<link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;600&display=swap" rel="stylesheet">
<style>
body, html {
margin: 0;
padding: 0;
}
.table-wrapper {
width: 100%;
overflow-x: auto;
-webkit-overflow-scrolling: touch;
background-color: #f9fbfd;
padding: 0;
margin: 0;
}
table.simple-table {
width: 100%;
border-collapse: collapse;
font-family: 'Poppins', sans-serif;
font-size: 12px;
min-width: 600px;
color: #2c3e50;
background-color: white;
border-radius: 8px;
box-shadow: 0 3px 10px rgba(0,0,0,0.1);
}
table.simple-table th, table.simple-table td {
border: 1px solid #e0e6ec;
padding: 6px 8px;
text-align: left;
}
table.simple-table thead {
background-color: #3a79f7;
}
table.simple-table thead th {
font-weight: 600;
font-size: 12px;
color: white !important;
white-space: nowrap;
}
/* Significantly narrowed first column */
table.simple-table th:first-child,
table.simple-table td:first-child {
width: 3%;
}
table.simple-table tbody tr:nth-child(even) {
background-color: #f4f7ff;
}
table.simple-table tbody tr:hover {
background-color: #dbe6ff;
}
table.simple-table tbody td:first-child {
font-weight: 600;
color: #1f3c88;
white-space: nowrap;
}
</style>
<div class="table-wrapper">
<table class="simple-table">
<thead>
<tr>
<th>Aspect</th>
<th>Self-Assessed Dependencies</th>
<th>Verified Dependencies</th>
<th>Verified Software Licence</th>
<th>Software Licence Assurance</th>
</tr>
</thead>
<tbody>
<tr>
<td>Purpose</td>
<td>Entry-level self-assessment of direct dependencies</td>
<td>External verification of all dependencies, without requiring a licence</td>
<td>Confirms appropriate licence choice and full compliance</td>
<td>Mature, ongoing governance of licences and dependencies</td>
</tr>
<tr>
<td>Suitable For / Scope</td>
<td>Early-stage projects, internal tools, initial governance</td>
<td>Projects nearing release without a licence; internal tools</td>
<td>Software ready for public release, distributed or externally available</td>
<td>Actively governed OSS projects committed to compliance</td>
</tr>
<tr>
<td>Validation</td>
<td>Developer self-assessment; no external validation</td>
<td>Verified by Licence Management Team using SCA or equivalent</td>
<td>Reviewed by Licence Management Team via SLA service or structured process</td>
<td>Licence Management Team review following internal audit; ongoing monitoring</td>
</tr>
<tr>
<td>Effort Level</td>
<td>Low – basic analysis documenting direct dependencies</td>
<td>Medium – full external dependency verification</td>
<td>High – detailed analysis and artefact creation</td>
<td>Very high – continuous governance and validation</td>
</tr>
<tr>
<td>Licence Declaration</td>
<td>Not required</td>
<td>Not required</td>
<td>Required</td>
<td>Required, with full compliance framework</td>
</tr>
<tr>
<td>Dependencies Coverage</td>
<td>Direct only; transitive optional</td>
<td>All, including transitive; mutually compatible licences</td>
<td>All verified, compliant and compatible with chosen licence</td>
<td>All validated through CI/CD integration</td>
</tr>
<tr>
<td>Requirements</td>
<td>Listed in Software Catalogue; identify direct dependencies; mutually compatible licences; no critical vulnerabilities or licence violations</td>
<td>As left, extended to all dependencies</td>
<td>As left, plus GÉANT-approved licence; correct artefacts; licence in documentation, Software Catalogue, repository metadata, and website</td>
<td>As left, plus designated compliance officer; CI/CD-integrated SCA tools; licence monitoring; contributor onboarding; tool maintenance; audits; documented processes</td>
</tr>
<tr>
<td>Artefacts</td>
<td>Internal list of direct dependencies and licences; optional NOTICE or README</td>
<td>SCA report listing licences and vulnerabilities</td>
<td>As left, plus LICENSE, COPYRIGHT, README, NOTICE, CHANGELOG, CONTRIBUTING</td>
<td>As left, plus compliance records; suggested SBOM</td>
</tr>
<tr>
<td>Certification Process</td>
<td>Submit notification</td>
<td>Submit dependency report</td>
<td>Submit after SLA review and artefact finalisation</td>
<td>Provide repository access, documents, and audit evidence</td>
</tr>
<tr>
<td>Governance &amp; Maintenance</td>
<td>Maintained by developers; occasional checks possible</td>
<td>Maintained by developers; reviewed by Licence Management Team; occasional checks</td>
<td>Maintained by developers; reviewed at certification; occasional checks</td>
<td>Continuous maintenance; designated compliance officer; biennial audits; occasional checks</td>
</tr>
<tr>
<td>Validity Period</td>
<td>5 years (renewable)</td>
<td>5 years (renewable)</td>
<td>Indefinite (unless revoked)</td>
<td>Indefinite (with biennial audits)</td>
</tr>
<tr>
<td>Revocation Triggers</td>
<td>Missing dependencies; licence conflicts; critical vulnerabilities; unresolved complaints; non-responsiveness</td>
<td>As left, for all dependencies</td>
<td>As left, plus unapproved licence changes; incorrect artefacts; non-compliance; distribution violations</td>
<td>As left, plus outdated tools/processes/documents; ignored errors; failed audits; unmaintained practices; misrepresentation of compliance</td>
</tr>
<tr>
<td>Limitations</td>
<td>Self-assessment only; not validated; no distribution permission; no licence selection</td>
<td>No distribution permission; no licence selection</td>
<td>Not a legal audit; excludes patents, export controls, and data protection</td>
<td>Not a legal or security audit; unsuitable for prototypes; requires sustained adherence and collaboration</td>
</tr>
</tbody>
</table>
</div>