License inventory is documented
Why it matters
MIT, Apache-2.0, and BSD licenses all carry attribution requirements: you must preserve copyright notices and license texts when distributing the software. Without a license inventory, you cannot verify that you are meeting these obligations, and during any commercial transaction — acquisition, enterprise sales with contractual IP representations, or legal due diligence — the absence of a license inventory is a red flag that slows or blocks the deal. SSDF PW.4 treats third-party component tracking as a requirement, not a nice-to-have. A license inventory is also the prerequisite for any copyleft or conflict check to be meaningful: you cannot evaluate what you have not enumerated.
Severity rationale
Low because missing attribution documentation is a compliance gap rather than an active vulnerability, but it becomes a blocking issue during legal due diligence or enterprise sales.
Remediation
Generate and commit a license inventory file:
npx license-checker --production --out LICENSES.txt --customPath '{name},{licenses},{repository}'
Or add a generation script to package.json so the inventory can be regenerated in CI on every build:
// package.json
"scripts": {
"licenses": "license-checker --production --out LICENSES.txt"
}
Commit the generated LICENSES.txt and add a CI step that fails if the file is out of date.
Detection
- ID: license-inventory
- Severity: low
- What to look for: Check for a NOTICE, LICENSES, third-party-licenses.txt, or similar attribution file in the project root or a legal/ directory. Alternatively, check package.json for a licenses script (e.g., "licenses": "npx license-checker --production"). Documentation of dependency licenses is a best practice for commercial projects. Count all instances found and enumerate each.
- Pass criteria: A license inventory file exists, or a package.json script exists to generate one on demand, or the project has fewer than 5 production dependencies (too small to require formal tracking).
- Fail criteria: No license inventory file or generation script exists, and the project has 5 or more production dependencies.
- Skip (N/A) when: No package.json detected.
- Detail on fail: "No license inventory file found. For commercial projects with multiple dependencies, maintaining an attribution document reduces legal risk and is required by some licenses."
- Remediation: Some open-source licenses (MIT, Apache-2.0) require that attribution notices be included when distributing software. A license inventory file collects all required notices. Generate and commit one:
  npx license-checker --production --out LICENSES.txt --customPath '{name},{licenses},{repository}'
  Or automate it in CI to keep it current on every build.
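The detection rule above, implemented as an added example (this is not the scanner's own code): it applies the pass, fail and skip criteria to a set of repo-relative file paths plus a parsed package.json. The exact set of inventory file names and the legal/ directory scope are assumptions drawn from the "or similar" wording of the rule.

```python
import json
import os

# Names that count as an inventory (assumed list; the rule says "NOTICE, LICENSES, ... or similar").
INVENTORY_NAMES = {"NOTICE", "LICENSES", "LICENSES.txt", "third-party-licenses.txt"}
MIN_DEPS_REQUIRING_INVENTORY = 5  # rule threshold: 5 or more production dependencies

def find_inventory_files(files):
    """Inventory files at the project root or under legal/; `files` holds repo-relative paths."""
    found = []
    for path in files:
        parts = path.replace("\\", "/").split("/")
        in_scope = len(parts) == 1 or (len(parts) == 2 and parts[0] == "legal")
        if in_scope and parts[-1] in INVENTORY_NAMES:
            found.append(path)
    return sorted(found)

def has_licenses_script(package_json):
    """True when package.json defines a non-empty "licenses" script."""
    scripts = package_json.get("scripts") or {}
    return bool(str(scripts.get("licenses", "")).strip())

def evaluate(files, package_json):
    """Apply the rule; returns (status, detail) with status in pass/fail/skip."""
    if package_json is None:
        return "skip", "No package.json detected."
    deps = len(package_json.get("dependencies") or {})  # production deps only, not devDependencies
    inventory = find_inventory_files(files)
    if inventory:
        return "pass", f"{len(inventory)} inventory file(s): {', '.join(inventory)}"
    if has_licenses_script(package_json):
        return "pass", "package.json has a licenses script to generate an inventory on demand."
    if deps < MIN_DEPS_REQUIRING_INVENTORY:
        return "pass", f"Only {deps} production dependencies; formal tracking not required."
    return "fail", ("No license inventory file found. For commercial projects with multiple "
                    "dependencies, maintaining an attribution document reduces legal risk "
                    "and is required by some licenses.")

def scan_project(root):
    """Build (files, package_json) from a checkout on disk, skipping node_modules and .git."""
    files = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            files.add(os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/"))
    pkg_path = os.path.join(root, "package.json")
    pkg = json.load(open(pkg_path, encoding="utf-8")) if os.path.isfile(pkg_path) else None
    return files, pkg
```

From a checkout, `evaluate(*scan_project("."))` returns the status the CI step can act on.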
External references
- spdx · LicenseRef-scancode-unknown — License inventory documentation
- ssdf:800-218 · PW.4 — Reuse Existing, Well-Secured Software
Taxons
History
- 2026-04-18·v1.0.0·Initial import from dependency-supply-chain·automated