chore(deps): Create ecosystem-wide SOUP inventory and LICENSE-THIRD-PARTY document #382

Description

@kcenon

What

Create a centralized SOUP (Software of Unknown Provenance) inventory document that catalogs all third-party dependencies across the kcenon ecosystem with version, license, purpose, and risk classification.

Why

  • IEC 62304 compliance: SOUP traceability requires exact identification of all third-party software components, their versions, licenses, and anomaly risk classifications
  • License audit readiness: The ecosystem uses BSD-3-Clause but depends on LGPL-2.1 (libiconv, libmariadb), Apache-2.0 (OpenSSL, gRPC), and other licenses — a unified view prevents compliance gaps
  • Cross-project visibility: SOUP dependencies are scattered across 7+ vcpkg.json files with no single source of truth
  • Regulatory preparedness: FDA/MDR audits require documented evidence of third-party software evaluation

Where

  • docs/SOUP-LIST.md — Centralized SOUP inventory (this repo as ecosystem foundation)
  • LICENSE-THIRD-PARTY — Machine-readable third-party license notices
  • Referenced from each downstream project's documentation

How

  1. Aggregate all vcpkg.json dependencies (core + feature) across ecosystem projects
  2. For each SOUP item, document:
    • Name, version (minimum required), actual pinned version
    • License (SPDX identifier)
    • Purpose / functional description
    • Risk classification (Critical / High / Medium / Low)
    • Anomaly impact assessment
  3. Identify LGPL items requiring dynamic linking policy documentation
  4. Create LICENSE-THIRD-PARTY with concatenated license texts
  5. Add cross-references from downstream projects
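The aggregation in steps 1 and 2, as an added example (not the kcenon project's own tooling): it walks constructed vcpkg.json manifests, collects core and feature dependencies in both their string and object forms, records `version>=` minimums and `overrides` pins, and flags copyleft entries for the linking-policy check in step 3. The license map is an assumption here, since a consumer's vcpkg.json does not carry its dependencies' licenses; a real inventory would maintain it by hand or pull it from the ports' own manifests.

```python
"""Build a SOUP inventory table from vcpkg.json manifests (added example)."""
import json
from collections import defaultdict

# Constructed sample manifests, keyed by project name (not real kcenon files).
MANIFESTS = {
    "network": json.dumps({"name": "network", "dependencies": [
        "fmt", "asio", {"name": "openssl", "version>=": "3.0.0"}],
        "features": {"compression": {"description": "zlib support", "dependencies": ["zlib"]}},
        "overrides": [{"name": "openssl", "version": "3.1.4"}]}),
    "database": json.dumps({"name": "database", "dependencies": [
        "fmt", {"name": "libmariadb", "version>=": "3.3.0"}],
        "features": {"postgres": {"description": "PostgreSQL backend", "dependencies": ["libpq"]}}}),
}
# Hand-maintained license map (assumption); anything missing is flagged UNKNOWN.
LICENSES = {"fmt": "MIT", "asio": "BSL-1.0", "openssl": "Apache-2.0", "zlib": "Zlib",
            "libmariadb": "LGPL-2.1", "libpq": "PostgreSQL"}
COPYLEFT_PREFIXES = ("LGPL",)  # licenses that need a linking-policy statement

def dep_name(dep):
    """A vcpkg dependency is either a bare string or an object with a 'name' key."""
    return dep if isinstance(dep, str) else dep["name"]

def build_inventory(manifests):
    """Return {soup: {projects, min_versions, pinned, feature_only, license, needs_linking_policy}}."""
    inv = defaultdict(lambda: {"projects": set(), "min_versions": set(), "pinned": None, "feature_only": True})
    for project, text in manifests.items():
        m = json.loads(text)
        deps = [(d, False) for d in m.get("dependencies", [])]          # core dependencies
        for feat in m.get("features", {}).values():                      # optional-feature dependencies
            deps += [(d, True) for d in feat.get("dependencies", [])]
        for dep, is_feature in deps:
            e = inv[dep_name(dep)]
            e["projects"].add(project)
            if not is_feature:
                e["feature_only"] = False
            if isinstance(dep, dict) and "version>=" in dep:
                e["min_versions"].add(dep["version>="])
        for ov in m.get("overrides", []):                                # pinned versions
            if ov["name"] in inv:
                inv[ov["name"]]["pinned"] = ov["version"]
    for name, e in inv.items():
        e["license"] = LICENSES.get(name, "UNKNOWN")
        e["needs_linking_policy"] = e["license"].startswith(COPYLEFT_PREFIXES)
    return dict(inv)

def to_markdown(inv):
    """Render the inventory as the markdown table docs/SOUP-LIST.md would carry."""
    rows = ["| SOUP | Projects | Min version | Pinned | License | Linking policy |", "|---|---|---|---|---|---|"]
    for name in sorted(inv):
        e = inv[name]
        rows.append(f"| {name} | {', '.join(sorted(e['projects']))} | {', '.join(sorted(e['min_versions'])) or '-'} "
                    f"| {e['pinned'] or '-'} | {e['license']} | {'required' if e['needs_linking_policy'] else '-'} |")
    return "\n".join(rows)
```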

SOUP Summary (Current State)

| SOUP | Projects | License | Risk |
|---|---|---|---|
| fmt | logger, network, database | MIT | Low |
| asio | network, database | BSL-1.0 | High |
| zlib | network | zlib | Medium |
| libiconv | thread | LGPL-2.1 | Low |
| OpenSSL | logger, network, database | Apache-2.0 | Critical |
| gRPC | logger, monitoring | Apache-2.0 | High |
| protobuf | logger, monitoring | BSD-3-Clause | Medium |
| opentelemetry-cpp | logger | Apache-2.0 | Medium |
| spdlog | thread, database | MIT | Low |
| libpq/libpqxx | database | PostgreSQL | High |
| libmariadb | database | LGPL-2.1 | High |
| sqlite3 | database | Public Domain | Medium |
| mongo-cxx-driver | database | Apache-2.0 | High |
| hiredis | database | BSD-3-Clause | Medium |
| gtest/gmock | all (test only) | BSD-3-Clause | N/A |
| benchmark | all (test only) | Apache-2.0 | N/A |

Acceptance Criteria

  • docs/SOUP-LIST.md created with all ecosystem SOUP items
  • Each entry includes: name, version, license (SPDX), purpose, risk class
  • LGPL-2.1 items flagged with linking policy requirements
  • LICENSE-THIRD-PARTY file created with all third-party license texts
  • Document reviewed against actual vcpkg.json contents for accuracy
