Automatic deletion of license inventory items because of small file name changes
Inventory items are tightly associated with files. When we have a software version change, there can be changes to the third-party license component file names (cxf-core-3.3.1.jar to cxf-core-3.3.2.jar).
When uploading a new zip file and selecting “delete existing project codebase”, all inventory items are deleted if the new zip file does not contain the exact file name associated with existing inventory items. The time and effort researching license information for inventory items should not be discarded so quickly.
When uploading zip files, you can either:
- Upload zip with no deletion
  - Pro: Preserves inventory items
  - Con: Unused folders and files stay around forever. Orphaned inventory items must be removed manually.
- Upload new zip with deletion (overwrite existing files/folders)
  - Pro: Folders and files are up-to-date with source control system
  - Con: Inventory item research (audit notes, approvals, license text, etc.) is lost forever once the inventory item is deleted because of file/folder name changes.
The user should be given the option to preserve inventory items. This should be the default since it is a huge waste of time and effort to redo the license analysis research. I would propose that the upload with deletion only change the status of the inventory items to “deprecated”. The analyst will then have the option to either:
- Delete the inventory item -- This would be used if the component was no longer used in the application
- Associate the inventory item with new files uploaded in the zip -- Small file name changes (cxf-core-3.3.1.jar to cxf-core-3.3.2.jar) will be handled without losing prior license audit notes and legal team approvals