or-later WITH Classpath-exception-2.0",
         "GPL-3.0-only",
-        "GPL-3.0-or-later WITH Classpath-exception-2.0",
+        "GPL-3.0-only WITH Classpath-exception-2.0",
         "GPL-3.0-or-later",
+        "GPL-3.0-or-later WITH Classpath-exception-2.0",
         "JSON",
         "LGPL-2.0-only",
         "LGPL-2.0-or-later",
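Review bot: eight Creative Commons non-commercial ids (`CC-BY-NC-2.5`, `CC-BY-NC-3.0` and all of the `CC-BY-NC-ND-*` and `CC-BY-NC-SA-*` entries) are removed from Category X, leaving only `CC-BY-NC-4.0`. The policy text still prohibits the "Creative Commons Non-Commercial variants", but the Markdown link title names only `CC-BY-NC-4.0`, so the extraction loses the rest. A component under, say, `CC-BY-NC-SA-3.0` would then no longer be matched as prohibited. List every variant in that title, comma-separated, the way the GPL and LGPL entries already do.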
@@ -118,16 +114,16 @@
         "LicenseRef-DBAD",
         "LicenseRef-Facebook-BSD-Patents",
         "LicenseRef-Intel-SSL",
-        "LicenseRef-Java-SDK-for-Satori-RTM",
         "LicenseRef-JSR-275",
-        "LicenseRef-MS-LPL",
+        "LicenseRef-Java-SDK-for-Satori-RTM",
         "LicenseRef-Redis-Source-Available",
         "LicenseRef-Solipsistic-Eclipse-Public-License",
         "LicenseRef-Sun-Community-Source-3.0",
+        "MS-LPL",
         "NPL-1.0",
         "NPL-1.1",
         "QPL-1.0",
-        "Sleepycat",
-        "SSPL-1.0"
+        "SSPL-1.0",
+        "Sleepycat"
     ]
 }
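Review bot: `LicenseRef-MS-LPL` becomes `MS-LPL` here with no alias kept for the old form. Any SBOM or caller that still carries the `LicenseRef-` spelling will stop matching Category X. Please check how the consumer of this list treats an id that is in none of the three categories, and either keep the old spelling alongside the new one for a transition period or confirm that nothing emits it.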
diff --git a/atr/policy/third-party-licenses.md 
b/atr/policy/third-party-licenses.md
new file mode 100644
index 0000000..e1d3c26
--- /dev/null
+++ b/atr/policy/third-party-licenses.md
@@ -0,0 +1,384 @@
+Title: ASF 3rd Party License Policy
+license: https://www.apache.org/licenses/LICENSE-2.0
+
+
+
+[TOC]
+
+## Purpose  {#audience}
+This policy provides licensing guidance to Apache Software Foundation 
projects. It identifies the acceptable
+licenses for inclusion of third-party Open Source components in Apache 
Software Foundation products.
+
+Projects can submit licensing questions to the Legal Affairs Committee
+[JIRA space](https://issues.apache.org/jira/browse/LEGAL).
+
+
+### License Criteria  {#criteria}
+The following criteria serve as guidelines for the categories on this page.
+
+1. The license must meet the [Open Source 
Definition](https://opensource.org/osd-annotated).<sup>a</sup>
+2. The license, as applied in practice, must not impose significant 
restrictions beyond those imposed by the Apache License 2.0.
+
+<sub>*a. (reviewed: 2019-02-16)*</sub>
+
+### High Level  {#highlevel}
+At a high level this policy separates licenses into three categories.
+
+- **Category A**: Licenses in Category A may be included in Apache Software 
Foundation products. They are said to be "Apache-like".
+- **Category B**: Licenses in Category B may be, under certain conditions, 
included in Apache Software Foundation products. They 'may Be' included.
+- **Category X**: Licenses in Category X may **NOT** be included in Apache 
Software Foundation products.
+
+## Category A: What can we include in an ASF Project?  {#category-a}
+
+For inclusion in an Apache Software Foundation product, we consider the 
following licenses to be similar in terms to the Apache License 2.0:
+
+- [Apache License 2.0](/licenses/LICENSE-2.0 "Category A: Apache-2.0")
+- [Apache Software License 1.1](/licenses/LICENSE-1.1 "Category A: 
Apache-1.1").
+  Including variants:
+    - [PHP License 3.01](http://www.php.net/license/3_01.txt "Category A: 
PHP-3.01")
+    - [MX4J License](http://mx4j.sourceforge.net/docs/ch01s06.html "Category 
A: LicenseRef-MX4J")
+- BSD (without advertising clause). Including variants:
+    - [BSD 2-clause](http://opensource.org/licenses/bsd-license.php "Category 
A: BSD-2-Clause")
+    - [BSD 3-clause](http://opensource.org/licenses/BSD-3-Clause "Category A: 
BSD-3-Clause")
+    - [DOM4J License](https://github.com/dom4j/dom4j/blob/master/LICENSE 
"Category A: LicenseRef-DOM4J")
+    - [PostgreSQL License](http://opensource.org/licenses/postgresql "Category 
A: PostgreSQL")
+    - [Eclipse Distribution License 
1.0](http://www.eclipse.org/org/documents/edl-v10.php "Category A: 
BSD-3-Clause")
+    - [Lawrence Berkeley National Labs 
BSD](https://spdx.org/licenses/BSD-3-Clause-LBNL.html "Category A: 
BSD-3-Clause-LBNL")
+- [MIT/X11](http://opensource.org/licenses/mit-license.php "Category A: MIT")
+    - [ISC](https://opensource.org/licenses/ISC "Category A: ISC")
+    - [Standard ML of New Jersey](https://www.smlnj.org/license.html "Category 
A: SMLNJ")
+    - [Cup Parser Generator](http://www2.cs.tum.edu/projects/cup/licence.php 
"Category A: LicenseRef-CupPG")
+    - [MIT No Attribution (MIT-0)](https://opensource.org/license/mit-0/ 
"Category A: MIT-0")
+- [ICU](http://source.icu-project.org/repos/icu/icu/trunk/LICENSE "Category A: 
ICU")
+- [University of Illinois/NCSA](http://opensource.org/licenses/UoI-NCSA.php 
"Category A: NCSA")
+- [W3C Software License](http://opensource.org/licenses/W3C.php "Category A: 
W3C")
+- [W3C Community Contributor License 
Agreement](https://www.w3.org/community/about/agreements/cla/ "Category A: 
LicenseRef-W3C-CCLA") - if at least 45 days after publication</li>
+- [X.Net](https://opensource.org/license/xnet "Category A: Xnet")
+- [zlib](http://opensource.org/licenses/zlib-license.php "Category A: 
Zlib")/[libpng](https://spdx.org/licenses/Libpng.html "Category A: Libpng")
+- [FSF autoconf license](# "Category A: FSFAP")
+- [DejaVu Fonts (Bitstream Vera/Arev 
licenses)](https://spdx.org/licenses/Bitstream-Vera.html "Category A: 
Bitstream-Vera")
+- [Academic Free License 3.0](http://opensource.org/licenses/afl-3.0.php 
"Category A: AFL-3.0")
+- 
[Service+Component+Architecture+Specifications](http://web.archive.org/web/20080704184203/http://www.osoa.org/xmlns/sca/1.0/license.txt
 "Category A: LicenseRef-SCA-Spec")
+- [OOXML XSD ECMA License](# "Category A: LicenseRef-ECMA-OOXML-XSD")
+- [Microsoft Public License 
(MsPL)](http://www.opensource.org/licenses/ms-pl.html "Category A: MS-PL")
+- [Creative Commons Copyright-Only 
Dedication](http://creativecommons.org/licenses/publicdomain/ "Category A: 
CC-PDDC")
+- [Python Software Foundation 
License](http://www.opensource.org/licenses/PythonSoftFoundation.php "Category 
A: Python-2.0")
+- [Python Imaging Library Software 
License](https://github.com/python-pillow/Pillow/blob/master/LICENSE "Category 
A: LicenseRef-PIL")
+- [Adobe Postcript(R) AFM files](https://spdx.org/licenses/APAFML.html 
"Category A: APAFML")
+- [Boost Software License Version 
1.0](http://www.opensource.org/licenses/BSL-1.0 "Category A: BSL-1.0")
+- [License for CERN packages in 
COLT](https://dst.lbl.gov/ACSSoftware/colt/license.html "Category A: 
LicenseRef-COLT-CERN") but note that this applies **only** to CERN packages in 
COLT and **not** others
+- [UK Open Government 
Licence](https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/
 "Category A: OGL-UK-3.0"). This license allows the licensor to provide a 
custom attribution notice. If one is provided, include in the NOTICE. If one is 
not provided, include 'Contains public sector information licensed under the 
Open Government Licence v3.0.' in the NOTICE.
+- [WTF Public License](http://www.wtfpl.net/ "Category A: WTFPL")
+- [The Romantic WTF public 
license](https://github.com/pygy/gosub/blob/master/LICENSE "Category A: 
LicenseRef-Romantic-WTFPL")
+- [UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND 
SOFTWARE](http://www.unicode.org/copyright.html#Exhibit1 "Category A: 
Unicode-DFS-2016")
+- [Zope Public License 2.0](https://opensource.org/licenses/ZPL-2.0 "Category 
A: ZPL-2.0")
+- [ACE 
license](https://docs.oracle.com/en/industries/communications/lsms/14.0/licensing-information-user-manual/ace-license1.html
 "Category A: DOC")
+- [Oracle Universal Permissive License (UPL) Version 
1.0](https://oss.oracle.com/licenses/upl/ "Category A: UPL-1.0")
+- [Open Grid Forum License](https://www.ogf.org/ogf/doku.php/about/copyright 
"Category A: LicenseRef-Open-Grid-Forum")
+- [Google "Additional IP Rights Grant (Patents)" 
file](https://chromium.googlesource.com/external/webrtc/+/master/PATENTS 
"Category A: LicenseRef-Google-AIPG")
+- [The Unlicense](https://unlicense.org/ "Category A: Unlicense")
+- [Historical Permission Notice and 
Disclaimer](https://opensource.org/licenses/HPND "Category A: HPND")
+- [Mulan Permissive Software License,Version 
2](https://opensource.org/license/mulanpsl-2-0 "Category A: MulanPSL-2.0")
+- [Blue Oak Model License 1.0.0](https://blueoakcouncil.org/license/1.0.0 
"Category A: BlueOak-1.0.0")
+- [EPICS Open License]( https://epics-controls.org/epics-open-license/ 
"Category A: EPICS")
+- [Zero-Clause BSD (0BSD)](https://opensource.org/license/0bsd/ "Category A: 
0BSD")
+- [TCL/TK License](https://spdx.org/licenses/TCL.html "Category A: TCL")
+
+Many of these licenses have specific attribution terms that the project needs 
to adhered to, often by [adding
+them to the NOTICE file](/dev/licensing-howto.html). Ensure you are doing this 
when including these works.
+
+### Handling Public Domain 'licensed' works
+
+You can include works in the public domain (or covered by a license treated 
similarly) within Apache products. You must provide attribution (in a similar 
fashion to the Category A list).
+
+A work should be treated as being in the public domain when one of the 
following applies:
+
+  - the work is covered by
+       - the Creative Commons [Public Domain 
Mark](http://creativecommons.org/publicdomain/mark/1.0/ "Category A: 
CC-PDM-1.0")
+       - a suitable dedication (to the public domain) by the authors
+  - clear evidence exists that US copyright for the work
+      - has expired
+      - cannot be claimed.
+
+Licenses that we treat as similar to public domain:
+
+  - Creative Commons [CC0 “No Rights 
Reserved”](http://creativecommons.org/about/cc0 "Category A: CC0-1.0")
+  - Creative Commons [Public Domain 
Certification](http://creativecommons.org/licenses/publicdomain/ "Category A: 
CC-PDDC")
+
+**Note that** whether a work falls in the public domain may be a
+[difficult](http://fairuse.stanford.edu/Copyright_and_Fair_Use_Overview/chapter8/)
 subject.
+Determining whether the copyright in a work has expired may be non-trivial and 
may vary between jurisdictions. Raise the topic on legal-discuss@ or via a JIRA 
issue if you have doubt over whether a work falls in the public domain.
+
+
+## Category B: What can we *maybe* include in an ASF Project?  {#category-b}
+
+You may include the licenses and/or projects described in this section in an 
Apache Software Foundation product **IF** they meet the specified conditions.
+
+### Appropriately Labelled Condition
+In all Category B cases our users should not be surprised at their inclusion 
in our products.
+If we attach an appropriate and prominent label to the distribution,
+users are less likely to be unaware of restrictions significantly
+different from those of the Apache License. An appropriate and
+prominent label is a label the user will read while learning about the
+distribution - for example in a README, and it should identify the third-party 
product and
+its licensing, and provide a url to the its homepage. Please also comply with
+any attribution/notice requirements in the specific license in question.
+
+### Binary-only Inclusion Condition
+Any Category B licensed works may be included in binary-only form in Apache 
Software Foundation convenience binaries.
+Do not include Category B licensed works in source releases.
+
+### "Weak Copyleft" Licenses
+
+Each license in this section requires some degree of reciprocity. This may 
require
+additional action to minimize the chance that a user of
+an Apache product will create a derivative work of a differently-licensed
+portion of an Apache product without being aware of the applicable
+requirements.
+
+You may include software under the following licenses in binary form
+within an Apache product if you label the inclusion appropriately (see above):
+
+- Common Development and Distribution Licenses: [CDDL 
1.0](https://opensource.org/licenses/CDDL-1.0 "Category B: CDDL-1.0") and [CDDL 
1.1](https://spdx.org/licenses/CDDL-1.1.html "Category B: CDDL-1.1")
+- Common Public License: [CPL 
1.0](http://www.opensource.org/licenses/cpl1.0.php "Category B: CPL-1.0")
+- Eclipse Public License: [EPL 1.0](http://www.eclipse.org/legal/epl-v10.html 
"Category B: EPL-1.0")
+- IBM Public License: [IPL 1.0](http://www.opensource.org/licenses/ibmpl.php 
"Category B: IPL-1.0")
+- Mozilla Public Licenses: [MPL 1.0](http://www.mozilla.org/MPL/1.0/ "Category 
B: MPL-1.0"),
+  [MPL 1.1](http://www.mozilla.org/MPL/1.1/ "Category B: MPL-1.1"), and
+  [MPL 2.0](http://www.mozilla.org/MPL/2.0/ "Category B: MPL-2.0")
+- Sun Public License: [SPL 1.0](https://opensource.org/license/sunpublic-php 
"Category B: SPL-1.0")
+- [Open Software License 3.0](https://opensource.org/licenses/OSL-3.0 
"Category B: OSL-3.0")
+- [Erlang Public License](http://www.erlang.org/EPLICENSE "Category B: 
ErlPL-1.1")
+- [UnRAR License](https://github.com/jukka/java-unrar/blob/master/license.txt 
"Category B: LicenseRef-UnRAR") (only for unarchiving)
+- [SIL Open Font License](http://scripts.sil.org/OFL "Category B: OFL-1.1")
+- [Ubuntu Font License Version 1.0](https://www.ubuntu.com/legal/font-licence 
"Category B: Ubuntu-font-1.0")
+- [IPA Font License Agreement 
v1.0](https://fedoraproject.org/wiki/Licensing/IPAFontLicense "Category B: IPA")
+- [Ruby License](https://www.ruby-lang.org/en/about/license.txt "Category B: 
Ruby") (including the older version when GPLv2 was a listed alternative [Ruby 
1.9.2 
license](https://svn.ruby-lang.org/cgi-bin/viewvc.cgi/tags/v1_9_2_320/COPYING?view=markup
 "Category B: Ruby"))
+- Eclipse Public License 2.0: [EPL 2.0](https://www.eclipse.org/legal/epl-2.0/ 
"Category B: EPL-2.0")
+
+By including only the object/binary form, there is less exposed
+surface area of the third-party work from which someone might derive a work. 
This addresses the second guiding principle of this policy.
+
+For small amounts of source code that the ASF product directly consumes at 
runtime, and for which that source is
+unmodified and unlikely to be changed anyway (say, by virtue of being 
specified by a
+standard), you may include appropriately labeled source code. An example of 
this is the web-facesconfig_1_0.dtd, whose
+inclusion is mandated by the JSR 127: JavaServer Faces specification.
+
+### Including Creative Commons Attribution content  {#cc-by}
+Works under the [Creative Commons Attribution 
(CC-BY)](http://creativecommons.org/licenses/by/4.0/ "Category B: CC-BY-4.0") 
licenses ([2.5](http://creativecommons.org/licenses/by/2.5/ "Category B: 
CC-BY-2.5"), [3.0](http://creativecommons.org/licenses/by/3.0/ "Category B: 
CC-BY-3.0"), and 4.0)
+contain terms related to "Effective Technological Measures", which may come as 
a surprise to users. Thus you should label them appropriately and only include 
them in binary form.
+
+### Unmodified media under the Creative Commons Attribution-Share Alike 
license  {#cc-sa}
+
+You may include unmodified media under the
+[Creative Commons Attribution-Share Alike 
2.5](http://creativecommons.org/licenses/by-sa/2.5/ "Category B: CC-BY-SA-2.5"),
+[Creative Commons Attribution-Share Alike 
3.0](http://creativecommons.org/licenses/by-sa/3.0/ "Category B: CC-BY-SA-3.0") 
and [Creative Commons Attribution-Share Alike 
4.0](http://creativecommons.org/licenses/by-sa/4.0/ "Category B: CC-BY-SA-4.0")
+license in Apache products, subject to the licenses attribution clauses which 
may require
+LICENSE/NOTICE/README changes. For any other type of CC-SA licensed work, 
contact the Legal PMC.
+
+Note that media is intended to mean binary visual/video/audio elements used in 
our documentation. It is not intended to mean inclusion in our source code.
+
+### Can I copy code from Stack Overflow and contribute it to an ASF project? 
{#stackoverflow}
+
+No, not without contacting the original author and getting permission from 
them to use the code in an Apache project under the Apache License 2.0.
+
+### Doug Lea's concurrent library  {#concurrent}
+
+Doug Lea's concurrent library is public domain, but contains some Sun files 
which are not public domain. You may include this library in ASF products much 
like the resources in the 'weak copyleft' list above.
+&quot;It may be included in binary form within an Apache product if the 
inclusion
+is appropriately labeled&quot;. If using the source, remove the files Sun 
licensed to Doug and
+treat as Category A (or get the files from
+[Harmony](http://svn.apache.org/repos/asf/harmony/standard/classlib/trunk/modules/concurrent/src/main/java/java/util/concurrent/)).
+
+### Adding OSGi metadata to weak copyleft binaries  {#osgi-category-b}
+
+You can insert OSGi metadata into 'Category B' licensed jars, provided that 
you include a note that this has occurred in the
+prominent labeling for the jar.
+
+### Cobertura reports  {#cobertura}
+
+You may include Cobertura reports in ASF distributions.
+
+### Handling licenses that prevent modification  {#no-modification}
+
+There are licenses that give broad rights for redistribution of
+**unmodified** copies. Such licenses are not open source, but they
+do satisfy the second and third guiding principles above.
+
+Apache projects must not include material under such licenses in
+version control or in released source packages. It is however acceptable
+for a build process to automatically download such non-software materials
+like fonts and standardized data and include them in the resulting
+binaries. Such use makes it clear that these dependencies are not a part
+of the open source code of the project.
+
+You may use material under the following licenses, as described above:
+
+- [CMaps for PDF CJK Fonts](http://www.adobe.com/devnet/font/#pcfi "Category 
B: LicenseRef-CMaps-Fonts")
+- JCR API jar ([Day Spec 
License](http://www.day.com/maven/jsr170/licenses/day-spec-license.htm 
"Category B: LicenseRef-JCR-API") +
+  [Additional License](http://www.day.com/maven/jsr170/jars/LICENSE.txt 
"Category B: LicenseRef-JARs-Additional"))
+- [WSDL (2004) Schema Files 
License](https://issues.apache.org/jira/browse/LEGAL-385 "Category B: 
LicenseRef-WSDL-SFL")
+
+### Including build tools in ASF products  {#build-tools}
+
+Many languages have developed ecosystems of associated tools that aid
+in the building of artifacts for distribution.  While such tools may not
+always be made available under an otherwise compatible license, we have 
approved specific
+tools for inclusion in Apache distributions when they are used for
+that specific purpose.
+
+Note that the tool must not affect the licensing of the project source code. 
We also expect that our use of the tooling to build our source code is
+its typical use.
+
+To date, we have approved the following tools for such use:
+
+- The Autotools family of products, specifically:
+    - [Autoconf](http://www.gnu.org/software/autoconf/)
+    - [Automake](http://www.gnu.org/software/automake/)
+    - [Libtool](http://www.gnu.org/software/libtool/)
+    - 
[mkinstalldirs.sh](http://www.gnu.org/software/hello/manual/gettext/mkinstalldirs.html)
+- [OCamlMakefile](http://hg.ocaml.info/release/ocaml-make/)
+- [setup.rb](http://i.loveruby.net/en/projects/setup/)
+
+### Including Perl licensed header files when creating dynamically loaded XS 
modules
+
+Developing Perl bindings which link compiled C code to create dynamically 
loaded XS modules requires including header files licensed under the Perl 
license (http://dev.perl.org/licenses/ - GPL-any/Artistic1, with exceptions).
+
+You may include these header files - XSUB.h, perl.h and EXTERN.h (see: 
[LEGAL-79](https://issues.apache.org/jira/browse/LEGAL-79)).
+
+### Including Doxygen-generated config files
+
+You may use these files as long as you remove the generated comments.
+
+### Can Apache projects have external dependencies on Ruby licensed works?  
{#ruby-license}
+
+A project written primarily and obviously in Ruby can have a dependency either 
on Matz's Ruby Interpreter (MRI),
+or on any Gem which is licensed under the [Ruby 
license](http://www.ruby-lang.org/en/LICENSE.txt).
+Of course Gems written under other licenses (such as MIT) may also be OK, 
depending on the license.
+
+Also note that the Ruby license is listed on the 'Category B' Weak Copyleft 
list above for binary usage (for example JRuby).
+
+### From Java 9 onwards, Javadoc can include search functionality that 
includes JavaScript under other open source licenses. Can Apache projects 
include this javadoc?
+
+From Java 9 onwards, Javadoc can include JavaScript under MIT, MIT OR GPL-3.0, 
or GPL-2.0 WITH ClasspathException-2.0. Apache binary releases (including Maven 
javadoc jars) and Apache websites may include this for their javadoc. It must 
not be included in source releases.
+
+
+## Category X: What can we NOT include in an ASF Project?  {#category-x}
+
+You may NOT include the following licenses within Apache products:
+
+- Not OSD-compliant:
+    - [Binary Code License (BCL)](# "Category X: LicenseRef-BCL")
+    - [Intel Simplified Software 
License](https://software.intel.com/en-us/license/intel-simplified-software-license
 "Category X: LicenseRef-Intel-SSL")
+    - [JSR-275 
License](https://github.com/unitsofmeasurement/jsr-275/blob/0.9.3/LICENSE.txt 
"Category X: LicenseRef-JSR-275")
+    - Field of use restrictions:
+        - [Microsoft Limited Public 
License](https://www.openhub.net/licenses/mslpl "Category X: MS-LPL")
+        - [Amazon Software License (ASL)](https://aws.amazon.com/asl/ 
"Category X: LicenseRef-Amazon-Software-License")
+        - [Java SDK for Satori RTM 
license](https://github.com/satori-com/satori-rtm-sdk-java/blob/master/LICENSE 
"Category X: LicenseRef-Java-SDK-for-Satori-RTM")
+        - [Redis Source Available License 
(RSAL)](https://redislabs.com/community/licenses/ "Category X: 
LicenseRef-Redis-Source-Available")
+        - [Booz Allen Public License](http://boozallen.github.io/licenses/bapl 
"Category X: LicenseRef-Booz-Allen-Public-License")
+        - [Confluent Community License Version 
1.0](https://www.confluent.io/confluent-community-license/ "Category X: 
LicenseRef-Confluent-Community-1.0")
+        - [Business Source License 
1.1](https://spdx.org/licenses/BUSL-1.1.html "Category X: BUSL-1.1")
+        - Any license including the [Commons Clause License Condition 
v1.0](https://commonsclause.com "Category X: LicenseRef-Commons-Clause-1.0")
+    - Non-commercial licenses:
+        - [Creative Commons 
Non-Commercial](https://en.wikipedia.org/wiki/Creative_Commons_license#Non-commercial_licenses
 "Category X: CC-BY-NC-4.0") variants
+        - [Sun Community Source License 
3.0](http://jcp.org/aboutJava/communityprocess/SCSL3.0.rtf "Category X: 
LicenseRef-Sun-Community-Source-3.0")
+- Places restrictions on larger works:
+    - [GNU GPL 1](https://spdx.org/licenses/GPL-1.0-only.html "Category X: 
GPL-1.0-only, GPL-1.0-or-later"), [GNU GPL 
2](https://spdx.org/licenses/GPL-2.0-only.html "Category X: GPL-2.0-only, 
GPL-2.0-or-later"), [GNU GPL 
3](http://www.opensource.org/licenses/gpl-license.php "Category X: 
GPL-3.0-only, GPL-3.0-or-later")
+        - Special exceptions to the GNU GPL (e.g. [GNU Classpath](# "Category 
X: GPL-2.0-only WITH Classpath-exception-2.0, GPL-2.0-or-later WITH 
Classpath-exception-2.0, GPL-3.0-only WITH Classpath-exception-2.0, 
GPL-3.0-or-later WITH Classpath-exception-2.0")) unless otherwise permitted 
elsewhere on this page.
+    - [GNU Affero GPL 3](http://www.opensource.org/licenses/agpl-v3.html 
"Category X: AGPL-3.0-only, AGPL-3.0-or-later")
+    - [GNU LGPL 2](https://spdx.org/licenses/LGPL-2.0-only.html "Category X: 
LGPL-2.0-only, LGPL-2.0-or-later"), [LGPL 
2.1](https://spdx.org/licenses/LGPL-2.1-only.html "Category X: LGPL-2.1-only, 
LGPL-2.1-or-later"), [LGPL 
3](http://www.opensource.org/licenses/lgpl-license.php "Category X: 
LGPL-3.0-only, LGPL-3.0-or-later")
+    - [QPL](https://opensource.org/licenses/QPL-1.0 "Category X: QPL-1.0")
+    - [Sleepycat License](http://www.opensource.org/licenses/sleepycat.php 
"Category X: Sleepycat")
+    - [Server Side Public License (SSPL) version 
1](https://www.mongodb.com/licensing/server-side-public-license "Category X: 
SSPL-1.0")
+    - [Code Project Open License 
(CPOL)](http://www.codeproject.com/info/cpol10.aspx "Category X: CPOL-1.02")
+- Other concerns:
+    - [BSD-4-Clause](https://spdx.org/licenses/BSD-4-Clause.html "Category X: 
BSD-4-Clause")/[BSD-4-Clause (University of 
California-Specific)](https://spdx.org/licenses/BSD-4-Clause-UC.html "Category 
X: BSD-4-Clause-UC")
+    - [Facebook BSD+Patents 
license](https://code.facebook.com/pages/850928938376556 "Category X: 
LicenseRef-Facebook-BSD-Patents")
+    - [NPL 1.0](https://spdx.org/licenses/NPL-1.0.html "Category X: 
NPL-1.0")/[NPL 1.1](https://spdx.org/licenses/NPL-1.1.html "Category X: 
NPL-1.1")
+    - Nonsensical licenses:
+        - [The Solipsistic Eclipse Public License](# "Category X: 
LicenseRef-Solipsistic-Eclipse-Public-License")
+        - [The "Don't Be A Dick" Public License](https://dbad-license.org/ 
"Category X: LicenseRef-DBAD")
+        - [JSON License](http://www.json.org/license.html "Category X: JSON")
+
+Details of 'other concerns':
+
+**Facebook BSD+Patents license** <br>
+The Facebook BSD+Patents license includes a specification of a PATENTS file 
that
+passes along risk to downstream consumers of our software imbalanced
+in favor of the licensor, not the licensee, thereby violating our Apache
+legal policy of being a [universal donor](https://s.apache.org/4Uzg).
+The terms of Facebook BSD+Patents license are not a subset of those found in 
the ALv2, and they cannot be sublicensed as ALv2.
+
+**NPL** <br>
+The Netscape Public License is the original license for Mozilla containing
+amendments that are specific to Netscape. These
+amendments allow "Netscape" (now part of AOL) to avoid the
+reciprocity requirement that all other licensees must adhere to. This
+disqualifies the license from meeting Open Source Definition #5 ("No
+Discrimination Against Persons or Groups").
+
+**Nonsensical licenses** <br>
+These licenses while amusing to their creators are legally problematic. They 
often include subjective Field of use restrictions e.g. “Don’t be evil” with no 
definition of the arbiter for that subjective restriction. In some cases they 
may not even grant sufficient rights to conform to the OSI open source 
definition.  Since we do not wish to surprise our downstream consumers we 
forbid the use of such licenses.
+
+**JSON license** <br>
+As of 2016-11-03 the JSON license was moved to the 'Category X' license list. 
Prior to this, use of
+the [JSON Java library](https://github.com/stleary/JSON-java) was allowed. See 
Debian's page for a
+[list of alternatives](https://wiki.debian.org/qa.debian.org/jsonevil).
+
+### They may not be distributed  {#prohibited}
+
+Apache projects may not distribute Category X licensed components, in source 
or binary form;
+in ASF source code or in convenience binaries.  As with the previous question 
on platforms, you can rely on
+the component if its license terms do not affect the Apache product's
+licensing.  For example, using a GPL'ed tool during the build is okay, but 
including GPL'ed source code is not.
+
+### You may rely on them when they support an optional feature  {#optional}
+
+Apache projects can rely on components under prohibited licenses if the 
component is only needed
+for optional features. When doing so, a project shall provide the user with 
instructions on how
+to obtain and install the non-included work. Optional means that the component 
is not required for
+standard use of the product or for the product to achieve a desirable level of 
quality. The question to
+ask yourself in this situation is:
+
+* "Will the majority of users want to use my product without adding the 
optional components?"
+
+
+## FAQ:
+
+### Does it matter what platform an Apache product is created to work with?  
{#platform}
+
+It does not matter, unless the terms for that platform affect
+the Apache product's licensing. For example, creating a product that
+runs on Windows or Java, uses a web service such as Google Services or
+Yahoo Search, or is a plugin for a product such as JBoss or JIRA is fine, 
whereas
+creating a Linux kernel module is not fine because the Apache product
+itself would have to be licensed under something other than the Apache 
License, version 2.0.
+
+Note that this does not mean you can redistribute the platform code itself. 
That of course
+depends on the licensing of said code. If you have any doubts as to whether 
the licensing
+of the platform would affect the Apache code, check the legal-discuss@
+archives to see if it has come up before, and if not email legal-discuss@ to 
find out.
+
+### Is IP clearance required for library dependencies?  {#library-ip-clearance}
+
+No.
+
+[IP clearance](http://incubator.apache.org/ip-clearance/index.html)
+is used to import code bases from outside Apache for future development here.
+
+### How should I handle a work when there is a choice of license?  
{#mutually-exclusive}
+
+When including that work's licensing, state which license you are using and 
include only the license that you have chosen. Prefer
+Category A to Category B to Category X. You don't need to modify the
+work itself if, for example, it mentions the various licensing options
+in the source headers.
+
+
+### What Are Required Third-party Notices?  {#required-third-party-notices}
+
+When a release contains third party works, the licenses covering those works 
may ask that you inform consumers in certain specific fashions. These *third 
party notices* vary from license to license. Apache releases should contain a 
copy of each license, usually contained in the LICENSE document. For many 
licenses this is a sufficient notice. Some licenses require some additional 
notice. In many cases, you can include this notice within the dependent 
artifact.
+
+A *required third-party notice* is any third party notice which the above 
cases don't cover.
+
+See [Bundling Other ASF 
Products](/dev/licensing-howto.html#bundle-asf-product) for a note on required 
notices when a release contains another Apache product.
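Review bot: The Solipsistic Eclipse Public License entry under "Nonsensical licenses" links to `#`, a placeholder href that exists only to carry the "Category X: ..." title. Since scripts/extract_spdx_identifiers.py in this commit reads categories solely from the title attribute of `<a>` tags, the link titles in this file are now data: a typo in a title silently drops or miscategorises a license. Suggest a short note at the top of the Markdown stating the title convention ("Category A|B|X: id[, id]") and that entries without a real URL still need a link to be picked up.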
diff --git a/atr/sbomtool.py b/atr/sbomtool.py
index a31c564..09f4d7e 100644
--- a/atr/sbomtool.py
+++ b/atr/sbomtool.py
@@ -48,16 +48,17 @@ LICENSES: Final[dict[str, list[str]]] = {
     "CATEGORY_A_LICENSES": [
         "0BSD",
         "AFL-3.0",
+        "APAFML",
         "Apache-1.1",
         "Apache-2.0",
-        "APAFML",
-        "Bitstream-Vera",
-        "BlueOak-1.0.0",
         "BSD-2-Clause",
-        "BSD-3-Clause-LBNL",
         "BSD-3-Clause",
+        "BSD-3-Clause-LBNL",
         "BSL-1.0",
+        "Bitstream-Vera",
+        "BlueOak-1.0.0",
         "CC-PDDC",
+        "CC-PDM-1.0",
         "CC0-1.0",
         "DOC",
         "EPICS",
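Review bot: The new order in CATEGORY_A_LICENSES ("BSL-1.0" ahead of "Bitstream-Vera" and "BlueOak-1.0.0") is code-point order, which is what sorted() in scripts/extract_spdx_identifiers.py emits, yet nothing here says the list is generated. Add a comment above LICENSES naming atr/policy/third-party-licenses.md as the source, or load the generated JSON instead, so the next hand edit does not drift from the policy file. "CC-PDM-1.0" is the only functional change in this hunk and is worth a line in the commit message.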
@@ -65,35 +66,37 @@ LICENSES: Final[dict[str, list[str]]] = {
         "HPND",
         "ICU",
         "ISC",
-        "libpng-2.0",
-        "LicenseRef-Arev-1.0",
+        "Libpng",
+        "LicenseRef-COLT-CERN",
+        "LicenseRef-CupPG",
+        "LicenseRef-DOM4J",
         "LicenseRef-ECMA-OOXML-XSD",
         "LicenseRef-Google-AIPG",
         "LicenseRef-MX4J",
         "LicenseRef-Open-Grid-Forum",
+        "LicenseRef-PIL",
         "LicenseRef-Romantic-WTFPL",
         "LicenseRef-SCA-Spec",
         "LicenseRef-W3C-CCLA",
-        "MIT-0",
         "MIT",
+        "MIT-0",
         "MS-PL",
         "MulanPSL-2.0",
         "NCSA",
         "OGL-UK-3.0",
         "PHP-3.01",
-        "Plexus",
         "PostgreSQL",
         "Python-2.0",
         "SMLNJ",
         "TCL",
+        "UPL-1.0",
         "Unicode-DFS-2016",
         "Unlicense",
-        "UPL-1.0",
         "W3C",
         "WTFPL",
         "Xnet",
-        "Zlib",
         "ZPL-2.0",
+        "Zlib",
     ],
     "CATEGORY_B_LICENSES": [
         "CC-BY-2.5",
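Review bot: Replacing "libpng-2.0" with "Libpng" and dropping "LicenseRef-Arev-1.0" and "Plexus" removes identifiers that were previously accepted as Category A. check_licenses compares each atom by exact casefolded string and ends in `got_error = True` for anything not in the three sets, so components declaring those identifiers will start failing after this change. If the removal is intended, say so in the commit message; if not, add the missing titles to third-party-licenses.md and regenerate.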
@@ -110,7 +113,11 @@ LICENSES: Final[dict[str, list[str]]] = {
         "ErlPL-1.1",
         "IPA",
         "IPL-1.0",
+        "LicenseRef-CMaps-Fonts",
+        "LicenseRef-JARs-Additional",
+        "LicenseRef-JCR-API",
         "LicenseRef-UnRAR",
+        "LicenseRef-WSDL-SFL",
         "MPL-1.0",
         "MPL-1.1",
         "MPL-2.0",
@@ -123,29 +130,21 @@ LICENSES: Final[dict[str, list[str]]] = {
     "CATEGORY_X_LICENSES": [
         "AGPL-3.0-only",
         "AGPL-3.0-or-later",
-        "BSD-4-Clause-UC",
         "BSD-4-Clause",
+        "BSD-4-Clause-UC",
         "BUSL-1.1",
-        "CC-BY-NC-2.5",
-        "CC-BY-NC-3.0",
         "CC-BY-NC-4.0",
-        "CC-BY-NC-ND-2.5",
-        "CC-BY-NC-ND-3.0",
-        "CC-BY-NC-ND-4.0",
-        "CC-BY-NC-SA-2.5",
-        "CC-BY-NC-SA-3.0",
-        "CC-BY-NC-SA-4.0",
         "CPOL-1.02",
         "GPL-1.0-only",
         "GPL-1.0-or-later",
-        "GPL-2.0-only WITH Classpath-exception-2.0",
         "GPL-2.0-only",
-        "GPL-2.0-or-later WITH Classpath-exception-2.0",
+        "GPL-2.0-only WITH Classpath-exception-2.0",
         "GPL-2.0-or-later",
-        "GPL-3.0-only WITH Classpath-exception-2.0",
+        "GPL-2.0-or-later WITH Classpath-exception-2.0",
         "GPL-3.0-only",
-        "GPL-3.0-or-later WITH Classpath-exception-2.0",
+        "GPL-3.0-only WITH Classpath-exception-2.0",
         "GPL-3.0-or-later",
+        "GPL-3.0-or-later WITH Classpath-exception-2.0",
         "JSON",
         "LGPL-2.0-only",
         "LGPL-2.0-or-later",
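Review bot: Eight CC-BY-NC identifiers (the 2.5 and 3.0 versions and every ND and SA variant) are removed from CATEGORY_X_LICENSES, leaving only "CC-BY-NC-4.0". They no longer hit the explicit Category X branch in check_licenses and instead rely on the final fall-through `got_error = True`. If the policy still covers those versions, list them in the link titles in third-party-licenses.md so the generated list keeps them as known Category X entries.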
@@ -161,27 +160,29 @@ LICENSES: Final[dict[str, list[str]]] = {
         "LicenseRef-DBAD",
         "LicenseRef-Facebook-BSD-Patents",
         "LicenseRef-Intel-SSL",
-        "LicenseRef-Java-SDK-for-Satori-RTM",
         "LicenseRef-JSR-275",
-        "LicenseRef-MS-LPL",
+        "LicenseRef-Java-SDK-for-Satori-RTM",
         "LicenseRef-Redis-Source-Available",
         "LicenseRef-Solipsistic-Eclipse-Public-License",
         "LicenseRef-Sun-Community-Source-3.0",
+        "MS-LPL",
         "NPL-1.0",
         "NPL-1.1",
         "QPL-1.0",
-        "Sleepycat",
         "SSPL-1.0",
+        "Sleepycat",
     ],
 }
 
-_CATEGORY_A_LICENSES_FOLD: Final[frozenset[str]] = frozenset(
+CATEGORY_A_LICENSES_FOLD: Final[frozenset[str]] = frozenset(
     value.casefold() for value in LICENSES["CATEGORY_A_LICENSES"]
 )
-_CATEGORY_B_LICENSES_FOLD: Final[frozenset[str]] = frozenset(
+
+CATEGORY_B_LICENSES_FOLD: Final[frozenset[str]] = frozenset(
     value.casefold() for value in LICENSES["CATEGORY_B_LICENSES"]
 )
-_CATEGORY_X_LICENSES_FOLD: Final[frozenset[str]] = frozenset(
+
+CATEGORY_X_LICENSES_FOLD: Final[frozenset[str]] = frozenset(
     value.casefold() for value in LICENSES["CATEGORY_X_LICENSES"]
 )
 
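Review bot: Dropping the leading underscore from the three *_LICENSES_FOLD constants makes them public names of the module, but the only use visible in this diff is check_licenses in the same file. If another module is meant to import them, mention that in the commit message; otherwise keep them private. Separately, "LicenseRef-MS-LPL" becomes "MS-LPL" in this hunk, so an SBOM that used the old identifier will now fall through to the unknown branch.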
@@ -832,12 +833,12 @@ def check_licenses(bom: Bom) -> tuple[list[LicenseIssue], 
list[LicenseIssue]]:
             any_unknown = parse_failed
             for atom in atoms:
                 folded = atom.casefold()
-                if folded in _CATEGORY_A_LICENSES_FOLD:
+                if folded in CATEGORY_A_LICENSES_FOLD:
                     continue
-                if folded in _CATEGORY_B_LICENSES_FOLD:
+                if folded in CATEGORY_B_LICENSES_FOLD:
                     got_warning = True
                     continue
-                if folded in _CATEGORY_X_LICENSES_FOLD:
+                if folded in CATEGORY_X_LICENSES_FOLD:
                     got_error = True
                     continue
                 got_error = True
diff --git a/scripts/extract_spdx_identifiers.py 
b/scripts/extract_spdx_identifiers.py
new file mode 100755
index 0000000..13a7c32
--- /dev/null
+++ b/scripts/extract_spdx_identifiers.py
@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import json
+import re
+import sys
+from html.parser import HTMLParser
+
+
+class SPDXLinkParser(HTMLParser):
+    def __init__(self):
+        super().__init__()
+        self.category_a = set()
+        self.category_b = set()
+        self.category_x = set()
+
+    def handle_starttag(self, tag, attrs):
+        if tag == "a":
+            attrs_dict = dict(attrs)
+            title = attrs_dict.get("title") or ""
+
+            match = re.match(r"Category\s+([ABX]):\s+(.+)", title, 
re.IGNORECASE)
+            if match:
+                category = match.group(1).upper()
+                spdx_identifiers = match.group(2).strip()
+
+                for spdx_identifier in spdx_identifiers.split(","):
+                    spdx_identifier = spdx_identifier.strip()
+
+                    if category == "A":
+                        self.category_a.add(spdx_identifier)
+                    elif category == "B":
+                        self.category_b.add(spdx_identifier)
+                    elif category == "X":
+                        self.category_x.add(spdx_identifier)
+
+
+def main():
+    if len(sys.argv) != 2:
+        print("Usage: extract_spdx_identifiers.py <html_file>", 
file=sys.stderr)
+        sys.exit(1)
+
+    filename = sys.argv[1]
+
+    try:
+        with open(filename, encoding="utf-8") as f:
+            html_content = f.read()
+    except FileNotFoundError:
+        print(f"Error: File '{filename}' not found", file=sys.stderr)
+        sys.exit(1)
+    except Exception as e:
+        print(f"Error reading file: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    parser = SPDXLinkParser()
+    parser.feed(html_content)
+
+    result = {
+        "CATEGORY_A_LICENSES": sorted(parser.category_a),
+        "CATEGORY_B_LICENSES": sorted(parser.category_b),
+        "CATEGORY_X_LICENSES": sorted(parser.category_x),
+    }
+
+    print(json.dumps(result, indent=4))
+
+
+if __name__ == "__main__":
+    main()
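Review bot: handle_starttag adds each identifier to its category set without checking whether it already sits in another category, and without rejecting the empty string that a trailing comma in a title would produce. check_licenses tests Category A first, so an identifier titled both A and X in the Markdown would be accepted silently. Suggest that main() exit non-zero when the three sets overlap or when an identifier is empty. Also note that `(.+)` does not match newlines, so a title attribute that contains a line break would be cut at the first line.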

