documentation for the dependency license audit tool

Fixes elastic#9921
ioanatia · Aug 21, 2018 · b6e355d · b6e355d
1 parent 8b6c162
commit b6e355d
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -150,7 +150,9 @@ Example:
    asking you to assign copyright to us, but to give us the right to distribute
    your code without restriction. We ask this of all contributors in order to
    assure our users of the origin and continuing existence of the code. You
-   only need to sign the CLA once.
+   need to sign the CLA only once. If your contribution involves changes to 
+   third-party dependencies in Logstash core or the default plugins, you may
+   wish to review the documentation for our [dependency audit process](https://github.com/elastic/logstash/blob/master/tools/dependencies-report/README.md).
 3. Send a pull request! Push your changes to your fork of the repository and
    [submit a pull
    request](https://help.github.com/articles/using-pull-requests). In the pull

diff --git a/tools/dependencies-report/README.md b/tools/dependencies-report/README.md
@@ -0,0 +1,16 @@
+# Dependency audit tool
+
+The dependency audit tool automates the verification of the following criteria for all
+third-party dependencies that are shipped as part of either Logstash core or the [default Logstash 
+plugins](https://github.com/elastic/logstash/blob/master/rakelib/plugins-metadata.json):
+* The dependency has been added to the [dependency list file](https://github.com/elastic/logstash/blob/master/tools/dependencies-report/src/main/resources/licenseMapping.csv)
+with an appropriate project URL and [SPDX license identifier](https://spdx.org/licenses/). 
+* The license for the dependency is among those [approved for distribution](https://github.com/elastic/logstash/blob/master/tools/dependencies-report/src/main/resources/acceptableLicenses.csv).
+* There is a corresponding `NOTICE.txt` file in the [notices folder](https://github.com/elastic/logstash/tree/master/tools/dependencies-report/src/main/resources/notices)
+containing the appropriate notices or license information for the dependency. These individual 
+notice files will be combined to form the notice file shipped with Logstash.
+
+The dependency audit tool enumerates all the dependencies, Ruby and Java, direct and transitive,
+for Logstash core and the default plugins. If any dependencies are found that do not conform to
+the criteria above, the name of the dependency(ies) along with instructions for resolving are 
+printed to the console and the tool exits with a non-zero return code.