License attribution for modified transitive dependencies
Summary
When scanning a project, you may see a transitive dependency attributed to the creator of one of your direct dependencies rather than to its original author. This article describes how Mend determines library and license attribution in that case.
Scenario
Suppose your project projA references the dependency depA, and depA in turn requires depB. Instead of declaring depB in a project manifest file such as a pom.xml, the creator of depA bundled a copy of depB directly inside depA, because they modified depB to work specifically with their library.
Attribution
One might expect the transitive dependency depB to still be attributed to its original creator. However, Mend identifies files by their SHA-1 hash, and the bundled copy of depB has been modified. Any change to the file's bytes, even a single character or a change of line endings, produces a different SHA-1, so the modified copy no longer matches the known upstream depB file. Mend therefore does not attribute it to depB's creator; the file is attributed to the party that modified it, the creator of depA.
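The following Python script is an added example, not part of the original article and not Mend's own tooling; it models the SHA-1 identification described above so you can reproduce the effect locally. The file contents, the paths, the UPSTREAM_INDEX hash table and the function names attribute_file and attribute_tree are all constructed for illustration.

```python
import hashlib

# Constructed sample data (not real Mend data): the bytes of a hypothetical
# upstream depB source file and the copy that depA's creator bundled and patched.
UPSTREAM_DEPB = b"package depb;\n\npublic class Util {\n    // upstream implementation\n}\n"
VENDORED_DEPB = UPSTREAM_DEPB.replace(b"// upstream implementation",
                                      b"// patched by depA's creator")
# The same upstream source re-saved with Windows line endings: no logical
# change, yet the bytes (and therefore the SHA-1) differ.
UPSTREAM_DEPB_CRLF = UPSTREAM_DEPB.replace(b"\n", b"\r\n")


def sha1_hex(data: bytes) -> str:
    """Content fingerprint: SHA-1 of the file's exact bytes."""
    return hashlib.sha1(data).hexdigest()


# Hypothetical index of known upstream files, keyed by SHA-1. In a real check
# this would be built from the published upstream artifact of depB.
UPSTREAM_INDEX = {
    sha1_hex(UPSTREAM_DEPB): {"library": "depB", "owner": "depB creator"},
}


def attribute_file(data: bytes, containing_library: str, containing_owner: str,
                   index: dict = UPSTREAM_INDEX) -> dict:
    """Attribute one file the way the article describes.

    If the file's SHA-1 is in the upstream index, it is the unmodified upstream
    file and is attributed to that library's creator. Otherwise a file with
    these exact bytes is only known inside the containing library, so it is
    attributed to that library's creator.
    """
    digest = sha1_hex(data)
    hit = index.get(digest)
    if hit is not None:
        return {"sha1": digest, "modified": False,
                "library": hit["library"], "owner": hit["owner"]}
    return {"sha1": digest, "modified": True,
            "library": containing_library, "owner": containing_owner}


def attribute_tree(files: dict, containing_library: str, containing_owner: str,
                   index: dict = UPSTREAM_INDEX) -> dict:
    """Attribute every file in a {path: bytes} mapping of a library's contents."""
    return {path: attribute_file(data, containing_library, containing_owner, index)
            for path, data in files.items()}


if __name__ == "__main__":
    # Constructed layout of depA's unpacked archive (hypothetical paths).
    depa_files = {
        "depA/src/Main.java": b"package depa;\npublic class Main {}\n",
        "depA/vendor/depB/Util.java": VENDORED_DEPB,
        "depA/vendor/depB/Util.crlf.java": UPSTREAM_DEPB_CRLF,
    }
    for path, result in attribute_tree(depa_files, "depA", "depA creator").items():
        status = "modified copy" if result["modified"] else "upstream match"
        print(f"{path}: {status}, attributed to {result['owner']} ({result['library']})")
```

To run this against a real dependency, unpack the upstream depB artifact, hash each file into UPSTREAM_INDEX, then hash the files vendored inside depA and compare. Note that the CRLF case is reported as modified as well: the identification is purely byte-based, so a re-saved file with different line endings or a stripped trailing newline changes ownership in the same way as a code change.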
Mend assumes that the party that modified the transitive dependency did so in compliance with the terms of depB's original license. If you are concerned about whether the modification was made within the terms of that license, consult your legal team.
Closing
In summary, from Mend's viewpoint a party other than the original creator that modifies a file becomes the owner of the resulting file, and that file is attributed to the new owner.