How does a company go about fleshing out the aspects of FOSS without wasting so many people's time? As FOSS gains in popularity, we are sinking in a quagmire of manual research, analysis and legal license inspections. It seems the FOSSology product will unpack compressed files and sniff around for licenses, while on the other side of the planet we have Maven repositories that understand version dependencies -- but there is a void in bringing them together!
In an attempt to follow a concrete day-in-the-job, let us consider Struts 2.1.6, and let's further suppose that we plan to take advantage of all the downstream dependencies it offers (i.e. optionals).

1. Is there a version-specific dependency tree mechanically available?
   - Will subsequent versions eventually appear in the same location/format?
2. What technique to use in determining the stack of licenses gleaned from this tree?

I see developers struggling to bring together the jars necessary to do a build, which is time consuming and expensive. I see a legal team in the other building struggling to ascertain our risk, should this "stack" be implemented.

P.S. Does anyone here have first-hand experience with FOSSology?

Peace,
Scott
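An added example, not from Scott's post or from the FOSSology or Maven projects: the mechanical part of question 2 is a walk over each artifact's POM that follows its `<dependency>` entries (including `<optional>` ones, which Maven itself would prune from the transitive graph) and collects every `<licenses>` declaration, flagging artifacts that declare none or cannot be resolved. The Python below stands in for a local repository with constructed POM text; only the `org.apache.struts:struts2-core:2.1.6` coordinate is real, and the dependencies and licenses attached to it here are invented.

```python
import xml.etree.ElementTree as ET
NS = "{http://maven.apache.org/POM/4.0.0}"
GAV = ("groupId", "artifactId", "version")

def make_pom(coord, licenses, deps):
    """Build minimal POM text. Constructed test data for this example, not a real POM."""
    gav = lambda c: "".join(f"<{t}>{v}</{t}>" for t, v in zip(GAV, c.split(":")))
    lic = "".join(f"<license><name>{n}</name></license>" for n in licenses)
    dep = "".join(f"<dependency>{gav(c)}{'<optional>true</optional>' if o else ''}</dependency>"
                  for c, o in deps)
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0">{gav(coord)}'
            f"<licenses>{lic}</licenses><dependencies>{dep}</dependencies></project>")

# Constructed stand-in for a local repository (coordinate -> POM text). Only the struts2-core
# coordinate is real; the dependencies and licenses are invented and NOT Struts' actual ones.
REPO = {
    "org.apache.struts:struts2-core:2.1.6": make_pom(
        "org.apache.struts:struts2-core:2.1.6", ["Apache License, Version 2.0"],
        [("com.example:core-lib:1.0", False), ("com.example:optional-plugin:2.0", True)]),
    "com.example:core-lib:1.0": make_pom(
        "com.example:core-lib:1.0", ["Apache License, Version 2.0"], [("com.example:logging:3.1", False)]),
    "com.example:optional-plugin:2.0": make_pom(
        "com.example:optional-plugin:2.0", ["LGPL-2.1"],
        [("com.example:logging:3.1", False), ("com.example:missing:9.9", False)]),
    "com.example:logging:3.1": make_pom("com.example:logging:3.1", [], []),  # no license declared
}

def parse_pom(text):
    """Return (declared license names, [(dependency coordinate, is_optional)]) for one POM."""
    root = ET.fromstring(text)
    licenses = [n.text for n in root.findall(f"{NS}licenses/{NS}license/{NS}name")]
    deps = [(":".join(d.findtext(f"{NS}{t}") for t in GAV), d.findtext(f"{NS}optional") == "true")
            for d in root.findall(f"{NS}dependencies/{NS}dependency")]
    return licenses, deps

def license_stack(root_coord, include_optional=True, repo=REPO):
    """Map each license name to the artifacts carrying it across the whole tree. Artifacts with
    no <licenses> block land under UNDECLARED; coordinates with no POM under UNRESOLVED."""
    stack, seen, todo = {}, set(), [root_coord]
    while todo:
        coord = todo.pop()
        if coord in seen:
            continue
        seen.add(coord)
        if coord not in repo:  # the jar may be in the build, but nobody can inspect its terms
            stack.setdefault("UNRESOLVED", set()).add(coord)
            continue
        licenses, deps = parse_pom(repo[coord])
        for name in licenses or ["UNDECLARED"]:
            stack.setdefault(name, set()).add(coord)
        todo.extend(c for c, opt in deps if include_optional or not opt)
    return {k: sorted(v) for k, v in sorted(stack.items())}
```

The version-specific tree of question 1 is what `mvn dependency:tree` prints for a project that declares the artifact; the walker above is the same traversal applied to the POMs behind that tree, with the legal team's two blind spots (undeclared and unresolvable licenses) surfaced explicitly.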