核心要点：统一解析 SPDX 标识；建立允许与禁止清单并支持例外到期。构建门禁：禁止项直接阻断；允许项通过；未知项进入人工审批。

实现示例：

const allowLicenses = new Set<string>(['MIT','Apache-2.0','BSD-3-Clause','ISC'])
const denyLicenses = new Set<string>(['GPL-3.0','AGPL-3.0','LGPL-3.0'])
function normalize(spdx: string): string {
return spdx.trim()
}
type LicenseEntry = { name: string; version: string; license: string }
function evaluateLicense(e: LicenseEntry, exceptions: Map<string, number>, now: number): 'allow' | 'deny' | 'review' {
const id = normalize(e.license)
const key = `${e.name}@${e.version}`
const until = exceptions.get(key) || 0
if (denyLicenses.has(id) && until < now) return 'deny'
if (allowLicenses.has(id)) return 'allow'
return until >= now ? 'allow' : 'review'
}
审计与 CI 门禁：审计报告包含名称、版本、许可证、判定、审批人与到期时间。未审批或被禁止的依赖阻断构建；产线仅接受允许项与处于例外期内的依赖。
