license-compliance-auditor

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

License Compliance Auditor

许可证合规性审核工具

Purpose and Intent

用途与目标

The

license-compliance-auditor

ensures that software projects remain legally compliant by automatically verifying that all direct and transitive dependencies use licenses approved by the organization.

license-compliance-auditor

通过自动验证所有直接和间接依赖项是否使用组织批准的许可证，确保软件项目保持法律合规性。

When to Use

适用场景

Dependency Onboarding: Run when adding a new library to a project.
CI/CD Gates: Use as a blocking step in pipelines to prevent merging code with non-compliant licenses (e.g., preventing GPL in a proprietary product).
Release Preparation: Audit the entire dependency tree before a major release.

依赖项引入：在向项目中添加新库时运行。
CI/CD 关卡：作为流水线中的阻塞步骤使用，防止合并包含不合规许可证的代码（例如，在专有产品中阻止 GPL 许可证）。
发布准备：在重大版本发布前审核整个依赖树。

When NOT to Use

不适用场景

Legal Advice: This tool provides technical checks based on metadata; it does not replace professional legal counsel.
Custom Licenses: It may struggle with proprietary or highly customized license text not found in SPDX registries.

法律咨询：此工具仅基于元数据提供技术检查，不能替代专业法律顾问。
自定义许可证：对于未在SPDX注册中心收录的专有或高度定制的许可证文本，它可能无法处理。

Error Conditions and Edge Cases

错误情况与边缘案例

Missing Metadata: If a package doesn't define a license in its manifest, it will be flagged as "Unknown".
Dual Licensing: Packages with multiple licenses (e.g., "MIT OR GPL") will require manual review.
Unsupported Ecosystems: Attempting to run on a language not supported by the
```
ecosystem
```
input will fail.

缺失元数据：如果软件包在其清单中未定义许可证，会被标记为“未知”。
双重许可证：带有多个许可证的软件包（例如“MIT OR GPL”）需要人工审核。
不支持的生态系统：尝试在
```
ecosystem
```
输入不支持的语言上运行会失败。

Security and Data-Handling Considerations

安全与数据处理注意事项

ReadOnly: The tool only reads manifest files.
Privacy: No source code is uploaded; only package names and versions are used to check license registries.

只读模式：该工具仅读取清单文件。
隐私保护：不会上传源代码；仅使用软件包名称和版本来检查许可证注册中心。