What
Create a centralized SOUP (Software of Unknown Provenance) inventory document that catalogs all third-party dependencies across the kcenon ecosystem with version, license, purpose, and risk classification.
Why
- IEC 62304 compliance: SOUP traceability requires exact identification of all third-party software components, their versions, licenses, and anomaly risk classifications
- License audit readiness: The ecosystem itself is BSD-3-Clause but depends on LGPL-2.1 (libiconv, libmariadb), Apache-2.0 (OpenSSL, gRPC), and other licenses, each with its own obligations (LGPL-2.1: relinking and source-offer terms that depend on how the library is linked; Apache-2.0: NOTICE propagation). Note that OpenSSL is Apache-2.0 only from 3.0 onward; 1.1.x ships under the dual OpenSSL/SSLeay license, so the pinned version decides which text applies. A unified view prevents such compliance gaps
- Cross-project visibility: SOUP dependencies are scattered across 7+ vcpkg.json files with no single source of truth
- Regulatory preparedness: FDA/MDR audits require documented evidence of third-party software evaluation
Where
- docs/SOUP-LIST.md — Centralized SOUP inventory (this repo as ecosystem foundation)
- LICENSE-THIRD-PARTY — Machine-readable third-party license notices
- Referenced from each downstream project's documentation
How
- Aggregate all vcpkg.json dependencies (core + feature) across ecosystem projects
- For each SOUP item, document:
  - Name, minimum required version (the manifest's version>= constraint), and the actual pinned version (from an overrides entry or the resolved baseline)
  - License (SPDX identifier)
  - Purpose / functional description
  - Risk classification (Critical / High / Medium / Low)
  - Anomaly impact assessment
- Identify the LGPL-2.1 items (libiconv, libmariadb) and document the dynamic linking policy they require
- Create LICENSE-THIRD-PARTY with concatenated license texts
- Add cross-references from downstream projects
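As an added example (not the kcenon project's own tooling, and not part of the original issue), the aggregation step above in Python: it walks the core and per-feature dependencies of several vcpkg.json manifests, merges them by package name, keeps the highest version>= constraint and any overrides pin, and reports the gaps that still have to be closed by hand before the list is signed off. The two sample manifests, the license table and the risk table are constructed assumptions; vcpkg manifests themselves carry no license or risk data, so those columns are always curated.

```python
# Added example (not kcenon's own tooling): merge vcpkg.json manifests into one
# SOUP inventory and list the gaps a reviewer must close before sign-off.
from dataclasses import dataclass, field

# Constructed stand-ins for two ecosystem vcpkg.json files (assumed content).
SAMPLE_MANIFESTS = {
    "network": {
        "dependencies": ["fmt", {"name": "asio", "version>=": "1.28.0"},
                         {"name": "zlib", "version>=": "1.2.13#1"}],
        "features": {"tls": {"dependencies": ["openssl"]},
                     "tests": {"dependencies": ["gtest"]}},
        "overrides": [{"name": "openssl", "version": "3.1.4"}],
    },
    "database": {
        "dependencies": [{"name": "fmt", "version>=": "10.1.0"},
                         {"name": "asio", "version>=": "1.30.2"},
                         {"name": "libmariadb", "version>=": "3.3.4"},
                         {"name": "libpqxx", "version>=": "7.8.1"}],
        "features": {"tests": {"dependencies": ["gtest"]}},
    },
}
# vcpkg manifests carry no license or risk data; the SOUP author curates these
# tables by hand (SPDX identifiers; the values are assumptions for the demo).
LICENSE_DB = {"fmt": "MIT", "asio": "BSL-1.0", "zlib": "Zlib",
              "openssl": "Apache-2.0", "libmariadb": "LGPL-2.1-or-later",
              "libpqxx": "BSD-3-Clause", "gtest": "BSD-3-Clause"}
RISK_DB = {"openssl": "Critical", "asio": "High", "libmariadb": "High",
           "libpqxx": "High", "zlib": "Medium", "fmt": "Low"}
TEST_FEATURES = {"feature:test", "feature:tests"}  # pull in test tooling only


@dataclass
class SoupItem:
    name: str
    projects: set = field(default_factory=set)
    via: set = field(default_factory=set)     # "core" or "feature:<name>"
    pinned: set = field(default_factory=set)  # versions fixed via "overrides"
    min_version: str = ""                     # highest "version>=" seen
    license: str = "UNKNOWN"
    risk: str = "Unclassified"

    @property
    def test_only(self):
        return bool(self.via) and self.via <= TEST_FEATURES


def version_key(version):
    # Sort key for vcpkg versions: strip "#port-version", compare numerically.
    parts = version.split("#", 1)[0].split(".")
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def iter_dependencies(manifest):
    """Yield (name, min_version, via) for core and per-feature dependencies."""
    groups = [("core", manifest.get("dependencies", []))]
    for fname, feat in manifest.get("features", {}).items():
        groups.append((f"feature:{fname}", feat.get("dependencies", [])))
    for via, deps in groups:
        for dep in deps:  # a dependency is either "name" or {"name": ..., ...}
            dep = {"name": dep} if isinstance(dep, str) else dep
            yield dep["name"], dep.get("version>=", ""), via


def build_inventory(manifests):
    """Merge per-project manifests (project -> parsed vcpkg.json) into one map."""
    inventory = {}
    for project, manifest in manifests.items():
        pins = {o["name"]: o["version"] for o in manifest.get("overrides", [])}
        for name, min_version, via in iter_dependencies(manifest):
            item = inventory.setdefault(name, SoupItem(name=name))
            item.projects.add(project)
            item.via.add(via)
            if min_version and (not item.min_version or
                                version_key(min_version) > version_key(item.min_version)):
                item.min_version = min_version
            if name in pins:
                item.pinned.add(pins[name])
            item.license = LICENSE_DB.get(name, "UNKNOWN")
            item.risk = "N/A" if item.test_only else RISK_DB.get(name, "Unclassified")
    return inventory


def audit(inventory):
    """Findings to clear before docs/SOUP-LIST.md is signed off."""
    items = inventory.values()
    return {
        "unknown_license": sorted(i.name for i in items if i.license == "UNKNOWN"),
        "unclassified_risk": sorted(i.name for i in items if i.risk == "Unclassified"),
        # LGPL obligations depend on how the library is linked, so each item needs a policy.
        "lgpl_linking_policy": sorted(i.name for i in items
                                      if i.license.startswith("LGPL")),
        # No "overrides" pin: the version comes from the builtin-baseline, which this
        # script does not resolve, so the actual pinned version must be recorded by hand.
        "no_override_pin": sorted(i.name for i in items
                                  if not i.pinned and not i.test_only),
    }


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_MANIFESTS)
    print({n: (i.license, i.risk) for n, i in sorted(inv.items())}, audit(inv))
```

To run it on the real tree, replace SAMPLE_MANIFESTS with a dict built from json.load on each project's vcpkg.json. The no_override_pin finding is deliberately noisy: most ecosystem manifests pin through builtin-baseline rather than overrides, so the "actual pinned version" column in SOUP-LIST.md has to come from the resolved baseline, not from the manifest text alone.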
SOUP Summary (Current State)
| SOUP | Projects | License | Risk |
|---|---|---|---|
| fmt | logger, network, database | MIT | Low |
| asio | network, database | BSL-1.0 | High |
| zlib | network | zlib | Medium |
| libiconv | thread | LGPL-2.1 | Low |
| OpenSSL | logger, network, database | Apache-2.0 | Critical |
| gRPC | logger, monitoring | Apache-2.0 | High |
| protobuf | logger, monitoring | BSD-3-Clause | Medium |
| opentelemetry-cpp | logger | Apache-2.0 | Medium |
| spdlog | thread, database | MIT | Low |
| libpq/libpqxx | database | PostgreSQL (libpq) / BSD-3-Clause (libpqxx) | High |
| libmariadb | database | LGPL-2.1 | High |
| sqlite3 | database | Public Domain | Medium |
| mongo-cxx-driver | database | Apache-2.0 | High |
| hiredis | database | BSD-3-Clause | Medium |
| gtest/gmock | all (test only) | BSD-3-Clause | N/A |
| benchmark | all (test only) | Apache-2.0 | N/A |
Acceptance Criteria
- docs/SOUP-LIST.md created with all ecosystem SOUP items
- LICENSE-THIRD-PARTY file created with all third-party license texts