Feature Request: Provide third party / OSS bill of material and license / copyright list on build #10993

Open
@markusschaber

Description

(I'm posting this feature request here for discussion, as recommended on the DotNetEvolution Discord.)

My feature request is some mechanism to automatically provide a third party / OSS bill of materials and license / copyright list when building a .NET application. With a growing number of dependencies, it's not easy to keep such a list up to date manually. Such mechanisms exist on other platforms; for example, we use https://www.npmjs.com/package/license-webpack-plugin with Angular.

Reasons why this feature is useful:

  1. Such a bill of materials is the base for license compliance. Developers and compliance departments need a reliable way to see which licenses are applicable (including indirect dependencies), so they can make sure the licenses are followed (or dependencies with unacceptable licenses are removed/replaced).
  2. Such a bill of materials is also security relevant - those packages need to be monitored for CVEs to see which version is affected, and whether a security update is necessary.
  3. Some jurisdictions (e.g. German copyright law) require that the authors / copyright holders are declared when a product is redistributed (except when they explicitly waive this).

This is especially important for scenarios like <PublishSingleFile> or client side Blazor: For example, the Apache License states "a) You must give any other recipients of the Work or Derivative Works a copy of this License;" - According to the lawyers at OSADL (https://www.osadl.org/), the word "give" means that the text including the license must be downloaded to the browser when the web application is downloaded. It is not sufficient to just provide a link to the license text, or download it on demand when the user clicks on a "show licenses" link/button in the web application, or just copy-paste it somewhere in the documentation (this was sufficient back when the software and documentation were physically shipped together).

IANAL, but as far as I understood, it's ok for a web app when the licenses are in a separate file, and the license is only actually displayed when the user clicks on the button, but it must be downloaded (into the browser's memory) each time the application is downloaded. Their detailed analysis is members only: https://www.osadl.org/?id=3543.

I cannot see this feature being easily implemented as an add-on NuGet tool. As far as I can see, this feature needs to be provided by the tool chain (NuGet, MSBuild, Linker...) playing together, as

  1. The resulting list needs to be included within the deliverable, which might be especially difficult with <PublishSingleFile>.
  2. We need to avoid false positives (e.g. NuGet packages which are not actually used, or which just provide build tools / analyzers, or whose references are dropped by the linker because the referencing code itself is dropped).
  3. On the other hand, when using single file publishing, or client side Blazor, (parts of) the framework and runtime are included within the final product, so they also must be included in the List.
  4. Also, there should be some mechanism to manually "inject" additional license files when code is included via other mechanisms (e.g. copy-paste, git submodules, ...).

There is https://github.com/tomchavakis/nuget-license, but as far as I can see, it does not take linking into account, and it misses the framework/runtime itself (which is not referenced as a NuGet package). And I could not find an easy way to get the generated list included within the compiled application.
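Added example, not code from the issue author or from any .NET / NuGet tooling: a small Python sketch of the "avoid false positives" and "inject extra entries" parts of the request. NuGet's restore output (obj/project.assets.json) records, per target framework, every resolved package and which asset groups (compile, runtime, build, ...) it contributes, so packages that only carry build/analyzer assets can be dropped from the list without guessing. The JSON, the package names and the license / copyright values are constructed sample data; in a real tool the license and copyright would be read from each package's .nuspec in the global packages folder, and the framework version would come from the publish step.

```python
"""Derive a runtime-only third-party list from a NuGet restore graph.

Added example; all package names, licenses and copyrights are constructed.
"""
import json

# Constructed, trimmed-down project.assets.json; only fields the walker reads are kept.
SAMPLE_ASSETS = r"""{
  "version": 3,
  "targets": {
    "net8.0": {
      "Acme.Logging/2.0.0": {
        "type": "package",
        "dependencies": {"Acme.Core": "1.4.0"},
        "compile": {"lib/net8.0/Acme.Logging.dll": {}},
        "runtime": {"lib/net8.0/Acme.Logging.dll": {}}
      },
      "Acme.Core/1.4.0": {
        "type": "package",
        "compile": {"lib/netstandard2.0/Acme.Core.dll": {}},
        "runtime": {"lib/netstandard2.0/Acme.Core.dll": {}}
      },
      "Acme.Analyzers/1.0.0": {
        "type": "package",
        "build": {"build/Acme.Analyzers.props": {}}
      },
      "Acme.Native/3.2.0": {
        "type": "package",
        "runtimeTargets": {
          "runtimes/linux-x64/native/libacme.so": {"assetType": "native", "rid": "linux-x64"}
        }
      }
    }
  },
  "projectFileDependencyGroups": {
    "net8.0": ["Acme.Logging >= 2.0.0", "Acme.Analyzers >= 1.0.0", "Acme.Native >= 3.2.0"]
  },
  "project": {
    "frameworks": {
      "net8.0": {"frameworkReferences": {"Microsoft.NETCore.App": {"privateAssets": "all"}}}
    }
  }
}"""

# Constructed stand-in for the <license>/<copyright> elements of each package's .nuspec.
NUSPEC_METADATA = {
    "Acme.Logging": ("MIT", "Copyright (c) Acme Logging contributors"),
    "Acme.Core": ("Apache-2.0", "Copyright 2019 Acme Corp"),
    "Acme.Analyzers": ("MIT", "Copyright (c) Acme Corp"),
    "Acme.Native": ("BSD-3-Clause", "Copyright (c) 2021 Acme Native authors"),
}

# Asset groups whose files are copied into the output. "compile" (reference
# assemblies) and "build" (props/targets, analyzers) are deliberately absent.
SHIPPED_ASSET_GROUPS = ("runtime", "runtimeTargets", "native", "resource")


def load_sample():
    """Parse the constructed project.assets.json above."""
    return json.loads(SAMPLE_ASSETS)


def shipped_packages(assets, tfm):
    """Return {package_id: version} for every package reachable from the
    project's direct references that contributes files to the output."""
    target = assets["targets"][tfm]
    by_id = {key.split("/", 1)[0]: key for key in target}
    stack = [line.split()[0] for line in assets["projectFileDependencyGroups"][tfm]]
    seen, shipped = set(), {}
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        key = by_id[pid]
        entry = target[key]
        # Dependencies are walked even for build-only packages; each node is
        # judged on its own asset groups, which is how NuGet selects assets.
        stack.extend(entry.get("dependencies", {}))
        if entry.get("type") == "package" and any(g in entry for g in SHIPPED_ASSET_GROUPS):
            shipped[pid] = key.split("/", 1)[1]
    return shipped


def build_bom(assets, tfm, nuspec_metadata, framework_version=None, extra_entries=()):
    """Assemble the list. framework_version, when given, marks a self-contained /
    single-file publish, where the shared framework ships inside the product."""
    bom = [
        {"name": pid, "version": ver, "license": nuspec_metadata[pid][0],
         "copyright": nuspec_metadata[pid][1], "source": "nuget"}
        for pid, ver in sorted(shipped_packages(assets, tfm).items())
    ]
    if framework_version:
        for fw in assets["project"]["frameworks"][tfm].get("frameworkReferences", {}):
            # dotnet/runtime is MIT licensed; copyright line as in its LICENSE.TXT.
            bom.append({"name": fw, "version": framework_version, "license": "MIT",
                        "copyright": "Copyright (c) .NET Foundation and Contributors",
                        "source": "framework"})
    bom.extend(extra_entries)  # manually injected: submodules, copy-pasted code, ...
    return bom


def render_notices(bom):
    """Plain-text THIRD-PARTY-NOTICES body (full license texts per SPDX id would follow)."""
    lines = []
    for e in bom:
        lines.append(f"{e['name']} {e['version']} ({e['source']})")
        lines.append(f"  License: {e['license']}")
        lines.append(f"  {e['copyright']}")
    return "\n".join(lines)


if __name__ == "__main__":
    vendored = [{"name": "tiny-parser (git submodule)", "version": "1.2.0",
                 "license": "BSD-2-Clause", "copyright": "Copyright (c) 2020 Example Author",
                 "source": "submodule"}]
    print(render_notices(build_bom(load_sample(), "net8.0", NUSPEC_METADATA, "8.0.0", vendored)))
```

Run stand-alone, the script lists Acme.Core, Acme.Logging and Acme.Native (the analyzer package is excluded because it has no runtime assets), adds Microsoft.NETCore.App because a framework version was passed, and appends the manually injected submodule entry. What this sketch cannot do is exactly the gap the request points at: ExcludeAssets settings and assemblies removed by the trimmer are not visible in project.assets.json, so a list that is accurate after trimming has to come from the tool chain itself.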
