License Audit Report

Project: MDDB (Markdown Database)
Date: 2026-03-10
Tool: Trivy - filesystem license scanner
Scan command: trivy fs --scanners license .


Executive Summary

Scanned 4 targets (Go modules + npm packages) with a total of 276 dependencies.

Metric | Value
Total dependencies scanned | 276
CRITICAL issues | 0
HIGH issues | 0
MEDIUM issues | 2
LOW issues | 274
Permissive (notice) | 272 (98.6%)
Reciprocal | 2 (0.7%)
Public domain (unencumbered) | 2 (0.7%)

Overall risk: LOW - No HIGH or CRITICAL license issues detected.


License Distribution

License | Count | Category | Commercial Use
MIT | 225 | notice | Yes
BSD-3-Clause | 23 | notice | Yes
Apache-2.0 | 14 | notice | Yes
ISC | 6 | notice | Yes
BSD-2-Clause | 4 | notice | Yes
CC0-1.0 | 2 | unencumbered | Yes
MPL-2.0 | 2 | reciprocal | Yes (with conditions)

Scan Targets

services/mddb-cli/go.mod

3 dependencies

Package | License | Severity | Category
github.com/inconshreveable/mousetrap | Apache-2.0 | LOW | notice
github.com/spf13/cobra | Apache-2.0 | LOW | notice
github.com/spf13/pflag | BSD-3-Clause | LOW | notice

services/mddb-panel/package-lock.json

216 dependencies

Package | License | Severity | Category
@0no-co/graphql.web | MIT | LOW | notice
@babel/runtime | MIT | LOW | notice
@types/debug | MIT | LOW | notice
@types/estree | MIT | LOW | notice
@types/estree-jsx | MIT | LOW | notice
@types/hast | MIT | LOW | notice
@types/http-proxy | MIT | LOW | notice
@types/mdast | MIT | LOW | notice
@types/ms | MIT | LOW | notice
@types/node | MIT | LOW | notice
@types/prismjs | MIT | LOW | notice
@types/react | MIT | LOW | notice
@types/unist | MIT | LOW | notice
@types/unist | MIT | LOW | notice
@ungap/structured-clone | ISC | LOW | notice
@urql/core | MIT | LOW | notice
accepts | MIT | LOW | notice
bail | MIT | LOW | notice
body-parser | MIT | LOW | notice
braces | MIT | LOW | notice
bytes | MIT | LOW | notice
call-bind-apply-helpers | MIT | LOW | notice
call-bound | MIT | LOW | notice
ccount | MIT | LOW | notice
character-entities | MIT | LOW | notice
character-entities-html4 | MIT | LOW | notice
character-entities-legacy | MIT | LOW | notice
character-reference-invalid | MIT | LOW | notice
comma-separated-tokens | MIT | LOW | notice
content-disposition | MIT | LOW | notice
content-type | MIT | LOW | notice
cookie | MIT | LOW | notice
cookie-signature | MIT | LOW | notice
csstype | MIT | LOW | notice
date-fns | MIT | LOW | notice
debug | MIT | LOW | notice
decode-named-character-reference | MIT | LOW | notice
depd | MIT | LOW | notice
dequal | MIT | LOW | notice
devlop | MIT | LOW | notice
dunder-proto | MIT | LOW | notice
ee-first | MIT | LOW | notice
encodeurl | MIT | LOW | notice
entities | BSD-2-Clause | LOW | notice
es-define-property | MIT | LOW | notice
es-errors | MIT | LOW | notice
es-object-atoms | MIT | LOW | notice
escape-html | MIT | LOW | notice
escape-string-regexp | MIT | LOW | notice
estree-util-is-identifier-name | MIT | LOW | notice
etag | MIT | LOW | notice
eventemitter3 | MIT | LOW | notice
express | MIT | LOW | notice
extend | MIT | LOW | notice
fault | MIT | LOW | notice
fill-range | MIT | LOW | notice
finalhandler | MIT | LOW | notice
follow-redirects | MIT | LOW | notice
forwarded | MIT | LOW | notice
fresh | MIT | LOW | notice
function-bind | MIT | LOW | notice
get-intrinsic | MIT | LOW | notice
get-proto | MIT | LOW | notice
gopd | MIT | LOW | notice
graphql | MIT | LOW | notice
has-symbols | MIT | LOW | notice
hasown | MIT | LOW | notice
hast-util-from-parse5 | MIT | LOW | notice
hast-util-parse-selector | MIT | LOW | notice
hast-util-raw | MIT | LOW | notice
hast-util-sanitize | MIT | LOW | notice
hast-util-to-jsx-runtime | MIT | LOW | notice
hast-util-to-parse5 | MIT | LOW | notice
hast-util-whitespace | MIT | LOW | notice
hastscript | MIT | LOW | notice
highlight.js | BSD-3-Clause | LOW | notice
highlightjs-vue | CC0-1.0 | LOW | unencumbered
html-url-attributes | MIT | LOW | notice
html-void-elements | MIT | LOW | notice
http-errors | MIT | LOW | notice
http-proxy | MIT | LOW | notice
http-proxy-middleware | MIT | LOW | notice
iconv-lite | MIT | LOW | notice
inherits | ISC | LOW | notice
inline-style-parser | MIT | LOW | notice
ipaddr.js | MIT | LOW | notice
is-alphabetical | MIT | LOW | notice
is-alphanumerical | MIT | LOW | notice
is-decimal | MIT | LOW | notice
is-extglob | MIT | LOW | notice
is-glob | MIT | LOW | notice
is-hexadecimal | MIT | LOW | notice
is-number | MIT | LOW | notice
is-plain-obj | MIT | LOW | notice
is-plain-object | MIT | LOW | notice
is-promise | MIT | LOW | notice
longest-streak | MIT | LOW | notice
lowlight | MIT | LOW | notice
lucide-react | ISC | LOW | notice
markdown-table | MIT | LOW | notice
math-intrinsics | MIT | LOW | notice
mdast-util-find-and-replace | MIT | LOW | notice
mdast-util-from-markdown | MIT | LOW | notice
mdast-util-gfm | MIT | LOW | notice
mdast-util-gfm-autolink-literal | MIT | LOW | notice
mdast-util-gfm-footnote | MIT | LOW | notice
mdast-util-gfm-strikethrough | MIT | LOW | notice
mdast-util-gfm-table | MIT | LOW | notice
mdast-util-gfm-task-list-item | MIT | LOW | notice
mdast-util-mdx-expression | MIT | LOW | notice
mdast-util-mdx-jsx | MIT | LOW | notice
mdast-util-mdxjs-esm | MIT | LOW | notice
mdast-util-phrasing | MIT | LOW | notice
mdast-util-to-hast | MIT | LOW | notice
mdast-util-to-markdown | MIT | LOW | notice
mdast-util-to-string | MIT | LOW | notice
media-typer | MIT | LOW | notice
merge-descriptors | MIT | LOW | notice
micromark | MIT | LOW | notice
micromark-core-commonmark | MIT | LOW | notice
micromark-extension-gfm | MIT | LOW | notice
micromark-extension-gfm-autolink-literal | MIT | LOW | notice
micromark-extension-gfm-footnote | MIT | LOW | notice
micromark-extension-gfm-strikethrough | MIT | LOW | notice
micromark-extension-gfm-table | MIT | LOW | notice
micromark-extension-gfm-tagfilter | MIT | LOW | notice
micromark-extension-gfm-task-list-item | MIT | LOW | notice
micromark-factory-destination | MIT | LOW | notice
micromark-factory-label | MIT | LOW | notice
micromark-factory-space | MIT | LOW | notice
micromark-factory-title | MIT | LOW | notice
micromark-factory-whitespace | MIT | LOW | notice
micromark-util-character | MIT | LOW | notice
micromark-util-chunked | MIT | LOW | notice
micromark-util-classify-character | MIT | LOW | notice
micromark-util-combine-extensions | MIT | LOW | notice
micromark-util-decode-numeric-character-reference | MIT | LOW | notice
micromark-util-decode-string | MIT | LOW | notice
micromark-util-encode | MIT | LOW | notice
micromark-util-html-tag-name | MIT | LOW | notice
micromark-util-normalize-identifier | MIT | LOW | notice
micromark-util-resolve-all | MIT | LOW | notice
micromark-util-sanitize-uri | MIT | LOW | notice
micromark-util-subtokenize | MIT | LOW | notice
micromark-util-symbol | MIT | LOW | notice
micromark-util-types | MIT | LOW | notice
micromatch | MIT | LOW | notice
mime-db | MIT | LOW | notice
mime-types | MIT | LOW | notice
ms | MIT | LOW | notice
negotiator | MIT | LOW | notice
object-inspect | MIT | LOW | notice
on-finished | MIT | LOW | notice
once | ISC | LOW | notice
parse-entities | MIT | LOW | notice
parse5 | MIT | LOW | notice
parseurl | MIT | LOW | notice
path-to-regexp | MIT | LOW | notice
picomatch | MIT | LOW | notice
prismjs | MIT | LOW | notice
property-information | MIT | LOW | notice
property-information | MIT | LOW | notice
proxy-addr | MIT | LOW | notice
qs | BSD-3-Clause | LOW | notice
range-parser | MIT | LOW | notice
raw-body | MIT | LOW | notice
react | MIT | LOW | notice
react-dom | MIT | LOW | notice
react-markdown | MIT | LOW | notice
react-syntax-highlighter | MIT | LOW | notice
refractor | MIT | LOW | notice
rehype-raw | MIT | LOW | notice
rehype-sanitize | MIT | LOW | notice
remark-gfm | MIT | LOW | notice
remark-parse | MIT | LOW | notice
remark-rehype | MIT | LOW | notice
remark-stringify | MIT | LOW | notice
requires-port | MIT | LOW | notice
router | MIT | LOW | notice
safer-buffer | MIT | LOW | notice
scheduler | MIT | LOW | notice
send | MIT | LOW | notice
serve-static | MIT | LOW | notice
setprototypeof | ISC | LOW | notice
side-channel | MIT | LOW | notice
side-channel-list | MIT | LOW | notice
side-channel-map | MIT | LOW | notice
side-channel-weakmap | MIT | LOW | notice
space-separated-tokens | MIT | LOW | notice
statuses | MIT | LOW | notice
stringify-entities | MIT | LOW | notice
style-to-js | MIT | LOW | notice
style-to-object | MIT | LOW | notice
to-regex-range | MIT | LOW | notice
toidentifier | MIT | LOW | notice
trim-lines | MIT | LOW | notice
trough | MIT | LOW | notice
type-is | MIT | LOW | notice
undici-types | MIT | LOW | notice
unified | MIT | LOW | notice
unist-util-is | MIT | LOW | notice
unist-util-position | MIT | LOW | notice
unist-util-stringify-position | MIT | LOW | notice
unist-util-visit | MIT | LOW | notice
unist-util-visit-parents | MIT | LOW | notice
unpipe | MIT | LOW | notice
urql | MIT | LOW | notice
vary | MIT | LOW | notice
vfile | MIT | LOW | notice
vfile-location | MIT | LOW | notice
vfile-message | MIT | LOW | notice
web-namespaces | MIT | LOW | notice
wonka | MIT | LOW | notice
wrappy | ISC | LOW | notice
zustand | MIT | LOW | notice
zwitch | MIT | LOW | notice

services/mddbd/go.mod

36 dependencies

Package | License | Severity | Category
github.com/99designs/gqlgen | MIT | LOW | notice
github.com/agnivade/levenshtein | MIT | LOW | notice
github.com/bits-and-blooms/bitset | BSD-3-Clause | LOW | notice
github.com/bits-and-blooms/bloom/v3 | BSD-2-Clause | LOW | notice
github.com/chewxy/math32 | BSD-2-Clause | LOW | notice
github.com/coder/hnsw | CC0-1.0 | LOW | unencumbered
github.com/go-viper/mapstructure/v2 | MIT | LOW | notice
github.com/goccy/go-json | MIT | LOW | notice
github.com/golang-jwt/jwt/v5 | MIT | LOW | notice
github.com/golang/snappy | BSD-3-Clause | LOW | notice
github.com/google/renameio | Apache-2.0 | LOW | notice
github.com/google/uuid | BSD-3-Clause | LOW | notice
github.com/gorilla/websocket | BSD-2-Clause | LOW | notice
github.com/hashicorp/golang-lru/v2 | MPL-2.0 | MEDIUM | reciprocal
github.com/klauspost/compress | Apache-2.0 | LOW | notice
github.com/klauspost/compress | BSD-3-Clause | LOW | notice
github.com/klauspost/compress | MIT | LOW | notice
github.com/quic-go/qpack | MIT | LOW | notice
github.com/quic-go/quic-go | MIT | LOW | notice
github.com/robfig/cron/v3 | MIT | LOW | notice
github.com/sosodev/duration | MIT | LOW | notice
github.com/vektah/gqlparser/v2 | MIT | LOW | notice
github.com/viterin/partial | MIT | LOW | notice
github.com/viterin/vek | MIT | LOW | notice
go.etcd.io/bbolt | MIT | LOW | notice
golang.org/x/crypto | BSD-3-Clause | LOW | notice
golang.org/x/exp | BSD-3-Clause | LOW | notice
golang.org/x/net | BSD-3-Clause | LOW | notice
golang.org/x/sync | BSD-3-Clause | LOW | notice
golang.org/x/sys | BSD-3-Clause | LOW | notice
golang.org/x/text | BSD-3-Clause | LOW | notice
google.golang.org/genproto/googleapis/rpc | Apache-2.0 | LOW | notice
google.golang.org/grpc | Apache-2.0 | LOW | notice
google.golang.org/protobuf | BSD-3-Clause | LOW | notice
gopkg.in/yaml.v3 | Apache-2.0 | LOW | notice
gopkg.in/yaml.v3 | MIT | LOW | notice

test/go.mod

21 dependencies

Package | License | Severity | Category
filippo.io/edwards25519 | BSD-3-Clause | LOW | notice
github.com/go-sql-driver/mysql | MPL-2.0 | MEDIUM | reciprocal
github.com/golang/snappy | BSD-3-Clause | LOW | notice
github.com/klauspost/compress | Apache-2.0 | LOW | notice
github.com/klauspost/compress | BSD-3-Clause | LOW | notice
github.com/klauspost/compress | MIT | LOW | notice
github.com/lib/pq | MIT | LOW | notice
github.com/montanaflynn/stats | MIT | LOW | notice
github.com/xdg-go/pbkdf2 | Apache-2.0 | LOW | notice
github.com/xdg-go/scram | Apache-2.0 | LOW | notice
github.com/xdg-go/stringprep | Apache-2.0 | LOW | notice
github.com/youmark/pkcs8 | MIT | LOW | notice
go.mongodb.org/mongo-driver | Apache-2.0 | LOW | notice
golang.org/x/crypto | BSD-3-Clause | LOW | notice
golang.org/x/net | BSD-3-Clause | LOW | notice
golang.org/x/sync | BSD-3-Clause | LOW | notice
golang.org/x/sys | BSD-3-Clause | LOW | notice
golang.org/x/text | BSD-3-Clause | LOW | notice
google.golang.org/genproto/googleapis/rpc | Apache-2.0 | LOW | notice
google.golang.org/grpc | Apache-2.0 | LOW | notice
google.golang.org/protobuf | BSD-3-Clause | LOW | notice

Items Requiring Attention

Reciprocal Licenses (MPL-2.0)

The following packages use MPL-2.0 (Mozilla Public License 2.0), which is a "file-level" copyleft license:

Package | Target
github.com/hashicorp/golang-lru/v2 | services/mddbd/go.mod
github.com/go-sql-driver/mysql | test/go.mod

Impact: MPL-2.0 requires that modifications to MPL-licensed source files must be released under MPL-2.0. However, it does not require the rest of the project to be open-sourced (unlike GPL). Using these libraries unmodified in a larger project is fully permitted for commercial use.

Action required: None, as long as the MPL-licensed files themselves are not modified. If modifications are needed, the changed files must be made available under MPL-2.0.

Medium Severity

Package | License | Target
github.com/hashicorp/golang-lru/v2 | MPL-2.0 | services/mddbd/go.mod
github.com/go-sql-driver/mysql | MPL-2.0 | test/go.mod

Note: MEDIUM severity in Trivy license scanning typically indicates licenses that may have additional requirements (e.g., attribution in binary distributions). Review these for compliance with your distribution method.


License Categories Explained

Category | Description | Examples
notice (permissive) | Free to use, modify, and distribute. Requires attribution/copyright notice. | MIT, BSD, Apache-2.0, ISC
unencumbered | Public domain or equivalent. No restrictions. | CC0-1.0, Unlicense
reciprocal | Modifications to licensed files must be shared. Does not "infect" the rest of the codebase. | MPL-2.0
restricted (copyleft) | Entire derivative work must use the same license. | GPL-2.0, GPL-3.0

Recommendations

  1. No immediate action required - all licenses are compatible with commercial use
  2. Maintain a LICENSE/NOTICE file listing all third-party dependencies and their licenses (standard practice for Apache-2.0 and BSD-licensed dependencies)
  3. Re-run this audit before each major release to catch any newly introduced dependencies with restrictive licenses
  4. Monitor MPL-2.0 dependencies - if you fork or modify their source files, ensure compliance

Report generated on 2026-03-10 using Trivy filesystem license scanner.