Posted to dev@uima.apache.org by Marshall Schor <ms...@schor.com> on 2016/09/09 13:42:37 UTC

Maybe an interesting tool for scanning releases for licenses/notices compliance etc

This might be of interest as a tool (it's GPL licensed).

After initial runs, subsequent releases know how to only check changed files, so
workload would be greatly reduced...

Anyone know about or use this?

-Marshall
-------- Forwarded Message --------
Subject: 	FOSSology: recent experiences?
Date: 	Thu, 8 Sep 2016 21:28:54 -0400 (EDT)
From: 	Joan Touzet <wo...@apache.org>
Reply-To: 	members@apache.org, Joan Touzet <wo...@apache.org>
To: 	members@apache.org
Hi everyone,

I posted this on dev@community but got no responses, so I'm trying
members@ instead.

Apache CouchDB is about to make their big 2.0 release. As part of
final due diligence we're double-checking all of our dependencies
for licenses. Based on prior experiences, I recommended our team
leverage FOSSology (https://www.fossology.org/), an open source
tool I've used before for scouring source code archives for
licenses and allowing them to be tagged as "clear" after a
combination of automated and manual analysis.

I'm curious if any other teams out there use FOSSology to help
with this ASF-mandatory activity, and if so, would you be willing
to share your experiences? Do you have any recommendations for
the settings within the automated scanner? We're presently using
a combination of Nomos and Monk scanning and finding the results
quite satisfactory on a relatively large codebase with complex
JavaScript dependencies.

Looking forward to your stories!

-Joan