Integration of SW360 and LicenseDB
Goal
To establish LicenseDB as the single source of truth for all license and obligation data within SW360, eliminating fragmented data management and ensuring consistency across workflows.
Problem Statement
Currently, SW360 manages license and obligation information through multiple decentralized mechanisms:
• Manual license creation
• Import from OSADL
• Import from SPDX
• Manual obligation creation
This fragmented approach can lead to:
• Data inconsistencies
• Manual overhead
• Human error in obligation definitions
• Lack of a centralized, authoritative license source
Additionally, existing CLI and XML-based workflows automatically create licenses if they do not exist, further contributing to decentralization.
Proposed Solution
This project aims to integrate SW360 directly with LicenseDB and remove redundant license management mechanisms.
The key components of the solution are:
1. Deprecation of Redundant Data Entry
• Remove manual license creation functionality.
• Remove direct import mechanisms from OSADL and SPDX.
• Disable manual obligation creation.
After this change, licenses and obligations must originate exclusively from LicenseDB.
2. Integration Layer with LicenseDB
Develop a robust integration layer between SW360 and LicenseDB including:
OAuth Integration
• Implement Machine-to-Machine OAuth 2.0 Client Credentials flow.
• Secure authentication between SW360 and LicenseDB.
Data Fetching
• Fetch license metadata and associated obligations via REST APIs.
Data Mapping
• Map LicenseDB data structures to SW360’s internal License and Obligation entities.
• Ensure compatibility with the existing SW360 data model.
Data Persistence
• Persist fetched licenses and obligations into SW360’s database.
• Maintain synchronization logic for updates.
3. Workflow Adaptation
Update existing SW360 workflows:
• CLI-based operations
• XML import workflows
Current behavior:
If license not found → create new license
New behavior:
If license not found → fetch from LicenseDB
This ensures workflows remain functional without manual creation mechanisms.
4. Runtime Resilience Strategy
To avoid system disruption if LicenseDB is temporarily unavailable:
• Allow usage of already-synchronized licenses.
• Block creation or usage of unknown licenses until LicenseDB becomes available.
This ensures production stability while preserving the single source of truth.
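As an added illustration of the token handling, the "fetch instead of create" lookup and the resilience rule above (example code written for this proposal, not SW360's or LicenseDB's own code; SW360 itself is a Java project, and the transport functions, the License fields and the exception names here are assumptions):

```python
import time
from dataclasses import dataclass


class LicenseDBUnavailable(Exception):
    """Raised by the transport when LicenseDB cannot be reached."""


class UnknownLicenseBlocked(Exception):
    """Raised instead of auto-creating a license SW360 has never synchronized."""


@dataclass(frozen=True)
class License:
    short_name: str
    text: str
    obligations: tuple  # obligation titles as delivered by LicenseDB (assumed shape)


class ClientCredentialsTokenProvider:
    """Caches a machine-to-machine access token and refreshes it before expiry."""

    def __init__(self, request_token, skew_seconds=30, clock=time.monotonic):
        # request_token() performs the client-credentials grant and returns
        # (access_token, expires_in_seconds); the HTTP call itself is injected.
        self._request_token = request_token
        self._skew = skew_seconds
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._token, ttl = self._request_token()
            self._expires_at = self._clock() + ttl
        return self._token


class LicenseResolver:
    """Replaces 'if not found, create' with 'if not found, fetch from LicenseDB'."""

    def __init__(self, local_store, fetch_remote, token_provider):
        self.local = local_store           # already-synchronized licenses (SW360 DB stand-in)
        self._fetch_remote = fetch_remote  # fetch_remote(short_name, token) -> License | None
        self._tokens = token_provider

    def resolve(self, short_name):
        if short_name in self.local:
            return self.local[short_name]  # synchronized copies stay usable while LicenseDB is down
        try:  # token request and data fetch both depend on LicenseDB being reachable
            lic = self._fetch_remote(short_name, self._tokens.token())
        except LicenseDBUnavailable as exc:
            raise UnknownLicenseBlocked(f"{short_name}: LicenseDB unavailable") from exc
        if lic is None:
            raise UnknownLicenseBlocked(f"{short_name}: not defined in LicenseDB")
        self.local[short_name] = lic  # persist so later lookups succeed offline
        return lic
```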
Enhancement
Introduce a release-level snapshot mechanism:
• Capture license text and obligations at release finalization.
• Store version/hash metadata.
• Preserve compliance history even if LicenseDB updates definitions later.
This is considered an advanced compliance-stability feature and not part of the core mandatory scope.
Expected Outcome
• LicenseDB becomes the authoritative source.
• Elimination of inconsistent manual entries.
• Streamlined compliance management.
• Improved architectural consistency within SW360.
Mentor Feedback Requested
@GMishx @deo002
This enhancement is being proposed as part of my GSoC 2026 project plan.
I would greatly appreciate your feedback on:
• The OAuth-based integration approach
• Data mapping and persistence strategy
• Workflow adaptation feasibility
• Scope suitability within a GSoC timeline
I am happy to refine the design based on your guidance.