chaoss/grimoirelab-graal

[feature request] Analysing licenses of dependencies

Opened this issue · 0 comments

svdo commented

TL/DR

I think it would be valuable for Graal to be able to analyse the (open source) software licenses of dependencies of my software.

Rationale

People and organisations generally want to adhere to the licenses under which software is made available to them. Nowadays this has become so difficult that tooling is needed to help. Take for example the JavaScript/Node.js ecosystem. When you develop even a simple client-server application, you easily end up using hundreds and hundreds of open source packages, either directly or through transitive dependencies. It's virtually impossible to collect and verify all this manually for every release of every product.

Feature Request

I envision a component of Graal that can create a "bill of materials" of my software: a table containing all dependencies of my software, both direct and indirect. The table should have columns for:

  • Name of the dependency
  • Version of the dependency
  • Where the dependency can be found (could be a link to a package manager repository such as maven / npm / etc; or a link to the source code archive)
  • Software license(s) of the dependency; normalised somehow to easily search and filter

Furthermore, a view where the dependency tree is visualised seems useful, but that is probably more of a V2 feature / nice-to-have.

Notes

  • Please note that a package can have multiple licenses, e.g. dual-licensed BSD and GPLv2, meaning that you (as a user of the package) can choose which one you want to apply (example)
  • A colleague mentioned that https://spdx.org has a good chance of becoming the standard.
  • Please note that this probably depends on #80 in order to be a useful feature.

Thanks for your consideration and this great software!
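Added example (Python, not part of Graal or of this issue): it builds the table requested above from a constructed package-lock.json, walking direct and transitive dependencies and normalising each package's license field into SPDX-style identifiers, including the dual-licensed (OR) case from the notes. Package names, versions and registry URLs are made up, and a flat (hoisted) node_modules layout is assumed.

```python
import json
import re

# Constructed package-lock.json (v3) "packages" map; names, versions and URLs are made up.
SAMPLE_LOCK = json.dumps({"packages": {
    "": {"dependencies": {"left-pad-ish": "^1.0.0", "dualpkg": "^2.0.0"}},
    "node_modules/left-pad-ish": {"version": "1.2.3", "license": "MIT",
        "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.2.3.tgz",
        "dependencies": {"tinyutil": "^0.1.0"}},
    "node_modules/dualpkg": {"version": "2.0.0", "license": "(MIT OR GPL-2.0-only)",  # dual-licensed
        "resolved": "https://registry.npmjs.org/dualpkg/-/dualpkg-2.0.0.tgz",
        "dependencies": {"tinyutil": "^0.1.0"}},
    "node_modules/tinyutil": {"version": "0.1.0", "license": {"type": "BSD-3-Clause"},  # legacy form
        "resolved": "https://registry.npmjs.org/tinyutil/-/tinyutil-0.1.0.tgz",
        "dependencies": {"nolicense": "^0.0.1"}},
    "node_modules/nolicense": {"version": "0.0.1"},  # no license declared at all
}})

def normalise_license(field):
    """Return (ids, choice): SPDX-style identifiers and whether the consumer may pick one (OR)."""
    if isinstance(field, dict):  # legacy {"type": ..., "url": ...} object form
        field = field.get("type")
    if not field:
        return ["UNKNOWN"], False
    expr = field.strip().strip("()")  # simplification: nested expressions are flattened
    ids = [t for t in re.split(r"\s+(?:OR|AND)\s+", expr, flags=re.I) if t]
    return ids, " OR " in expr.upper()

def build_bom(lock_json):
    """One row per dependency reachable from the root: name, version, origin, licenses, direct flag."""
    packages = json.loads(lock_json)["packages"]
    rows, seen = [], set()
    queue = [(n, 1) for n in packages[""].get("dependencies", {})]
    while queue:
        name, depth = queue.pop(0)
        if name in seen:  # shared or cyclic dependency already recorded
            continue
        seen.add(name)
        entry = packages.get(f"node_modules/{name}", {})  # assumption: flat (hoisted) node_modules
        ids, choice = normalise_license(entry.get("license"))
        rows.append({"name": name, "version": entry.get("version", "?"), "resolved": entry.get("resolved", ""),
                     "licenses": ids, "choice": choice, "direct": depth == 1})
        queue.extend((d, depth + 1) for d in entry.get("dependencies", {}))
    return rows

if __name__ == "__main__":
    for r in build_bom(SAMPLE_LOCK):
        lic = (" OR " if r["choice"] else " AND ").join(r["licenses"])
        print(f"{r['name']:<14}{r['version']:<8}{lic:<24}{'direct' if r['direct'] else 'transitive'}")
```

The "choice" column is what lets a reviewer filter for packages where a license still has to be selected, and "UNKNOWN" rows are the ones that need manual follow-up.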