Just very recently, like last year, we have incorporated OpenAPI and SPDX compatbility into our procurement regulations. SPDX is a Linux Foundation thing that allows any project to list all the open source dependencies that it have and thereby waive themself of warranties and stuff.