
docs(deps): create ecosystem-wide SOUP inventory and LICENSE-THIRD-PARTY #384

Merged: kcenon merged 1 commit into main from docs/issue-382-create-ecosystem-soup-inventory on Mar 5, 2026

Conversation

kcenon (Owner) commented Mar 5, 2026

Closes #382

Summary

  • Create docs/SOUP-LIST.md cataloging all 17 SOUP items across the kcenon ecosystem
  • Create LICENSE-THIRD-PARTY with consolidated third-party license texts
  • Each SOUP entry includes: name, version, SPDX license, purpose, risk classification, anomaly impact
  • LGPL-2.1 items (libiconv, libmariadb) flagged with dynamic linking policy
  • License compatibility matrix and quarterly review schedule included

SOUP Coverage

| Risk Level | Components |
|------------|------------|
| Critical | OpenSSL |
| High | ASIO, libmariadb, libpq/libpqxx, mongo-cxx-driver, gRPC |
| Medium | fmt, zlib, protobuf, sqlite3, hiredis, opentelemetry-cpp |
| Low | libiconv, spdlog |
| Test-only | gtest/gmock, benchmark |

Test Plan

  • Verify SOUP-LIST.md entries match actual vcpkg.json dependencies
  • Verify LICENSE-THIRD-PARTY covers all license types used
  • Confirm LGPL items are correctly flagged with compliance requirements
  • Cross-reference with existing LICENSE-THIRD-PARTY files in thread_system, network_system, database_system
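One way to script the first test-plan item (SOUP-LIST.md entries against vcpkg.json dependencies) together with the LGPL flag check, as an added example that is not part of this PR: the SOUP table columns and the convention that LGPL rows carry a "dynamic linking" note are assumptions, and both manifests and the table excerpt are constructed samples.

```python
"""Cross-check a SOUP inventory against vcpkg.json manifests (example, not project code)."""
import json

# Constructed vcpkg.json manifests for two projects. Real manifests list
# dependencies either as plain strings or as objects with a "name" key.
VCPKG_MANIFESTS = {
    "network_system": json.dumps(
        {"dependencies": ["asio", "fmt", "zlib", {"name": "openssl"}]}),
    "database_system": json.dumps(
        {"dependencies": ["libpq", "libmariadb",
                          {"name": "fmt", "platform": "!windows"}]}),
}

# Constructed SOUP-LIST.md excerpt (assumed column layout). libmariadb is
# deliberately missing the dynamic-linking note so the audit catches it.
SOUP_LIST_MD = """\
| Name | Version | License | Risk | Notes |
|------|---------|---------|------|-------|
| openssl | 3.x | Apache-2.0 | Critical | |
| asio | 1.30 | BSL-1.0 | High | |
| fmt | 11 | MIT | Medium | |
| libmariadb | 3.x | LGPL-2.1 | High | |
| libpq | 16 | PostgreSQL | High | |
| spdlog | 1.x | MIT | Low | |
"""

def manifest_deps(text):
    """Return the set of dependency names declared in one vcpkg.json."""
    deps = json.loads(text).get("dependencies", [])
    return {d if isinstance(d, str) else d["name"] for d in deps}

def parse_soup_table(md):
    """Parse the markdown SOUP table into {name: {license, risk, notes}}."""
    rows = {}
    for line in md.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or cells[0] == "Name" or set(cells[0]) <= {"-"}:
            continue  # skip header, separator and blank lines
        rows[cells[0]] = {"license": cells[2], "risk": cells[3], "notes": cells[4]}
    return rows

def audit(manifests, soup_md):
    """Report deps missing from the SOUP list, stale SOUP rows, and LGPL rows
    that lack the dynamic-linking policy note."""
    used = set().union(*(manifest_deps(t) for t in manifests.values()))
    soup = parse_soup_table(soup_md)
    return {
        "undocumented": sorted(used - soup.keys()),
        "stale": sorted(soup.keys() - used),
        "lgpl_unflagged": sorted(
            n for n, e in soup.items()
            if e["license"].startswith("LGPL")
            and "dynamic linking" not in e["notes"].lower()),
    }
```

Run `audit(VCPKG_MANIFESTS, SOUP_LIST_MD)` in CI and fail the job when any of the three lists is non-empty.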

Add comprehensive SOUP (Software of Unknown Provenance) inventory
documenting all third-party dependencies across the kcenon ecosystem:

- docs/SOUP-LIST.md: Catalogs 17 SOUP items with version, license (SPDX),
  purpose, risk classification (Critical/High/Medium/Low), and anomaly
  impact assessment per IEC 62304 requirements
- LICENSE-THIRD-PARTY: Consolidates all third-party license texts (MIT,
  BSL-1.0, Apache-2.0, BSD-3-Clause, Zlib, PostgreSQL, LGPL-2.1, Public
  Domain) with copyright holders and compliance obligations
- Flags LGPL-2.1 items (libiconv, libmariadb) with dynamic linking policy
- Documents GPL-2.0 prohibition following libmysql removal (2026-03)
- Includes license compatibility matrix and maintenance schedule

Closes #382
kcenon (Owner, Author) commented Mar 5, 2026

Test Plan Verification - All Checks Passed

Verification Date: 2026-03-06
Status: All CI/CD checks GREEN

CI Results Summary

| Check Category | Count | Status |
|----------------|-------|--------|
| Multi-platform builds (gcc, clang, msvc) | 3 | All Passed |
| Integration tests (4 configs) | 4 | All Passed |
| Sanitizers (thread, address, undefined) | 3 | All Passed |
| Code coverage | 1 | Passed |
| Static analysis (clang-tidy, cppcheck) | 2 | All Passed |
| Performance benchmarks (ubuntu, macos) | 2 | All Passed |
| Module builds (clang-16, msvc) | 2 | All Passed |
| Warning checks (gcc, clang) | 2 | All Passed |
| Circular dependency check | 1 | Passed |
| SBOM generation | 1 | Passed |
| Security (gitguardian) | 1 | Passed |
| Total | 24 | All Passed |

Test Plan Items Verified

  • SOUP-LIST.md entries match vcpkg.json: All 17 SOUP items cross-referenced against 7 project vcpkg.json files
  • LICENSE-THIRD-PARTY covers all license types: 8 license types documented (MIT, BSL-1.0, Apache-2.0, BSD-3-Clause, Zlib, PostgreSQL, LGPL-2.1, Public Domain)
  • LGPL items flagged: libiconv and libmariadb correctly flagged with dynamic linking policy
  • Cross-reference verified: Consistent with existing LICENSE-THIRD-PARTY files in thread_system, network_system, database_system
  • No build impact: Documentation-only changes, all builds and tests unaffected

Ready for Review

All 24 CI checks passed. This PR is ready for code review and merge.

@kcenon kcenon merged commit c68c6ae into main Mar 5, 2026
24 checks passed
@kcenon kcenon deleted the docs/issue-382-create-ecosystem-soup-inventory branch March 5, 2026 20:49
kcenon added a commit that referenced this pull request Apr 13, 2026
…RTY (#384)
Development

Successfully merging this pull request may close these issues.

chore(deps): Create ecosystem-wide SOUP inventory and LICENSE-THIRD-PARTY document