Architecture
The following picture shows a business-oriented view of Solicitor.
Raw data about the components and their attached licenses within an application is gathered by scanning with technology- and build-chain-specific tools. This happens outside Solicitor.
The import step reads this data and transforms it into a common, technology-independent internal format.
In the normalization step the license information is completed and unified: information not contained in the raw data is added and, where possible, the applicable licenses are expressed as SPDX-Ids.
Many open source components are offered under multi-licensing models. In the qualification step the finally applicable licenses are selected.
In the legal assessment the compliance of the applicable licenses is checked against generic rules defined in company-wide policies and, possibly, project-specific extensions. Defining those rules is considered "legal advice" and may need to be done by lawyers who are authorized to do so. For this step Solicitor only provides a framework / tool to support the process; it does not deliver any predefined rules.
The final export step produces documents based on the internal data model. This might be the list of licenses to be forwarded to the customer or a license compliance report. Data might also be fed into other systems.
A more technically oriented view of Solicitor is given below.
There are three major technical components: the reader and writer components perform the import and export of data, and the business logic (normalization, qualification and legal assessment) is executed by a rule engine. Rules are mainly defined via decision tables. Solicitor comes with a starting set of rules for normalization and qualification, but these rule sets need to be extended within the projects. Rules for legal evaluation need to be defined completely by the user.
Solicitor works without additional persisted data: when executed, it generates the output directly from the read input data after processing the business rules. Because nothing is persisted between runs, the input files and the rule sets (together with the version information recorded in ModelRoot) are what has to be kept if a result needs to be reproduced later.
Data Model
The internal business data model consists of 6 entities:

- ModelRoot: root object of the business data model which holds metadata about the data processing
- Engagement: the master data of the overall project
- Application: a deliverable within the Engagement
- ApplicationComponent: a component within an Application
- RawLicense: license info attached to an ApplicationComponent as it is read from the input data
- NormalizedLicense: license info attached to an ApplicationComponent as processed by the business rules
ModelRoot
Property | Type | Description |
---|---|---|
modelVersion | int | version number of the data model |
executionTime | String | timestamp when the data was processed |
solicitorVersion | String | Solicitor version which processed the model |
solicitorGitHash | String | build number / GitHash of the Solicitor build |
solicitorBuilddate | String | build date of the Solicitor build |
extensionArtifactId | String | artifactId of the active Solicitor Extension ("NONE" if no extension) |
extensionVersion | String | version of the active Extension (or "NONE") |
extensionGitHash | String | build number / GitHash of the Extension (or "NONE") |
Engagement
Property | Type | Description |
---|---|---|
engagementName | String | the engagement name |
engagementType | EngagementType | the engagement type; possible values: INTERN, EXTERN |
clientName | String | name of the client |
goToMarketModel | GoToMarketModel | the go-to-market model; possible values: LICENSE |
contractAllowsOss | boolean | does the contract explicitly allow OSS? |
ossPolicyFollowed | boolean | is the company's OSS policy followed? |
customerProvidesOss | boolean | does the customer provide the OSS? |
Application
Property | Type | Description |
---|---|---|
applicationName | String | the name of the application / deliverable |
releaseId | String | version identifier of the application |
releaseDate | String | release date of the application |
sourceRepo | String | URL of the source repo of the application (should be a URL) |
programmingEcosystem | String | programming ecosystem (e.g. Java8; Android/Java, iOS / Objective C) |
ApplicationComponent
Property | Type | Description |
---|---|---|
usagePattern | UsagePattern | possible values: DYNAMIC_LINKING, STATIC_LINKING, STANDALONE_PRODUCT |
ossModified | boolean | is the OSS modified? |
ossHomepage | String | URL of the OSS homepage |
sourceRepoUrl | String | URL of the source code repo |
groupId | String | component identifier: Maven groupId |
artifactId | String | component identifier: Maven artifactId |
version | String | component identifier: version |
repoType | String | component identifier: RepoType |
packageUrl | String | the Package URL (purl) as a technology-neutral component identifier |
noticeFileUrl | String | URL referencing a NOTICE file to be included in the attributions (optional, see Experimental Scancode Integration) |
noticeFileContent | String | resolved content of noticeFileUrl (optional, see Experimental Scancode Integration) |
copyrights | String | copyright statements found in the component's metadata / code (optional, see Experimental Scancode Integration) |
packageDownloadUrl | String | URL for downloading the component (optional, see Experimental Scancode Integration) |
sourceDownloadUrl | String | URL for downloading the sources of the component (optional, see Experimental Scancode Integration) |
dataStatus | String | optional status of the data associated with the component; possible values TBD |
traceabilityNotes | String | optional notes for tracing the information about this component back to its origin |
RawLicense
Property | Type | Description |
---|---|---|
declaredLicense | String | name of the declared license |
licenseUrl | String | URL of the declared license |
declaredLicenseContent | String | license text as provided in the input data |
trace | String | detail info on the history of this data record |
origin | String | origin of the raw license data; either the lowercase class name of the Reader or "scancode" if the license data was taken from scancode results |
specialHandling | boolean | (for controlling rule processing) |
NormalizedLicense
Property | Type | Description |
---|---|---|
declaredLicense | String | name of the declared license (copied from RawLicense) |
licenseUrl | String | URL of the declared license (copied from RawLicense) |
declaredLicenseContent | String | resolved content of licenseUrl |
normalizedLicenseType | String | type of the license, see License types |
normalizedLicense | String | name of the license in normalized form (SPDX-Id) or a special "pseudo license id", see Pseudo License Ids |
normalizedLicenseUrl | String | URL pointing to a normalized form of the license |
normalizedLicenseContent | String | resolved content of normalizedLicenseUrl |
effectiveNormalizedLicenseType | String | type of the effective license, see License types |
effectiveNormalizedLicense | String | effective normalized license (SPDX-Id) or "pseudo license id"; this is the information after selecting the right license in case of multi-licensing, or after any license override due to a component being redistributed under a different license |
effectiveNormalizedLicenseUrl | String | URL pointing to the effective normalized license |
effectiveNormalizedLicenseContent | String | resolved content of effectiveNormalizedLicenseUrl |
legalPreApproved | String | indicates whether the license is pre-approved based on the company standard policy |
copyLeft | String | indicates the type of copyleft of the license |
licenseCompliance | String | indicates if the license is compliant according to the default company policy |
licenseRefUrl | String | URL to the reference license information (TBD) |
licenseRefContent | String | resolved content of licenseRefUrl |
includeLicense | String | does the license require the license text to be included? |
includeSource | String | does the license require the source code of the OSS component to be delivered? |
reviewedForRelease | String | for which release was the legal evaluation done? |
comments | String | comments on the component/license (mainly as input to legal) |
legalApproved | String | indicates whether this usage is legally approved |
legalComments | String | comments from legal, possibly indicating additional conditions to be fulfilled |
trace | String | detail info on the history of this data record (rule executions) |
guessedLicenseUrl | String | guessed (possibly improved) URL of the effective normalized license |
guessedLicenseUrlAuditInfo | String | audit info which documents how the guessedLicenseUrl was guessed |
guessedLicenseContent | String | resolved content of guessedLicenseUrl |
For how Solicitor resolves the content of URLs and how the result can be influenced, see Resolving of License URLs.
For a description of the URL guessing mechanism, see Guessing of license URLs.
License types
Defines the type of a license:

- OSS-SPDX: an OSS license which has a corresponding SPDX-Id
- OSS-OTHER: an OSS license which has no SPDX-Id
- COMMERCIAL: a commercial (non-OSS) license; this might also include code which is owned by the project
- UNKNOWN: the license is unknown
- IGNORED: the license will be ignored (non-selected license in a multi-licensing case; only to be used as "Effective Normalized License Type")
Pseudo License Ids
A "normalized" license id might be either an SPDX-Id or a "pseudo license id" which is used to indicate a specific situation. The following pseudo license ids are used:

- OSS specific: a non-standard OSS license which could not be mapped to an SPDX-Id
- PublicDomain: any form of public domain which is not represented by an explicit SPDX-Id
- Ignored: the license will be ignored (non-selected license in a multi-licensing case; only to be used as "Effective Normalized License")
- NonOSS: commercial license, not OSS