Org rollup
No composite score. Each tile is a per-signal ratio; see methodology — pill semantics for the green / amber / red rules. The dep-graph and Build-level claims are derived per-package below (CISA minimums, SLSA per package).
SLSA Build Level (derived per package)
Derived from modules[].supply_chain.attestations. A package reaches Build L2 (effective) when every artifact in the latest release carries a verified PEP 740 attestation AND the publisher identity names a hosted CI/CD platform (GitHub Actions / GitLab CI); the attestation's signing identity is the Trusted Publisher's platform-issued OIDC identity, which is what ties the artifact to a hosted builder. One unattested file in a release (for example an sdist uploaded by hand) is enough to drop the package below L2. L3 (hardened platform with isolation guarantees) is not separately claimed; see methodology, Limits and honest gaps.
| Package | Build level | Publisher | Note |
|---|---|---|---|
| kaos-agents | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-citations | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-content | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-core | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-graph | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-llm-client | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-llm-core | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-mcp | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-ml-core | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-names | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-nlp-core | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-nlp-transformers | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-office | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-pdf | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-source | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-tabular | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-ui | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
| kaos-web | Build L2 (effective) | GitHub | Hosted build platform (GitHub); every artifact in the latest release has a verified PEP 740 attestation. L3 (hardened platform) is not separately claimed — see methodology Limits & honest gaps. |
CISA SBOM Minimum Elements (per package)
Each package is checked against the CISA-defined SBOM Minimum Elements (Author, Supplier, Component name, Component version, Unique identifier, Dependency relationships, Timestamp). Each element is evaluated against the per-package CycloneDX output. Today every package fails Dependency relationships because the SBOM emitter does not yet build the dependencies[] edge graph; tracked as F9 in docs/research/08-followup.md.
| Package | Author | Supplier | Name | Version | PURL | Relationships | Timestamp |
|---|---|---|---|---|---|---|---|
| kaos-agents | |||||||
| kaos-citations | |||||||
| kaos-content | |||||||
| kaos-core | |||||||
| kaos-graph | |||||||
| kaos-llm-client | |||||||
| kaos-llm-core | |||||||
| kaos-mcp | |||||||
| kaos-ml-core | |||||||
| kaos-names | |||||||
| kaos-nlp-core | |||||||
| kaos-nlp-transformers | |||||||
| kaos-office | |||||||
| kaos-pdf | |||||||
| kaos-source | |||||||
| kaos-tabular | |||||||
| kaos-ui | |||||||
| kaos-web | |||||||
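The seven-element check described above, as an added example (not the dashboard's own checker). It reads the standard CycloneDX 1.5/1.6 JSON paths (metadata.timestamp, metadata.authors / metadata.tools, components[].supplier/publisher/purl, dependencies[].dependsOn); the pass/fail rule for each element is this example's reading of the CISA list, and the sample SBOM is constructed, not one of the published kaos SBOMs. The second sample shows what the same SBOM looks like once the emitter fills dependencies[].

```python
"""Evaluate one CycloneDX JSON SBOM against the seven CISA Minimum Elements.

Added example. Field paths are standard CycloneDX; the per-element rules are
this example's reading of the CISA list; the sample SBOM is constructed.
"""
import json
from typing import Callable


def _author_present(meta: dict) -> bool:
    """CISA 'Author of SBOM data' = who produced the SBOM: metadata.authors (1.5+) or the tool."""
    if meta.get("authors") or meta.get("author"):
        return True
    tools = meta.get("tools")
    if isinstance(tools, dict):  # 1.5+: {"components": [...], "services": [...]}
        return bool(tools.get("components") or tools.get("services"))
    return bool(tools)           # <=1.4: a list of tool objects


def _supplier_present(comp: dict) -> bool:
    return bool(comp.get("supplier", {}).get("name") or comp.get("publisher") or comp.get("author"))


def evaluate_min_elements(sbom: dict) -> dict[str, bool]:
    """Return one pass/fail per element, keyed like the table's column headers."""
    meta = sbom.get("metadata", {})
    comps = sbom.get("components", [])

    def every(pred: Callable[[dict], bool]) -> bool:
        return bool(comps) and all(pred(c) for c in comps)

    # An edge is a dependsOn entry; dependencies[] made only of empty lists is still no graph.
    edges = sum(len(d.get("dependsOn", [])) for d in sbom.get("dependencies", []))
    return {
        "Author": _author_present(meta),
        "Supplier": every(_supplier_present),
        "Name": every(lambda c: bool(c.get("name"))),
        "Version": every(lambda c: bool(c.get("version"))),
        "PURL": every(lambda c: bool(c.get("purl") or c.get("cpe") or c.get("swid"))),
        "Relationships": edges > 0,  # a component list without edges is a manifest, not an SBOM
        "Timestamp": bool(meta.get("timestamp")),
    }


def failing(sbom: dict) -> list[str]:
    return [k for k, ok in evaluate_min_elements(sbom).items() if not ok]


# Constructed SBOM in the shape the page describes: components with PURLs, no dependencies[] graph.
SBOM_NO_GRAPH = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {
        "timestamp": "2025-01-01T00:00:00Z",
        "tools": {"components": [{"type": "application", "name": "example-sbom-emitter", "version": "0.1"}]},
        "component": {"type": "library", "name": "kaos-example", "version": "1.4.0",
                      "bom-ref": "pkg:pypi/kaos-example@1.4.0", "purl": "pkg:pypi/kaos-example@1.4.0"},
    },
    "components": [
        {"type": "library", "name": "certifi", "version": "2024.8.30", "bom-ref": "pkg:pypi/certifi@2024.8.30",
         "purl": "pkg:pypi/certifi@2024.8.30", "supplier": {"name": "certifi project (placeholder)"},
         "licenses": [{"license": {"id": "MPL-2.0"}}]},
        {"type": "library", "name": "idna", "version": "3.10", "bom-ref": "pkg:pypi/idna@3.10",
         "purl": "pkg:pypi/idna@3.10", "publisher": "idna project (placeholder)",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    ],
}

# The same SBOM once the emitter fills dependencies[] (the F9 fix): root -> certifi, root -> idna.
SBOM_WITH_GRAPH = json.loads(json.dumps(SBOM_NO_GRAPH))
SBOM_WITH_GRAPH["dependencies"] = [
    {"ref": "pkg:pypi/kaos-example@1.4.0", "dependsOn": ["pkg:pypi/certifi@2024.8.30", "pkg:pypi/idna@3.10"]},
    {"ref": "pkg:pypi/certifi@2024.8.30", "dependsOn": []},
    {"ref": "pkg:pypi/idna@3.10", "dependsOn": []},
]

if __name__ == "__main__":
    print("no graph   ->", failing(SBOM_NO_GRAPH))
    print("with graph ->", failing(SBOM_WITH_GRAPH))
```

Note that a dependencies[] array whose entries all have empty dependsOn lists still counts as no graph here; some emitters produce exactly that when they list refs without resolving edges.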
License and dependency findings
This is the explanation behind the License and Deps pills. Approved exceptions point at license-policy.html; documented parser gaps name the true license and the parser fix that is tracked. Raw CycloneDX JSON remains available, but it is no longer the only evidence link for a license/dependency caveat.
| Package | Status | Component | License | Decision | Explanation |
|---|---|---|---|---|---|
| kaos-agents | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-agents | Parser gap | protobuf | Apache-2.0 | Known license; parser fix tracked (audit B.4) | PyPI license metadata gap; offline license book fallback |
| kaos-agents | Parser gap | py-rust-stemmers | BSD-3-Clause | Known license; parser fix tracked (audit B.4) | PyPI license metadata gap |
| kaos-agents | Parser gap | regex | Apache-2.0 OR MIT | Known license; parser fix tracked (audit B.4) | Investigate: both license_expression and license should be populated upstream |
| kaos-agents | Approved exception | tqdm | MPL-2.0 AND MIT | Allowed by policy (audit A.2) | See rationale A.2 below |
| kaos-citations | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-citations | Parser gap | regex | Apache-2.0 OR MIT | Known license; parser fix tracked (audit B.4) | Investigate: both license_expression and license should be populated upstream |
| kaos-content | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-content | Approved exception | hypothesis | MPL-2.0 | Allowed by policy (audit A.4) | See rationale A.4 below |
| kaos-content | Parser gap | imagehash | BSD-2-Clause | Known license; parser fix tracked (audit B.4) | Widen text-mine window |
| kaos-content | Approved exception | tqdm | MPL-2.0 AND MIT | Allowed by policy (audit A.2) | See rationale A.2 below |
| kaos-core | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-graph | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-graph | Approved exception | r-efi | MPL-2.0 | Allowed by policy (audit A.3) | See rationale A.3 below |
| kaos-llm-client | Parser gap | azure-core | MIT | Known license; parser fix tracked (audit B.4) | Offline license book fallback |
| kaos-llm-client | Parser gap | azure-identity | MIT | Known license; parser fix tracked (audit B.4) | Offline license book fallback |
| kaos-llm-client | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-llm-core | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-mcp | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-ml-core | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-ml-core | Approved exception | tqdm | MPL-2.0 AND MIT | Allowed by policy (audit A.2) | See rationale A.2 below |
| kaos-nlp-core | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-nlp-core | Parser gap | fnv | Apache-2.0 OR MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | fst | Unlicense OR MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | id-arena | MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | matrixmultiply | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | page_size | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | quick-error | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Approved exception | r-efi | MPL-2.0 | Allowed by policy (audit A.3) | See rationale A.3 below |
| kaos-nlp-core | Parser gap | rawpointer | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | rusty-fork | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | same-file | Unlicense OR MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | siphasher | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | utf8-ranges | Unlicense OR MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | version_check | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | wait-timeout | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | walkdir | Unlicense OR MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | winapi | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | winapi-i686-pc-windows-gnu | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | winapi-x86_64-pc-windows-gnu | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-core | Parser gap | zstd-sys | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | base64 | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-nlp-transformers | Parser gap | fnv | Apache-2.0 OR MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | id-arena | MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | ident_case | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | matrixmultiply | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | minimal-lexical | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Approved exception | option-ext | MPL-2.0 | Allowed by policy (audit A.5) | See rationale A.5 below |
| kaos-nlp-transformers | Parser gap | page_size | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Approved exception | r-efi | MPL-2.0 | Allowed by policy (audit A.3) | See rationale A.3 below |
| kaos-nlp-transformers | Parser gap | rawpointer | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | rayon-cond | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | same-file | Unlicense OR MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | serde_urlencoded | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | socks | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Approved exception | tqdm | MPL-2.0 AND MIT | Allowed by policy (audit A.2) | See rationale A.2 below |
| kaos-nlp-transformers | Parser gap | unicode-normalization-alignments | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | version_check | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | walkdir | Unlicense OR MIT | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | webpki-roots | MPL-2.0 | Known license; parser fix tracked (audit A.1) | Mozilla CA roots, same posture as certifi; should land in allowed_expressions |
| kaos-nlp-transformers | Parser gap | winapi | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | winapi-i686-pc-windows-gnu | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-nlp-transformers | Parser gap | winapi-x86_64-pc-windows-gnu | MIT OR Apache-2.0 | Known license; parser fix tracked (audit B.3) | crates.io enrichment retry |
| kaos-office | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-pdf | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-source | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-source | Parser gap | playwright | Apache-2.0 | Known license; parser fix tracked (audit B.4) | Offline license book fallback; upstream PR to populate info.license_expression |
| kaos-tabular | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-web | Approved exception | certifi | MPL-2.0 | Allowed by policy (audit A.1) | See rationale A.1 below |
| kaos-web | Parser gap | playwright | Apache-2.0 | Known license; parser fix tracked (audit B.4) | Offline license book fallback; upstream PR to populate info.license_expression |
Policy exception rationales
A.1 (certifi): certifi ships the Mozilla CA bundle as cacert.pem plus a 30-line Python wrapper. MPL-2.0 is file-scoped (MPL-2.0 §3.3): obligations attach to the modified file, not the consuming codebase. We ship cacert.pem unmodified. This is the same posture requests, httpx, urllib3, aiohttp and boto3 take; Mozilla's own MPL FAQ confirms this interpretation. Standard enterprise legal-review outcome.
A.2 (tqdm): tqdm is dual-licensed. The MPL-2.0 component is file-scoped to a single source file (the sub-interval feature), which we do not modify. The MIT track covers the entire public API. The Python ecosystem ships tqdm with this posture across roughly 5B downloads.
A.3 (r-efi): r-efi is a UEFI bindings crate pulled in transitively by getrandom only on UEFI targets. Our wheel matrix builds for Linux, macOS and Windows, never UEFI, so r-efi is in the resolver graph but never compiled into shipped binaries. No practical MPL-2.0 obligations attach. A stricter alternative is a cargo-deny exclude rule; tracked as future hygiene work.
A.4 (hypothesis): hypothesis is a dev/test-only dependency declared in [dependency-groups].dev, never in [project].dependencies. A consumer who pip-installs kaos-content does not receive hypothesis. MPL-2.0 obligations cannot reach a shipped wheel.
A.5 (option-ext): option-ext is an 87-line Rust crate adding Option extension methods, pulled in transitively via dirs → dirs-sys → option-ext. We ship it unmodified inside the kaos-nlp-transformers Rust binary; MPL-2.0 file-scoped obligations do not propagate. Future work: remove the dirs dependency entirely to drop this branch.
License breakdown (org-wide)
Aggregated across all direct and transitive components in published SBOMs. Unknown = published license metadata was missing or non-SPDX; such components appear as LicenseRef-unknown-<hash> in the per-package lists below. Per-package detail below.
PEP 740 attestations
| Package | Publisher | Source repo | Workflow ref | Rekor | Provenance |
|---|---|---|---|---|---|
| kaos-agents | — | — | — | — | |
| kaos-citations | — | — | — | — | |
| kaos-content | — | — | — | — | |
| kaos-core | — | — | — | — | |
| kaos-graph | — | — | — | — | |
| kaos-llm-client | — | — | — | — | |
| kaos-llm-core | — | — | — | — | |
| kaos-mcp | — | — | — | — | |
| kaos-ml-core | — | — | — | — | |
| kaos-names | — | — | — | — | |
| kaos-nlp-core | — | — | — | — | |
| kaos-nlp-transformers | — | — | — | — | |
| kaos-office | — | — | — | — | |
| kaos-pdf | — | — | — | — | |
| kaos-source | — | — | — | — | |
| kaos-tabular | — | — | — | — | |
| kaos-ui | — | — | — | — | |
| kaos-web | — | — | — | — | |
Per-package details
Each package lists its SBOM links and its top licenses by component count.
kaos-agents
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 59, Apache-2.0 × 36, BSD-3-Clause × 25, BSD-2-Clause × 3, Apache-2.0 OR BSD-3-Clause × 2, ISC × 2, PSF-2.0 × 2, Python-2.0 × 2
kaos-citations
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 29, BSD-3-Clause × 12, Apache-2.0 × 8, BSD-2-Clause × 4, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0 × 1, ISC × 1
kaos-content
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 26, Apache-2.0 × 10, BSD-3-Clause × 9, BSD-2-Clause × 2, MPL-2.0 × 2, Apache-2.0 OR BSD-2-Clause × 1, BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0 × 1, ISC × 1
kaos-core
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 26, BSD-3-Clause × 9, Apache-2.0 × 2, BSD-2-Clause × 2, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, MPL-2.0 × 1, PSF-2.0 × 1
kaos-graph
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT OR Apache-2.0 × 37, MIT × 35, BSD-3-Clause × 11, Apache-2.0 × 9, Apache-2.0 OR MIT × 3, Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT × 2, BSD-2-Clause OR Apache-2.0 OR MIT × 2, Python-2.0 × 2
kaos-llm-client
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 36, BSD-3-Clause × 10, Apache-2.0 × 7, LicenseRef-unknown-e3b0c442 × 2, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-2-Clause × 1, ISC × 1
kaos-llm-core
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 32, BSD-3-Clause × 10, Apache-2.0 × 9, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-2-Clause × 1, BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0 × 1, ISC × 1
kaos-mcp
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 29, BSD-3-Clause × 10, Apache-2.0 × 5, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-2-Clause × 1, ISC × 1, MPL-2.0 × 1
kaos-ml-core
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 36, BSD-3-Clause × 16, Apache-2.0 × 13, MIT OR Apache-2.0 × 12, BSD-2-Clause × 2, (MIT OR Apache-2.0) AND Unicode-3.0 × 1, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1
kaos-names
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 6, Apache-2.0 × 1, Apache-2.0 OR BSD-2-Clause × 1, BSD-2-Clause × 1, BSD-3-Clause × 1
kaos-nlp-core
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT OR Apache-2.0 × 92, MIT × 30, Unicode-3.0 × 16, Apache-2.0 OR MIT × 14, Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT × 13, LicenseRef-unknown-ec5c82d8 × 13, Apache-2.0 × 8, BSD-3-Clause × 7
kaos-nlp-transformers
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT OR Apache-2.0 × 154, MIT × 74, Apache-2.0 × 20, Unicode-3.0 × 18, Apache-2.0 OR MIT × 16, Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT × 15, BSD-3-Clause × 15, LicenseRef-unknown-ec5c82d8 × 14
kaos-office
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 33, BSD-3-Clause × 11, Apache-2.0 × 7, BSD-2-Clause × 2, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0 × 1, ISC × 1
kaos-pdf
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 32, BSD-3-Clause × 12, Apache-2.0 × 8, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-2-Clause × 1, BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0 × 1, ISC × 1
kaos-source
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 30, BSD-3-Clause × 11, Apache-2.0 × 7, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-2-Clause × 1, BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0 × 1, ISC × 1
kaos-tabular
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 30, BSD-3-Clause × 10, Apache-2.0 × 6, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-2-Clause × 1, ISC × 1, MPL-2.0 × 1
kaos-ui
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 11, Apache-2.0 × 3, BSD-3-Clause × 3, Apache-2.0 OR BSD-2-Clause × 1, BSD-2-Clause × 1, PSF-2.0 × 1
kaos-web
- SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)
- Top licenses: MIT × 35, BSD-3-Clause × 11, Apache-2.0 × 7, BSD-2-Clause × 2, ISC × 2, Apache-2.0 OR BSD-2-Clause × 1, Apache-2.0 OR BSD-3-Clause × 1, BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0 × 1
How this is collected
Per-package SBOMs are read from data/sbom/<pkg>-<version>.cdx.json. The license rollup tallies every component[].licenses[].license.id value across those SBOMs. PEP 740 attestation rows come from https://pypi.org/simple/<pkg>/ requested with Accept: application/vnd.pypi.simple.v1+json, following each files[i].provenance URL to the provenance object and reading the Rekor log index embedded in its transparency entries. SBOMs without a dependencies[] graph are flagged amber because a component list without edges is a manifest, not an SBOM. See methodology.html.
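The collection path just described, carried through to the Build-level rule stated under "SLSA Build Level" at the top of the page, as one added example (not the dashboard's collector). The HTTP fetches are replaced by constructed JSON with placeholder digests, URLs and log indexes. The shapes follow PEP 740 (files[i].provenance on the Simple API file entry; a provenance object with attestation_bundles[], each carrying a publisher and attestations[] with an envelope and verification_material) and Sigstore's transparency-log entry (logIndex). Nothing cryptographic happens here: "verified" below only means the in-toto statement decodes and its subject digest matches the file's sha256. The real check (certificate chain, signature, inclusion proof) is the job of pypi-attestations / sigstore-python.

```python
"""PyPI Simple v1 JSON -> PEP 740 provenance -> attestation row and Build-level verdict.
Added example; constructed data, structural checks only (no signature verification)."""
import base64
import json

HOSTED_CI_KINDS = {"GitHub", "GitLab"}  # Trusted Publisher kinds on hosted CI/CD


def _b64(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


def _attestation(filename: str, sha256: str, log_index: str) -> dict:
    """Constructed PEP 740 attestation; envelope.statement is a base64 in-toto statement."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": filename, "digest": {"sha256": sha256}}],
        "predicateType": "https://docs.pypi.org/attestations/publish/v1",
        "predicate": None,
    }
    return {
        "version": 1,
        "verification_material": {
            "certificate": _b64("placeholder-signing-certificate"),
            "transparency_entries": [{"logIndex": log_index, "logId": {"keyId": "placeholder"}}],
        },
        "envelope": {"statement": _b64(statement), "signature": _b64("placeholder-signature")},
    }


WHL, SDIST = "kaos_example-1.4.0-py3-none-any.whl", "kaos_example-1.4.0.tar.gz"
WHL_SHA, SDIST_SHA = "11" * 32, "22" * 32
PROV_URL = f"https://pypi.org/integrity/kaos-example/1.4.0/{WHL}/provenance"  # placeholder URL

# Constructed response to GET /simple/kaos-example/ with Accept: application/vnd.pypi.simple.v1+json
SIMPLE = {
    "meta": {"api-version": "1.3"}, "name": "kaos-example", "versions": ["1.4.0"],
    "files": [
        {"filename": WHL, "hashes": {"sha256": WHL_SHA}, "provenance": PROV_URL},
        {"filename": SDIST, "hashes": {"sha256": SDIST_SHA}, "provenance": None},  # uploaded by hand
    ],
}
# Constructed provenance object keyed by its URL; stands in for the HTTP fetch
PROVENANCE = {PROV_URL: {
    "version": 1,
    "attestation_bundles": [{
        "publisher": {"kind": "GitHub", "repository": "example-org/kaos-example",
                      "workflow": "release.yml", "environment": "pypi"},
        "attestations": [_attestation(WHL, WHL_SHA, "987654321")],
    }],
}}


def attestation_row(file: dict, fetch) -> dict:
    """One row of the 'PEP 740 attestations' table for a Simple-API file entry."""
    row = {"filename": file["filename"], "publisher": None, "source_repo": None,
           "workflow_ref": None, "rekor": [], "verified": False}
    if not file.get("provenance"):  # key absent or null: no attestation for this file
        return row
    for bundle in fetch(file["provenance"]).get("attestation_bundles", []):
        pub = bundle["publisher"]
        row["publisher"], row["source_repo"] = pub["kind"], pub.get("repository")
        row["workflow_ref"] = pub.get("workflow") or pub.get("workflow_filepath")  # GitHub / GitLab key
        for att in bundle.get("attestations", []):
            stmt = json.loads(base64.b64decode(att["envelope"]["statement"]))
            # Subject binding: the statement must name this file with this exact digest.
            bound = any(s.get("name") == file["filename"]
                        and s.get("digest", {}).get("sha256") == file["hashes"]["sha256"]
                        for s in stmt.get("subject", []))
            row["verified"] = row["verified"] or bound
            row["rekor"] += [e["logIndex"] for e in
                             att.get("verification_material", {}).get("transparency_entries", [])]
    return row


def build_level(rows: list[dict]) -> tuple[str, str]:
    """Page rule: L2 (effective) iff EVERY file is verified AND all publishers are hosted CI/CD."""
    if not rows or any(not r["verified"] for r in rows):
        return "none", "—"
    kinds = {r["publisher"] for r in rows}
    if not kinds <= HOSTED_CI_KINDS:
        return "none", "—"
    return "Build L2 (effective)", "/".join(sorted(kinds))


def collect(simple: dict, fetch) -> tuple[list[dict], tuple[str, str]]:
    rows = [attestation_row(f, fetch) for f in simple["files"]]
    return rows, build_level(rows)


if __name__ == "__main__":
    rows, verdict = collect(SIMPLE, PROVENANCE.__getitem__)
    for r in rows:
        print(r)
    print(verdict)  # the hand-uploaded sdist alone keeps the release below L2 (effective)
```

The subject-digest check is the part worth keeping even after you add real verification: a valid Sigstore bundle that attests a different file is still useless for the file you are about to install, and the page's "every artifact" wording is what makes the unattested sdist fail the release as a whole.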