Description
We're looking at the feasibility of preventing license compatibility regressions in edx/edx-arch-experiments#358, but that wouldn't catch any existing license compatibility problems that we've failed to notice. To catch those, we could use a repo health check that retrieves GitHub's understanding of all the repo's dependencies and their licenses. This may not be 100% accurate, but could probably flag most obvious oversights. One way of getting this data is to download the SBOM and parse it; other approaches might be available and/or work better. We'd want an allowlist of licenses known to be compatible with Apache 2 and an additional set that's also ok with an AGPLv3 repo.
This data can be browsed and downloaded directly at Insights -> Dependency graph, if that's useful when planning out the implementation. For example, https://github.com/openedx/edx-platform/network/dependencies.
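A sketch of the "download the SBOM and parse it" approach, added here as an illustration rather than code from this issue or from any openedx project. It assumes the SBOM is the SPDX 2.3 JSON that GitHub's dependency graph exports (each entry in `packages` carrying its license as an SPDX expression in `licenseConcluded`, optionally wrapped in a top-level `sbom` key as the REST API returns it), and the two allowlists are constructed placeholders to be reviewed by maintainers, not a vetted compatibility list. The SBOM below is likewise constructed sample data. It goes slightly beyond the text by evaluating full SPDX expressions (`OR`, `AND`, `WITH`, parentheses) so that dual-licensed packages are judged correctly and unparseable or `NOASSERTION` entries are surfaced as "unknown" instead of silently passing.

```python
"""Flag SBOM packages whose license is not on the repo's allowlist.

Constructed example; assumes GitHub's SPDX 2.3 JSON SBOM layout.
"""
import json
import re

# Constructed allowlist of SPDX ids treated as compatible with an Apache-2.0 repo.
APACHE2_OK = frozenset({
    "Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC",
    "PSF-2.0", "Python-2.0", "0BSD", "Unlicense", "CC0-1.0", "Zlib",
})
# Constructed extra set accepted only when the repo itself is AGPL-3.0.
AGPL3_EXTRA = frozenset({
    "AGPL-3.0-only", "AGPL-3.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "LGPL-3.0-only", "LGPL-3.0-or-later", "LGPL-2.1-only", "LGPL-2.1-or-later",
})

_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def license_allowed(expr, allowed):
    """Evaluate an SPDX license expression against an allowlist.

    OR: any alternative allowed is enough.  AND: every part must be allowed.
    WITH: the exception is ignored, so the base license decides (conservative).
    Malformed or empty expressions evaluate to False so they get flagged.
    """
    tokens = _TOKEN.findall(expr or "")
    try:
        ok = _parse_or(tokens, allowed)
    except IndexError:  # ran out of tokens mid-expression
        return False
    return ok and not tokens  # leftover tokens mean a malformed expression


def _parse_or(tokens, allowed):
    ok = _parse_and(tokens, allowed)
    while tokens and tokens[0].upper() == "OR":
        tokens.pop(0)
        ok = _parse_and(tokens, allowed) or ok  # parse first to consume tokens
    return ok


def _parse_and(tokens, allowed):
    ok = _parse_with(tokens, allowed)
    while tokens and tokens[0].upper() == "AND":
        tokens.pop(0)
        ok = _parse_with(tokens, allowed) and ok
    return ok


def _parse_with(tokens, allowed):
    ok = _parse_atom(tokens, allowed)
    if tokens and tokens[0].upper() == "WITH":
        tokens.pop(0)
        tokens.pop(0)  # exception id; raises IndexError if missing
    return ok


def _parse_atom(tokens, allowed):
    tok = tokens.pop(0)
    if tok == "(":
        ok = _parse_or(tokens, allowed)
        if tokens.pop(0) != ")":
            raise IndexError("unbalanced parenthesis")
        return ok
    return tok in allowed


def check_sbom(sbom, repo_license="Apache-2.0"):
    """Return findings for packages whose license is unknown or not allowed."""
    allowed = APACHE2_OK | (AGPL3_EXTRA if repo_license.startswith("AGPL-3.0") else frozenset())
    doc = sbom.get("sbom", sbom)  # REST API wraps the SPDX doc; the UI export does not
    findings = []
    for pkg in doc.get("packages", []):
        expr = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        if expr in ("NOASSERTION", "NONE"):
            status = "unknown"
        elif license_allowed(expr, allowed):
            continue
        else:
            status = "disallowed"
        findings.append({"name": pkg.get("name"), "version": pkg.get("versionInfo"),
                         "license": expr, "status": status})
    return findings


# Constructed sample SBOM in GitHub's SPDX JSON shape (not real dependency data).
SAMPLE_SBOM = json.loads("""
{"sbom": {"spdxVersion": "SPDX-2.3", "name": "com.github.example/example-repo",
  "packages": [
    {"SPDXID": "SPDXRef-pip-django", "name": "pip:django", "versionInfo": "4.2.0", "licenseConcluded": "BSD-3-Clause"},
    {"SPDXID": "SPDXRef-pip-dual", "name": "pip:example-dual", "versionInfo": "1.0", "licenseConcluded": "MIT OR GPL-2.0-only"},
    {"SPDXID": "SPDXRef-pip-agpl", "name": "pip:example-agpl", "versionInfo": "2.1", "licenseConcluded": "AGPL-3.0-only"},
    {"SPDXID": "SPDXRef-pip-gpl2", "name": "pip:example-gpl2", "versionInfo": "0.9", "licenseConcluded": "GPL-2.0-only AND MIT"},
    {"SPDXID": "SPDXRef-npm-unknown", "name": "npm:example-unknown", "versionInfo": "3.0.0", "licenseConcluded": "NOASSERTION"}
  ]}}
""")

if __name__ == "__main__":
    for repo_license in ("Apache-2.0", "AGPL-3.0-only"):
        print(f"--- repo license {repo_license} ---")
        for f in check_sbom(SAMPLE_SBOM, repo_license):
            print(f"{f['status']:<10} {f['name']} {f['version']}: {f['license']}")
```

For a real run, `SAMPLE_SBOM` would be replaced by the JSON downloaded from the dependency graph page, and a non-empty `findings` list would fail the health check. Treating `NOASSERTION` as a finding is deliberate: GitHub cannot always determine a license, and those packages need a human look rather than a pass.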