Obtaining source locations and licenses recursively for a derivation

Checking what licenses apply to a binary is not easy. With Nix we declare the license that applies to a source, although we declare it in the derivation of the built artifact.

I’m looking for a solution that can yield for me for a derivation what components potentially leave traces, what source those are built from, and what licenses apply. Clearly, recursion plays a role here.

We do not declare in our expressions what parts leave traces. We do know that buildInputs are run-time dependencies and are expected to leave traces. Certain nativeBuildInputs may leave traces as well, and thus need to be considered. Would it make sense to declare which dependencies leave traces? If so, where? Maybe nativeBuildInputsViral, or in the actual derivation that could be viral. The latter I don’t think will work because a given derivation does not always have to be viral. Cases where one points directly to derivations are difficult to handle.

Of course, one could also take the other way around. Build it, and check run-time dependencies. This, however, does not cover the cases where one generated or copied in parts.

Maybe consider then the run-time derivations obtained after build, along with manual checking of nativeBuildInputs?

Also, nix-show-derivation -r yields derivation information recursively, however, unfortunately meta is not included there.