That's a good question . I believe the current format is FOSSA-generated (see JSON reported on https://gist.github.com/maoo/40a4f7a9df8315290a1b0c347dd018da ).

The identifiers that you see being mentioned are SPDX IDs, which allow to have a consolidated set of license definitions.

Definitely worth discussing this with FOSSA, hopefully during next ODP meeting.

Is this a fossa-generated format, or is this following one of the standard BOM formats being developed by the community for greater reuse?

Existing efforts that i’m aware of in this space are:

• SPDX (probably the most deeply ingrained, lots of tool support, very focused on licensing, verbose)

• SPDX-Lite (subset of SPDX being driven by a working group in Japan, mainly automotive)

• NTIA

• MITRE

• CycloneDX (I just came across this one recently, it's out of an OASIS working group)

Using "FOSSA_API_KEY" and fossa-cli latest version (1.0.3) I managed to get the code working again on https://gist.github.com/maoo/40a4f7a9df8315290a1b0c347dd018da

This simple snippet of code is the spike we were expecting: generate a JSON model of all (direct and transitive) dependency licenses, given the Git endpoint of a code repository.

This code is supposed to be "wrapped" into a containerised architecture, triggered by a GitHub event (ie commit/push), which will eventually notify the developer teams via GitHub Issues and/or email (to enforce confidentiality, if it applies); refer to https://finosfoundation.atlassian.net/browse/ODP-9 for further developments of this feature.

Sharing slides that describe high-level objectives and requirements.

[^[AGENDA] Continuous license validation for FINOS.pdf]

I got something working on https://gist.github.com/maoo/40a4f7a9df8315290a1b0c347dd018da