[Feature Request] Add support for license compliance analyzers #155

@pdbaumhart

Description

Is your feature request related to a problem? Please describe.

scfw in its current form provides critical feedback about vulnerabilities to users at the time of dependency installation.

For many products / projects there is an opportunity for scfw to provide additional feedback to users about OSS licensing implications (i.e., copyleft or viral licensing) for the dependencies they are introducing.

This would prevent rework for teams who inadvertently introduce dependencies that do not align with their project or organization's licensing models.


Describe the solution you'd like

scfw could be enhanced to add additional analyzers that will look at the licenses associated with the packages that a user is trying to install. Some potential considerations:

  • This feature should be optional, and not enabled by default (this behavior would maintain the focus of scfw on looking at security concerns, but give an optional enhancement to users that would benefit from licensing support) → this would be managed via a config file or flags
  • An initial list of reject/warn lists could be provided based on guidance from a source like FOSSA, with the ability to extend or replace using a customized disallowlist → this would be managed via a config file or flags
  • The analyzers should perform a best effort check; if licensing information cannot be identified it should print a warning but proceed with installation; this is to accommodate libraries that may not have licenses declared in a conventional location (e.g., the package.json)
    • The user experience of this should be similar to the output formats of the vulnerability data that scfw generates today
  • Possible data sources for analyzers could include:
    • The package repositories that are already supported by scfw (e.g., npm, PyPI)
    • ClearlyDefined

Describe alternatives you've considered

  • The dd-license-attribution library provides similar functionality, but does not have support to do checks at the time of installation. This proposed feature would have the potential to support users earlier in the SDLC, rather than at the time of commit or PR when a formal attribution check is performed

Additional context

Since scfw has been focused on security, it isn't clear if this would align to the goals of the project. I wanted to get feedback on whether this would be of interest for the project before I forked and did a PR.
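A sketch of the best-effort license check proposed in the solution section above, added here as an illustration; it is neither scfw code nor the issue author's. The policy dict stands in for the proposed config file, and `spdx_ids`, `classify_ids`, `check_license`, `evaluate` and the package metadata are all constructed for this example.

```python
import re

# Hypothetical policy (stands in for the proposed config file): SPDX ids to
# block, to flag for review, or to allow outright.
POLICY = {
    "reject": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"},
    "warn": {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"},
    "allow": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "0BSD"},
}

# Constructed metadata in the shape of npm package.json / PyPI "license" fields.
PACKAGES = {
    "permissive-lib": {"license": "MIT"},
    "copyleft-lib": {"license": "GPL-3.0-only"},
    "dual-lib": {"license": "(MIT OR AGPL-3.0-only)"},
    "weak-copyleft-lib": {"license": "LGPL-2.1-only"},
    "odd-lib": {"license": "SEE LICENSE IN LICENSE.txt"},
    "silent-lib": {},
}

def spdx_ids(expression):
    """Split a license expression into bare identifiers, dropping operators and parens."""
    return [t for t in re.split(r"[()\s]+", expression)
            if t and t.upper() not in {"AND", "OR", "WITH"}]

def classify_ids(ids, policy):
    """Worst identifier wins; identifiers the policy does not know only warn."""
    if any(i in policy["reject"] for i in ids):
        return "reject"
    if any(i in policy["warn"] for i in ids):
        return "warn"
    return "ok" if ids and all(i in policy["allow"] for i in ids) else "warn"

def check_license(name, metadata, policy=POLICY):
    """Return (level, reason). Missing or unrecognized license data warns but never blocks."""
    expr = metadata.get("license")
    if not expr:
        return "warn", f"{name}: no license declared in metadata"
    # Dual licensing: the installer may take any OR alternative, so the best one decides.
    # Simplification: OR alternatives are assumed not to be nested inside parentheses.
    best = {}
    for alt in re.split(r"\s+OR\s+", expr.strip("() ")):
        best.setdefault(classify_ids(spdx_ids(alt), policy), alt.strip())
    level = next(l for l in ("ok", "warn", "reject") if l in best)
    return level, f"{name}: {expr} (decided by '{best[level]}')"

def evaluate(packages, policy=POLICY):
    """Verdict per package plus whether the install should be refused (any reject)."""
    verdicts = {n: check_license(n, m, policy) for n, m in packages.items()}
    return verdicts, any(level == "reject" for level, _ in verdicts.values())
```

Calling `evaluate(PACKAGES)` yields one verdict per package and `True` for the refuse flag, since `copyleft-lib` hits the reject list while `dual-lib` passes on its MIT alternative and the two packages with missing or unrecognized license data only warn.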
