Global-Chem has about 14,000 lines of code built into the software, roughly 44 direct dependencies and thousands of transitive dependencies, as you can see in the pipdeptree output.
Since I was the sole developer on my team, it was up to me to choose how to be transparent about the licensing of the software. I chose the Mozilla Public License 2.0 as my base and needed a platform that could go through my dependencies as needed and consistently check for any legal problems.
I signed the repository up for FOSSA, a full-grade audit reporting system.
The level of detail it provides on Python dependencies gives me confidence that if I submitted these reports to the Federal Drug and Administration they would pass CFR Part 11 Electronic Health Records compliance for software.
So I signed up global-chem and went through each license that wasn't recorded, while FOSSA automatically analyzed the package dependencies declared in my setup files and generated a report.
However, not everything was automated, and I needed to do a lot of manual checks across licenses to make sure the Mozilla Public License was compatible with the others. The full report of each license check can be output to a CSV together with my issue resolution notes. I probably should have said something better than that.
In it, each dependency and the licenses of each version within the package are highlighted. This gives full legal transparency into your software and identifies any potential problems early on.
Example output:
Direct Dependencies
Title,Version,Authors,Declared License,Discovered License(s),Issue Resolution Notes
"global-chem",1.7.4.0,"sharifsuliman1@gmail.com","MPL-2.0","",
"numpy",1.23.2,"","BSD-3-Clause; Multi-license: BSD-3-Clause OR GPL-1.0-or-later OR GPL-3.0-only OR GPL-3.0-or-later OR GPL-3.0-with-GCC-exception; Zlib; BSD-2-Clause","BSD-3-Clause; Multi-license: BSD-3-Clause OR GPL-1.0-or-later OR GPL-3.0-only OR GPL-3.0-or-later OR GPL-3.0-with-GCC-exception; Zlib; BSD-2-Clause",
"pandas",1.4.4,"pandas-dev@python.org","Multi-license: Apache-2.0 OR BSD-3-Clause; BSD-3-Clause; Multi-license: BSD-3-Clause OR TCL; BSD-2-Clause; MIT","Multi-license: Apache-2.0 OR BSD-3-Clause; BSD-3-Clause; Multi-license: BSD-3-Clause OR TCL; BSD-2-Clause; MIT",
"rdkit-pypi",2022.3.5,"chris@kuenneth.dev","BSD-3-Clause; MIT; OFL-1.1; LGPL-2.0-or-later; BSD-2-Clause; GPL-2.0-or-later; HPND","BSD-3-Clause; MIT; OFL-1.1; LGPL-2.0-or-later; BSD-2-Clause; GPL-2.0-or-later; HPND","It's good"
"requests",2.28.1,"me@kennethreitz.org","Apache-2.0; MIT","MIT",
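As an added example (not part of the original post and not FOSSA's tooling), here is a Python script that reads this CSV layout and flags the rows that still need a manual look: declared and discovered licenses that disagree, copyleft components with no permissive alternative against the MPL-2.0 base, and flagged rows that carry no issue resolution note. The permissive allowlist is an assumption of mine, and the embedded sample rows are abridged from the report above.

```python
import csv
import io

# Constructed sample in the FOSSA "Direct Dependencies" CSV layout (abridged from the report above).
REPORT = """Title,Version,Authors,Declared License,Discovered License(s),Issue Resolution Notes
"global-chem",1.7.4.0,"sharifsuliman1@gmail.com","MPL-2.0","",
"numpy",1.23.2,"","BSD-3-Clause; Multi-license: BSD-3-Clause OR GPL-3.0-only; Zlib; BSD-2-Clause","BSD-3-Clause; Multi-license: BSD-3-Clause OR GPL-3.0-only; Zlib; BSD-2-Clause",
"pandas",1.4.4,"pandas-dev@python.org","Multi-license: Apache-2.0 OR BSD-3-Clause; BSD-3-Clause; MIT","Multi-license: Apache-2.0 OR BSD-3-Clause; BSD-3-Clause; MIT",
"rdkit-pypi",2022.3.5,"chris@kuenneth.dev","BSD-3-Clause; MIT; LGPL-2.0-or-later; GPL-2.0-or-later; HPND","BSD-3-Clause; MIT; LGPL-2.0-or-later; GPL-2.0-or-later; HPND","It's good"
"requests",2.28.1,"me@kennethreitz.org","Apache-2.0; MIT","MIT",
"""

# Licenses accepted alongside an MPL-2.0 base without a manual check (assumed allowlist, not legal advice).
PERMISSIVE = {"MPL-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
              "Zlib", "HPND", "OFL-1.1", "TCL"}
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")


def parse_licenses(field):
    """'A; Multi-license: B OR C' -> [{'A'}, {'B', 'C'}]; a multi-license
    component is satisfied by any one of its options."""
    comps = []
    for part in filter(None, (p.strip() for p in field.split(";"))):
        if part.startswith("Multi-license:"):
            comps.append({o.strip() for o in part[len("Multi-license:"):].split(" OR ")})
        else:
            comps.append({part})
    return comps


def review(report_csv):
    """Return {package: [findings]} for rows a human still has to look at."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        notes = []
        declared, discovered = row["Declared License"], row["Discovered License(s)"]
        if not discovered:
            notes.append("no license discovered in the distribution")
        elif declared != discovered:
            notes.append("declared and discovered licenses differ")
        for comp in parse_licenses(discovered):
            if comp & PERMISSIVE:  # at least one permissive option: nothing to review
                continue
            kind = "copyleft" if any(o.startswith(COPYLEFT_PREFIXES) for o in comp) else "unrecognised"
            notes.append(f"{kind} component needs MPL-2.0 compatibility review: " + " OR ".join(sorted(comp)))
        if notes and not row["Issue Resolution Notes"]:
            notes.append("no issue resolution note recorded")
        if notes:
            findings[row["Title"]] = notes
    return findings
```

Running `review(REPORT)` leaves numpy and pandas clean, flags requests for the declared/discovered mismatch, and flags rdkit-pypi twice for its standalone LGPL and GPL components.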
Happy Cheminformatics and Devops!