This might be of interest as a tool (it's GPL licensed). After initial runs, subsequent releases know how to only check changed files, so workload would be greatly reduced...
Anyone know about or use this?

-Marshall

-------- Forwarded Message --------
Subject: FOSSology: recent experiences?
Date: Thu, 8 Sep 2016 21:28:54 -0400 (EDT)
From: Joan Touzet <[email protected]>
Reply-To: [email protected], Joan Touzet <[email protected]>
To: [email protected]

Hi everyone,

I posted this on dev@community but got no responses, so I'm trying members@ instead.

Apache CouchDB is about to make their big 2.0 release. As part of final due diligence we're double-checking all of our dependencies for licenses. Based on prior experiences, I recommended our team leverage FOSSology (https://www.fossology.org/), an open source tool I've used before for scouring source code archives for licenses and allowing them to be tagged as "clear" after a combination of automated and manual analysis.

I'm curious if any other teams out there use FOSSology to help with this ASF-mandatory activity, and if so, would you be willing to share your experiences? Do you have any recommendations for the settings within the automated scanner? We're presently using a combination of Nomos and Monk scanning and finding the results quite satisfactory on a relatively large codebase with complex JavaScript dependencies.

Looking forward to your stories!

-Joan
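The "only check changed files" behaviour mentioned above is the part of a release-time license audit that decides how much work a rescan costs. As an added illustration (not FOSSology code, and not the CouchDB project's tooling), the following Python script shows the incremental workflow keyed on content hashes rather than timestamps: every file in a tree is hashed, files whose SHA-256 matches the previous manifest reuse their earlier result, and only new or modified files are fed to the scanner. The scanner itself is a deliberately small stand-in (SPDX tag and a few license phrases) for Nomos/Monk, the manifest layout is an assumption, and the sample source tree is constructed inside the script so it runs offline.

```python
"""Incremental license scan keyed on content hashes.

Added example, not FOSSology code. `scan_text` is a tiny stand-in for a real
scanner such as Nomos or Monk; the JSON manifest format is an assumption made
for illustration.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Stand-in scanner: an SPDX tag plus a few distinctive license phrases.
# Nomos/Monk match against full license texts; this only drives the workflow.
LICENSE_PATTERNS = [
    (re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)"), None),
    (re.compile(r"GNU General Public License", re.I), "GPL"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
    (re.compile(r"Apache License,?\s+Version 2\.0", re.I), "Apache-2.0"),
]


def scan_text(text):
    """Return the sorted list of license names found in `text`."""
    found = set()
    for pattern, name in LICENSE_PATTERNS:
        match = pattern.search(text)
        if match:
            found.add(name or match.group(1))   # SPDX tag carries its own id
    return sorted(found) or ["No_license_found"]


def sha256_of(path):
    """Stream a file through SHA-256 so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def incremental_scan(root, manifest_path):
    """Scan only files whose content changed since the manifest was written.

    Returns (new_manifest, list_of_relative_paths_actually_scanned).
    Files deleted from the tree drop out of the manifest because it is rebuilt
    from the current tree on every run.
    """
    root = Path(root)
    manifest_path = Path(manifest_path)
    try:
        previous = json.loads(manifest_path.read_text())
    except FileNotFoundError:
        previous = {}                       # first run: everything is new

    current = {}
    scanned = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        prior = previous.get(rel)
        if prior and prior["sha256"] == digest:
            current[rel] = prior            # unchanged content: reuse result
            continue
        # Changed or new: a swapped dependency with an untouched mtime still
        # lands here, because the decision is made on content, not on time.
        licenses = scan_text(path.read_text(errors="replace"))
        current[rel] = {"sha256": digest, "licenses": licenses}
        scanned.append(rel)

    manifest_path.write_text(json.dumps(current, indent=1, sort_keys=True))
    return current, scanned


def demo():
    """Constructed sample tree: three runs showing the rescan shrinking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "src").mkdir(parents=True)
        (root / "deps").mkdir()
        (root / "src" / "a.c").write_text(
            "// SPDX-License-Identifier: GPL-2.0-only\nint main(void){return 0;}\n")
        (root / "deps" / "lib.js").write_text(
            "/* Permission is hereby granted, free of charge, to any person */\n")
        (root / "README").write_text("Project notes, no license text here.\n")
        manifest = Path(tmp) / "scan-manifest.json"

        _, first = incremental_scan(root, manifest)      # full scan
        _, second = incremental_scan(root, manifest)     # nothing changed
        (root / "deps" / "lib.js").write_text(
            "/* Licensed under the Apache License, Version 2.0 */\n")
        third_manifest, third = incremental_scan(root, manifest)  # one file
        return len(first), len(second), third, third_manifest["deps/lib.js"]["licenses"]


if __name__ == "__main__":
    print(demo())
```

The check worth keeping from this is the hash comparison: an audit that skips files based on modification time can be fooled by a dependency whose contents were replaced with timestamps preserved, whereas a content hash forces that file back through the scanner. Swap `scan_text` for a call to the real scanner and the rest of the loop stays the same.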
