feluda  by anistark

Automates software license and SBOM compliance

Created 1 year ago
454 stars

Top 65.7% on SourcePulse

GitHubView on GitHub
Project Summary

Summary

Feluda is a Rust-based command-line tool designed to analyze project dependencies, identify their licenses, and flag any restrictions that conflict with personal or commercial usage, or are incompatible with the project's own license. It targets developers and organizations needing to ensure software license compliance, manage supply chain transparency, and meet enterprise audit requirements. The primary benefit is proactive identification of potential legal issues arising from third-party code.

How It Works

Written in Rust, Feluda functions as a CLI utility that scans project dependencies. It employs a hybrid approach, first checking local files (e.g., node_modules, Cargo.toml) for license information before resorting to network lookups for comprehensive data. The tool analyzes detected licenses against a compatibility matrix and OSI approval status, providing clear flags for restrictive or incompatible licenses. It can also generate Software Bill of Materials (SBOM) and detailed compliance documentation.

Quick Start & Requirements

  • Primary Install: cargo install feluda (requires Rust toolchain).
  • Other Installations: Available via DEB (Debian/Ubuntu), RPM (RHEL/Fedora), Homebrew (macOS), AUR (Arch Linux), and NetBSD packages.
  • Prerequisites: Rust toolchain installed and up-to-date.
  • Links: GitHub Releases for DEB/RPM packages.

Highlighted Details

  • License Compliance: Detects restrictive and incompatible licenses, supports filtering by OSI approval status, and allows custom configuration of restrictive/ignored licenses and dependencies.
  • SBOM Generation: Generates SPDX 2.3 and CycloneDX 1.5 compliant SBOMs, with built-in validation capabilities.
  • Compliance Files: Automates the creation of NOTICE and THIRD_PARTY_LICENSES files essential for distribution and legal requirements.
  • CI/CD Integration: Features robust integration options for GitHub Actions, Jenkins, and SARIF output for GitHub Advanced Security, including build-failure triggers.
  • Watch Mode: Provides continuous project scanning upon dependency file changes, useful during active development.
  • TUI Mode: Offers an interactive Terminal User Interface for visually browsing dependency information.

Maintenance & Community

Community-maintained packages are available for Homebrew, AUR, and NetBSD, indicating some level of external contribution and support. No direct links to community forums, chat, or a public roadmap are provided in the README.

Licensing & Compatibility

The project's specific open-source license is not explicitly stated in the README. Users should verify the license before adoption, especially for commercial use.

Limitations & Caveats

Feluda is explicitly described as "highly experimental" and "fast iterating." The project includes a prominent legal disclaimer stating it is not a substitute for legal advice, and users are solely responsible for ensuring their compliance with all applicable license terms and regulations. Accuracy of license information should be independently verified.

Health Check
Last Commit

1 day ago

Responsiveness

Inactive

Pull Requests (30d)
9
Issues (30d)
1
Star History
0 stars in the last 30 days

Explore Similar Projects

Feedback? Help us improve.