{"id":37027030,"url":"https://github.com/aschet/spdx-license-compat","last_synced_at":"2026-01-14T03:11:47.060Z","repository":{"id":54055723,"uuid":"89005584","full_name":"aschet/spdx-license-compat","owner":"aschet","description":"A graph based license compatibility analysis library that operates on SPDX identifiers and expressions.","archived":false,"fork":false,"pushed_at":"2021-03-09T23:47:55.000Z","size":29,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-24T14:11:49.739Z","etag":null,"topics":["license-checking","spdx","spdx-license"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aschet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-04-21T16:54:25.000Z","updated_at":"2023-03-15T14:42:40.000Z","dependencies_parsed_at":"2022-08-13T06:20:39.215Z","dependency_job_id":null,"html_url":"https://github.com/aschet/spdx-license-compat","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/aschet/spdx-license-compat","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aschet%2Fspdx-license-compat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aschet%2Fspdx-license-compat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aschet%2Fspdx-license-compat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aschet%2Fspdx-license-compat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/aschet","download_url":"https://codeload.github.com/aschet/spdx-license-compat/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aschet%2Fspdx-license-compat/sbom","scorecard":{"id":211004,"data":{"date":"2025-08-11","repo":{"name":"github.com/aschet/spdx-license-compat","commit":"224200643a56021b521a8e4423fba9fe0184caba"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.7,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/13 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as 
a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU Lesser General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"33 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-5mg8-w23w-74h3","Warn: Project is vulnerable to: GHSA-7g45-4rm6-3mm3","Warn: Project is vulnerable to: GHSA-mvr2-9pj6-7w5j","Warn: Project is vulnerable to: GHSA-q446-82vq-w674","Warn: Project is vulnerable to: GHSA-j288-q9x7-2f5v","Warn: Project is vulnerable to: GHSA-6pcc-3rfx-4gpm","Warn: Project is vulnerable 
to: GHSA-hwj3-m3p6-hj38","Warn: Project is vulnerable to: GHSA-269g-pwp5-87pp","Warn: Project is vulnerable to: GHSA-2qrg-x229-3v8q","Warn: Project is vulnerable to: GHSA-65fg-84f6-3jq3","Warn: Project is vulnerable to: GHSA-f7vh-qwp3-x37m","Warn: Project is vulnerable to: GHSA-fp5r-v3w9-4333","Warn: Project is vulnerable to: GHSA-w9p3-5cr8-m3jj","Warn: Project is vulnerable to: GHSA-7r82-7xv7-xcpj","Warn: Project is vulnerable to: GHSA-523c-xh4g-mh5m","Warn: Project is vulnerable to: GHSA-5wfp-8643-c58x","Warn: Project is vulnerable to: GHSA-78vv-qj73-h9m5","Warn: Project is vulnerable to: GHSA-9jwc-q6j3-8g9g","Warn: Project is vulnerable to: GHSA-jqx5-h2hw-5q4f","Warn: Project is vulnerable to: GHSA-q56h-jjj6-52mf","Warn: Project is vulnerable to: GHSA-x9mm-6gpf-f749","Warn: Project is vulnerable to: GHSA-gmg8-593g-7mv3","Warn: Project is vulnerable to: GHSA-mw3r-pfmg-xp92","Warn: Project is vulnerable to: GHSA-3p86-9955-h393","Warn: Project is vulnerable to: GHSA-vrpq-qp53-qv56","Warn: Project is vulnerable to: GHSA-48rh-qgjr-xfj6","Warn: Project is vulnerable to: GHSA-gp7f-rwcx-9369","Warn: Project is vulnerable to: GHSA-m72m-mhq2-9p6c","Warn: Project is vulnerable to: GHSA-334p-wv2m-w3vp","Warn: Project is vulnerable to: GHSA-7j4h-8wpf-rqfh","Warn: Project is vulnerable to: GHSA-h65f-jvqw-m9fj","Warn: Project is vulnerable to: GHSA-vmqm-g3vh-847m","Warn: Project is vulnerable to: GHSA-w4jq-qh47-hvjq"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T00:46:10.158Z","repository_id":54055723,"created_at":"2025-08-17T00:46:10.158Z","updated_at":"2025-08-17T00:46:10.158Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408815,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["license-checking","spdx","spdx-license"],"created_at":"2026-01-14T03:11:46.450Z","updated_at":"2026-01-14T03:11:47.052Z","avatar_url":"https://github.com/aschet.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# spdx-license-compat\n\nSpdx-license-compat is a Java library which implements a graph based license compatibility analysis [1] and operates on [SPDX](https://spdx.org/spdx-specification-21-web-version) identifiers and expressions. While some design decisions and the graph database were derived from the [SPDX License Compatibility RESTful Service](https://github.com/dpasch01/spdx-compat-tools), this library itself is a clean-room implementation. 
Spdx-license-compat builds on top of the [SPDX tools](https://github.com/spdx/tools) and provides the following features:\n- Compatibility check between SPDX license identifiers (with the `+` and `WITH` operators) and non-SPDX-listed licenses.\n- Compatibility analysis of SPDX license expressions.\n- Compatibility analysis for SPDX elements with dual or multi-licensing.\n\n## Operations\n\nLicense compatibility check:\n\n```java\nAnyLicenseInfo GPL = LicenseInfoFactory.parseSPDXLicenseString(\"GPL-3.0+\");\nAnyLicenseInfo MIT = LicenseInfoFactory.parseSPDXLicenseString(\"MIT\");\n\nLicenseCompatStrategy compatStrategy = LicenseCompatGraph.createFromResources();\ncompatStrategy.areCompatible(GPL, MIT); // -\u003e true\n```\n\nCompatibility analysis for SPDX license expressions:\n\n```java\nAnyLicenseInfo expression = LicenseInfoFactory.parseSPDXLicenseString(\"(((LGPL-3.0+ OR MIT) AND GPL-2.0) OR BSD-3-Clause)\");\n\nLicenseCompatAnalysis analysis = new LicenseCompatAnalysis(LicenseCompatGraph.createFromResources());\nanalysis.analyseExpressions(expression); // conflict between LGPL-3.0+ and GPL-2.0\n```\n\nCompatibility analysis for SPDX elements:\n\n```java\nAnyLicenseInfo declaredLicense = LicenseInfoFactory.parseSPDXLicenseString(\"(AGPL-3.0 OR GPL-3.0)\");\nAnyLicenseInfo[] licensesFromFiles = new AnyLicenseInfo[3];\nlicensesFromFiles[0] = LicenseInfoFactory.parseSPDXLicenseString(\"GPL-3.0\");\nlicensesFromFiles[1] = LicenseInfoFactory.parseSPDXLicenseString(\"LGPL-3.0+\");\nlicensesFromFiles[2] = LicenseInfoFactory.parseSPDXLicenseString(\"MIT\");\n\nLicenseCompatAnalysis analysis = new LicenseCompatAnalysis(LicenseCompatGraph.createFromResources());\nanalysis.analyse(declaredLicense, licensesFromFiles); // no conflicts\n```\n\n## Limitations\n\n- License exceptions are ignored by the compatibility analysis.\n- Ordered forward compatibility checking is currently not implemented (e.g. 
`GPL-2.0+ -\u003e GPL-3.0` vs `GPL-3.0 -\u003e GPL-2.0+`).\n- No possible adjustments are suggested in case of license conflicts.\n- Only a fraction of the existing SPDX license identifiers is supported: AFL-3.0, AGPL-1.0, AGPL-3.0, Apache-1.0, Apache-2.0, APSL-1.0, Artistic-2.0, BSD-2-Clause-FreeBSD, BSD-3-Clause, CDDL-1.0, CDDL-1.1, CECILL-2.0, EUPL-1.1, GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, Libpng, MIT, MPL-1.1, MPL-2.0, OSL-3.0, X11, Zlib.\n\n## Compiling and Integration\n\nMaven is used as the build system. To build from source use:\n\n```\nmvn package\n```\n\nspdx-license-compat is available via the Maven Central Repository:\n\n```\n\u003cdependency\u003e\n  \u003cgroupId\u003ecom.github.aschet\u003c/groupId\u003e\n  \u003cartifactId\u003espdx-license-compat\u003c/artifactId\u003e\n  \u003cversion\u003e1.0.0\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n## References\n\n[1] Kapitsaki, Georgia M., Frederik Kramer and Nikolaos D. Tselikas (2016). Automating the License Compatibility Process in Open Source Software with SPDX. In: Journal of Systems and Software. DOI: [10.1016/j.jss.2016.06.064](http://dx.doi.org/10.1016/j.jss.2016.06.064).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faschet%2Fspdx-license-compat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faschet%2Fspdx-license-compat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faschet%2Fspdx-license-compat/lists"}
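The README above shows spdx-license-compat checking one pair of licenses at a time. The typical supply-chain use is to run that pairwise check across every component in an SBOM against the project's own license and fail the build on conflicts. The following is an added example, not code from the aschet/spdx-license-compat project; it uses only the calls the README documents (`LicenseInfoFactory.parseSPDXLicenseString`, `LicenseCompatGraph.createFromResources()`, `LicenseCompatStrategy.areCompatible`). The package name of the spdx-license-compat classes is an assumption (the page only gives the Maven groupId `com.github.aschet`), the `org.spdx.rdfparser.license` imports are those of the SPDX tools 2.x line the README builds on, the SBOM rows are constructed sample data, and the `SbomLicenseGate` and `Component` names are my own.

```java
import java.util.ArrayList;
import java.util.List;

// SPDX tools 2.x types used by the README snippets.
import org.spdx.rdfparser.license.AnyLicenseInfo;
import org.spdx.rdfparser.license.LicenseInfoFactory;
// Package name is an assumption (not stated on the page); adjust to the artifact's real package.
import com.github.aschet.spdx.compat.LicenseCompatGraph;
import com.github.aschet.spdx.compat.LicenseCompatStrategy;

/** Gate that checks every component license in an SBOM against the project's declared license. */
public class SbomLicenseGate {

    /** One SBOM row: component name plus the single SPDX identifier it was scanned with. */
    static final class Component {
        final String name;
        final String licenseId;

        Component(String name, String licenseId) {
            this.name = name;
            this.licenseId = licenseId;
        }
    }

    /**
     * Returns "name (license)" for every component the compatibility graph does not consider
     * compatible with the project license. Only single identifiers (optionally with '+') are
     * passed to areCompatible, matching the README's usage; full SPDX expressions such as
     * "(A OR B)" belong to LicenseCompatAnalysis instead. parseSPDXLicenseString throws a
     * checked exception on malformed input, hence "throws Exception".
     */
    static List<String> findConflicts(String projectLicenseId, List<Component> sbom) throws Exception {
        LicenseCompatStrategy strategy = LicenseCompatGraph.createFromResources();
        AnyLicenseInfo project = LicenseInfoFactory.parseSPDXLicenseString(projectLicenseId);
        List<String> conflicts = new ArrayList<>();
        for (Component c : sbom) {
            AnyLicenseInfo dep = LicenseInfoFactory.parseSPDXLicenseString(c.licenseId);
            // Argument order follows the README (project license first, incoming license second).
            if (!strategy.areCompatible(project, dep)) {
                conflicts.add(c.name + " (" + c.licenseId + ")");
            }
        }
        return conflicts;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a GPL-3.0 project pulling in four third-party components.
        List<Component> sbom = new ArrayList<>();
        sbom.add(new Component("libfoo", "MIT"));
        sbom.add(new Component("libbar", "Apache-2.0"));
        sbom.add(new Component("libbaz", "GPL-2.0"));   // GPL-2.0-only: the usual conflict with GPL-3.0
        sbom.add(new Component("libqux", "LGPL-2.1"));

        List<String> conflicts = findConflicts("GPL-3.0", sbom);
        for (String conflict : conflicts) {
            System.err.println("license conflict: " + conflict);
        }
        // Non-zero exit lets a CI job fail the build on any conflict.
        System.exit(conflicts.isEmpty() ? 0 : 1);
    }
}
```

Two caveats follow directly from the README's Limitations section: the graph ignores license exceptions, so a `WITH` clause on a component will not rescue an otherwise conflicting pair, and ordered forward-compatibility is not implemented, so a `true` from `areCompatible` should not be read as "the component may be relicensed under the project license" in a specific direction. Identifiers outside the supported subset listed there should be rejected or reviewed manually before the result is trusted.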