Skip to content

[Maintenance] CI/CD: License audit on transitive dependencies (dotnet-licenses / FOSSA) #137

Description

@Chris-Wolfgang

Scope

Dependabot tracks dependency versions (and CVE alerts). It does not check the licenses of transitive dependencies. A new transitive dependency with an incompatible license (GPL, AGPL, OSL, business-source) silently leaks into a derivative work distributed under MIT — a real procurement / legal exposure for downstream consumers.

The deferred work is a license-audit workflow using dotnet-licenses / FOSSA / Snyk Open Source / similar that enumerates every transitive package, captures its declared license, and fails the build on incompatible / unknown licenses.

Acceptance criteria

  • A license-audit.yaml workflow runs on PR + scheduled.
  • Findings produce a THIRD-PARTY-NOTICES.md (or similar) generated automatically per release; license attribution is shipped in the NuGet package per the licenses' requirements.
  • A documented allowlist (MIT / Apache-2.0 / BSD-2-Clause / BSD-3-Clause / similar) gates new packages; anything else needs explicit reviewer approval recorded in the PR.
  • A baseline scan of the current main documents current dependencies + licenses.

Notes

Metadata

Metadata

Assignees

No one assigned

    Labels

    maintenance - CI/CDMaintenance: Docker, CI workflow, build/publish pipelinemaintenance-taskA Maintenance sub-issue — actionable improvement workthorough-reviewDeferred deep-review tier — work on canonical Tier-1 issues first

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions