The Copyright section in the CONTRIBUTING doc talks about licenses allowed for contributed code. In addition to that we need to explicitly call out the exact list of licenses allowed for dependencies to make it clear for all contributors.
It is going to be the same list. We only allow dependencies that are no-less permissive than Apache license. Borrowing this nice image from Wikipedia which clearly shows what can be combined with Apache 2.0 to result in Apache 2.0 (incoming arrows are fine, outgoing are not):

This issue came up here: https://github.com/open-telemetry/opentelemetry-js-contrib/pull/348
IANAL. There might be a distinction for components used for tests or CI/CD and components being distributed or referenced by the distribution.
@tigrannajaryan - Should we have another step in the CI/CD pipelines that checks licenses? Obviously this would have to be added for each language, but likely worth it due to downstream libraries not always verifying their dependency licenses.
@SergeyKanzhelev - Has an excellent point and also makes the check within the CI/CD pipeline that much more difficult.
There are vendors that offer solutions to this problem, maybe find one that offers free services for open-source projects?
We need to clarify usage of MPL-licensed dependencies. According to MPL it is OK:
Q13: May I combine MPL-licensed code and BSD-licensed code in the same executable program? What about Apache?
Yes to both. Mozilla currently does this with BSD-licensed code. For example, libvpx, which is used in Firefox to decode WebM video, is under a BSD license.
However our CONTRIBUTING guide does not list MPL as an allowed dependency license.
Most helpful comment
IANAL. There might be a distinction for components used for tests or CI/CD and components being distributed or referenced by the distribution.