[Project contribution] IP policy and license review for GUAC about tac HOT 6 CLOSED

LICENSE INTAKE SCAN & ANALYSIS:  OpenSSF:  GUAC

- This intake scan is a static analysis of the source code in your repository.  A dependency scan was not performed.  Once a project is added to LFX [https://security.lfx.linuxfoundation.org/], you can use SNYK to view a dependency scan for both licenses and vulnerabilities.

CODE SCANNED:  https://github.com/guacsec/guac  [pulled 11–July-2023]

PROJECT LICENSE:  Apache-2.0

SPDX LICENSE IDENTIFIERS:  SPDX license identifiers were not found in any source file headers.
- Copyright and License statements were found in source file headers.
- We recommend that SPDX license identifiers be added to ALL source file headers.  [see https://spdx.dev/ids for examples]

PERMISSIVE LICENSES:  Apache-2.0, CC0-1.0, BSD-3-Clause, Zlib, MIT, CC-BY-4.0

COPYLEFT LICENSES:  GPL-2.0 [external dependency / test data]
- NOTE:  Copyleft licenses in external dependencies may or may not cause a license conflict, depending on how the dependent code is used, integrated, and distrbuted by the end user.  Since this appears to be test data only it is likely not a problem, but should still be checked to be sure.
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-small-spdx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-spdx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/distroless-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/quarkus-deps-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/big-mongo-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/oci-spdx.json
 
PROPRIETARY LICENSES:  None found

LICENSE CONFLICTS:  None found, however see above NOTE in copyleft licenses.

BINARY / PACKAGE FILES:  None found

THIRD PARTY CODE / DEPENDENCIES:  None found, however see above NOTE in copyleft licenses.

THIRD PARTY NOTICE FILE:  None found

SUMMARY FINDINGS:  The code is licensed under the Apache-2.0 license, which is the project license.  SPDX license identifiers were not found and should be added to all source file headers.  No license conflicts found.  References to GPL-2.0 were found in test data files, these are most likely not an issue, but should be confirmed that there is no actual GPL licensed code in your repository.