Hi Jim.
It's not quite that simple.
ClearlyDefined provides license data. We need to have some confidence that the license data is correct and that the licenses are compatible with the project license.
If third-party content is not known to IPZilla, then ClearlyDefined can be used. When an entry is known to ClearlyDefined and has a score of at least 75 and all discovered licenses are on the Eclipse Foundation’s approved licenses list, then the content can be used without further action.
As I look at this, I realize that it's not quite right. As you suggested, the effective license score is what we're most interested in, and both the declared and discovered licenses need to match. I'll update this. Note that we've discussed dropping the threshold.
I'm new to SBT, but I think that this command feeds the Dash License Tool with the information that it needs to sort out what third party content needs further investigation.
[wayne@localhost geotrellis]$ ./sbt dependencyTree | grep -Poh "(?<=\+\-)[^:]+:[^:]+:[^:\s]+" | sort | uniq | java -jar /gitroot/dash/org.eclipse.dash.license/target/org.eclipse.dash.licenses-0.0.1-SNAPSHOT.jar -
The dependencyTree command seems to answer ranges on some dependencies, so that may require some further.
The tool finds 167 items that are good-to-go in ClearlyDefined (so that means at least a few fewer CQs).
GeoTools 23.2 will drop off the list when the corresponding CQ is resolved. I'm looking through the other hits identified by the tool to see if we can map them to existing CQs. In the meantime, if anything obvious jumps out at you as "we have a CQ for that", please let me know.
Wayne
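
Added example, not part of the message above or of the Dash License Tool: a portable version of the coordinate-extraction step that also separates version ranges from pinned versions, so that only single releases are sent on for license vetting. The `sample_tree` output is constructed, its layout is an assumption about what `sbt dependencyTree` prints, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `sbt dependencyTree` output (layout assumed,
# not captured from the geotrellis build).
sample_tree() {
cat <<'EOF'
[info] org.example:demo_2.12:0.1.0 [S]
[info]   +-org.example:alpha:1.2.3
[info]   | +-org.example:beta:[2.0,3.0)
[info]   | +-org.example:gamma_2.12:0.9.1 [S]
[info]   +-org.example:alpha:1.2.3
[info]   +-org.example:delta:(,1.5]
EOF
}

# Pull group:artifact:version out of every "+-" tree node, de-duplicated.
# Same intent as the grep -Poh look-behind in the message, without PCRE.
extract_coords() {
  grep -oE '\+-[^:]+:[^:]+:[^:[:space:]]+' | sed 's/^+-//' | sort -u
}

# A version that starts with "[" or "(" is a Maven/Ivy range, which does
# not identify one release and so cannot be matched to one license record.
is_range() {
  case "${1##*:}" in
    \[*|\(*) return 0 ;;
    *) return 1 ;;
  esac
}

# Coordinates that name exactly one release: safe to hand to the license tool.
pinned_coords() {
  extract_coords | while read -r c; do
    if ! is_range "$c"; then echo "$c"; fi
  done
}

# Coordinates that still need a human to pick the resolved version.
range_coords() {
  extract_coords | while read -r c; do
    if is_range "$c"; then echo "$c"; fi
  done
}

echo "pinned:"; sample_tree | pinned_coords
echo "ranges needing resolution:"; sample_tree | range_coords
```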