The dependency audit tool automates the verification of the following criteria for all third-party dependencies that are shipped as part of either Logstash core or the default Logstash plugins:
- The dependency has been added to the dependency list file with an appropriate project URL and SPDX license identifier.
- The license for the dependency is among those approved for distribution.
- There is a corresponding
NOTICE.txtfile in the notices folder containing the appropriate notices or license information for the dependency. These individual notice files will be combined to form the notice file shipped with Logstash.
The dependency audit tool enumerates all the dependencies, Ruby and Java, direct and transitive, for Logstash core and the default plugins. If any dependencies are found that do not conform to the criteria above, the name of the dependency(ies) along with instructions for resolving are printed to the console and the tool exits with a non-zero return code.
The dependency audit tool should be run using the script in the bin folder:
$LS_HOME/bin/dependencies-report --csv report.csv