gitlab-license_finder 6.14.2.1
- checksums.yaml +7 -0
- data/.force-build +0 -0
- data/.gitignore +13 -0
- data/.rspec +1 -0
- data/.rubocop.yml +70 -0
- data/CHANGELOG.md +981 -0
- data/CONTRIBUTING.md +121 -0
- data/Dockerfile +249 -0
- data/Gemfile +2 -0
- data/LICENSE +22 -0
- data/README.md +555 -0
- data/Rakefile +77 -0
- data/TODO.md +12 -0
- data/VERSION +1 -0
- data/appveyor.yml +21 -0
- data/bin/license_finder +6 -0
- data/bin/license_finder_pip.py +43 -0
- data/ci/pipelines/pull-request.yml.erb +141 -0
- data/ci/pipelines/release.yml.erb +200 -0
- data/ci/scripts/containerize-tests.sh +14 -0
- data/ci/scripts/pushscript.sh +32 -0
- data/ci/scripts/run-rubocop.sh +15 -0
- data/ci/scripts/run-tests.sh +24 -0
- data/ci/scripts/test.ps1 +81 -0
- data/ci/scripts/updateChangelog.sh +84 -0
- data/ci/tasks/build-and-push-gem.yml +10 -0
- data/ci/tasks/build-windows.yml +6 -0
- data/ci/tasks/build.yml +16 -0
- data/ci/tasks/rubocop.yml +15 -0
- data/ci/tasks/run-tests.yml +10 -0
- data/ci/tasks/update-changelog.yml +18 -0
- data/dlf +12 -0
- data/examples/Gemfile +4 -0
- data/examples/custom_erb_template.rb +24 -0
- data/examples/extract_license_data.rb +63 -0
- data/examples/sample_template.erb +7 -0
- data/lib/license_finder/cli/approvals.rb +28 -0
- data/lib/license_finder/cli/base.rb +107 -0
- data/lib/license_finder/cli/dependencies.rb +44 -0
- data/lib/license_finder/cli/ignored_dependencies.rb +32 -0
- data/lib/license_finder/cli/ignored_groups.rb +32 -0
- data/lib/license_finder/cli/inherited_decisions.rb +50 -0
- data/lib/license_finder/cli/licenses.rb +26 -0
- data/lib/license_finder/cli/main.rb +221 -0
- data/lib/license_finder/cli/makes_decisions.rb +38 -0
- data/lib/license_finder/cli/patched_thor.rb +33 -0
- data/lib/license_finder/cli/permitted_licenses.rb +32 -0
- data/lib/license_finder/cli/project_name.rb +32 -0
- data/lib/license_finder/cli/restricted_licenses.rb +32 -0
- data/lib/license_finder/cli.rb +20 -0
- data/lib/license_finder/configuration.rb +186 -0
- data/lib/license_finder/core.rb +118 -0
- data/lib/license_finder/decision_applier.rb +70 -0
- data/lib/license_finder/decisions.rb +312 -0
- data/lib/license_finder/decisions_factory.rb +13 -0
- data/lib/license_finder/diff.rb +51 -0
- data/lib/license_finder/license/any_matcher.rb +15 -0
- data/lib/license_finder/license/definitions.rb +366 -0
- data/lib/license_finder/license/header_matcher.rb +17 -0
- data/lib/license_finder/license/matcher.rb +24 -0
- data/lib/license_finder/license/none_matcher.rb +11 -0
- data/lib/license_finder/license/template.rb +19 -0
- data/lib/license_finder/license/templates/0BSD.txt +10 -0
- data/lib/license_finder/license/templates/Apache1_1.txt +16 -0
- data/lib/license_finder/license/templates/Apache2.txt +172 -0
- data/lib/license_finder/license/templates/BSD.txt +24 -0
- data/lib/license_finder/license/templates/CC01.txt +30 -0
- data/lib/license_finder/license/templates/CDDL1.txt +131 -0
- data/lib/license_finder/license/templates/EPL1.txt +86 -0
- data/lib/license_finder/license/templates/GPLv2.txt +339 -0
- data/lib/license_finder/license/templates/GPLv3.txt +674 -0
- data/lib/license_finder/license/templates/ISC.txt +2 -0
- data/lib/license_finder/license/templates/LGPL.txt +165 -0
- data/lib/license_finder/license/templates/LGPL2_1.txt +169 -0
- data/lib/license_finder/license/templates/MIT.txt +9 -0
- data/lib/license_finder/license/templates/MPL1_1.txt +469 -0
- data/lib/license_finder/license/templates/MPL2.txt +373 -0
- data/lib/license_finder/license/templates/NewBSD.txt +21 -0
- data/lib/license_finder/license/templates/OFL.txt +91 -0
- data/lib/license_finder/license/templates/Python.txt +47 -0
- data/lib/license_finder/license/templates/Ruby.txt +52 -0
- data/lib/license_finder/license/templates/SimplifiedBSD.txt +19 -0
- data/lib/license_finder/license/templates/WTFPL.txt +14 -0
- data/lib/license_finder/license/templates/Zlib.txt +17 -0
- data/lib/license_finder/license/text.rb +45 -0
- data/lib/license_finder/license.rb +117 -0
- data/lib/license_finder/license_aggregator.rb +59 -0
- data/lib/license_finder/logger.rb +69 -0
- data/lib/license_finder/package.rb +202 -0
- data/lib/license_finder/package_delta.rb +61 -0
- data/lib/license_finder/package_manager.rb +181 -0
- data/lib/license_finder/package_managers/bower.rb +37 -0
- data/lib/license_finder/package_managers/bundler.rb +110 -0
- data/lib/license_finder/package_managers/cargo.rb +38 -0
- data/lib/license_finder/package_managers/carthage.rb +68 -0
- data/lib/license_finder/package_managers/cocoa_pods.rb +61 -0
- data/lib/license_finder/package_managers/composer.rb +63 -0
- data/lib/license_finder/package_managers/conan.rb +28 -0
- data/lib/license_finder/package_managers/conda.rb +131 -0
- data/lib/license_finder/package_managers/dep.rb +43 -0
- data/lib/license_finder/package_managers/dotnet.rb +83 -0
- data/lib/license_finder/package_managers/erlangmk.rb +50 -0
- data/lib/license_finder/package_managers/glide.rb +36 -0
- data/lib/license_finder/package_managers/go_15vendorexperiment.rb +87 -0
- data/lib/license_finder/package_managers/go_dep.rb +80 -0
- data/lib/license_finder/package_managers/go_modules.rb +93 -0
- data/lib/license_finder/package_managers/go_workspace.rb +116 -0
- data/lib/license_finder/package_managers/govendor.rb +73 -0
- data/lib/license_finder/package_managers/gradle.rb +99 -0
- data/lib/license_finder/package_managers/gvt.rb +69 -0
- data/lib/license_finder/package_managers/maven.rb +65 -0
- data/lib/license_finder/package_managers/mix.rb +131 -0
- data/lib/license_finder/package_managers/npm.rb +57 -0
- data/lib/license_finder/package_managers/nuget.rb +154 -0
- data/lib/license_finder/package_managers/pip.rb +70 -0
- data/lib/license_finder/package_managers/pipenv.rb +63 -0
- data/lib/license_finder/package_managers/rebar.rb +65 -0
- data/lib/license_finder/package_managers/sbt.rb +50 -0
- data/lib/license_finder/package_managers/spm.rb +93 -0
- data/lib/license_finder/package_managers/trash.rb +43 -0
- data/lib/license_finder/package_managers/yarn.rb +107 -0
- data/lib/license_finder/package_utils/activation.rb +40 -0
- data/lib/license_finder/package_utils/conan_info_parser.rb +77 -0
- data/lib/license_finder/package_utils/gradle_dependency_finder.rb +15 -0
- data/lib/license_finder/package_utils/license_files.rb +41 -0
- data/lib/license_finder/package_utils/licensing.rb +39 -0
- data/lib/license_finder/package_utils/maven_dependency_finder.rb +15 -0
- data/lib/license_finder/package_utils/notice_files.rb +40 -0
- data/lib/license_finder/package_utils/possible_license_file.rb +27 -0
- data/lib/license_finder/package_utils/pypi.rb +41 -0
- data/lib/license_finder/package_utils/sbt_dependency_finder.rb +15 -0
- data/lib/license_finder/packages/bower_package.rb +42 -0
- data/lib/license_finder/packages/bundler_package.rb +33 -0
- data/lib/license_finder/packages/cargo_package.rb +28 -0
- data/lib/license_finder/packages/carthage_package.rb +18 -0
- data/lib/license_finder/packages/cocoa_pods_package.rb +22 -0
- data/lib/license_finder/packages/composer_package.rb +13 -0
- data/lib/license_finder/packages/conan_package.rb +23 -0
- data/lib/license_finder/packages/conda_package.rb +74 -0
- data/lib/license_finder/packages/erlangmk_package.rb +114 -0
- data/lib/license_finder/packages/go_package.rb +32 -0
- data/lib/license_finder/packages/gradle_package.rb +30 -0
- data/lib/license_finder/packages/manual_package.rb +27 -0
- data/lib/license_finder/packages/maven_package.rb +27 -0
- data/lib/license_finder/packages/merged_package.rb +44 -0
- data/lib/license_finder/packages/mix_package.rb +13 -0
- data/lib/license_finder/packages/npm_package.rb +171 -0
- data/lib/license_finder/packages/nuget_package.rb +13 -0
- data/lib/license_finder/packages/pip_package.rb +50 -0
- data/lib/license_finder/packages/rebar_package.rb +13 -0
- data/lib/license_finder/packages/sbt_package.rb +22 -0
- data/lib/license_finder/packages/spm_package.rb +18 -0
- data/lib/license_finder/packages/yarn_package.rb +13 -0
- data/lib/license_finder/platform.rb +15 -0
- data/lib/license_finder/project_finder.rb +62 -0
- data/lib/license_finder/report.rb +33 -0
- data/lib/license_finder/reports/csv_report.rb +99 -0
- data/lib/license_finder/reports/diff_report.rb +29 -0
- data/lib/license_finder/reports/erb_report.rb +58 -0
- data/lib/license_finder/reports/html_report.rb +13 -0
- data/lib/license_finder/reports/json_report.rb +30 -0
- data/lib/license_finder/reports/junit_report.rb +19 -0
- data/lib/license_finder/reports/markdown_report.rb +9 -0
- data/lib/license_finder/reports/merged_report.rb +16 -0
- data/lib/license_finder/reports/templates/bootstrap.css +9 -0
- data/lib/license_finder/reports/templates/html_report.erb +113 -0
- data/lib/license_finder/reports/templates/junit_report.erb +41 -0
- data/lib/license_finder/reports/templates/markdown_report.erb +49 -0
- data/lib/license_finder/reports/templates/xml_report.erb +19 -0
- data/lib/license_finder/reports/text_report.rb +12 -0
- data/lib/license_finder/reports/xml_report.rb +19 -0
- data/lib/license_finder/scanner.rb +83 -0
- data/lib/license_finder/shared_helpers/cmd.rb +13 -0
- data/lib/license_finder/shared_helpers/common_path.rb +29 -0
- data/lib/license_finder/version.rb +6 -0
- data/lib/license_finder.rb +14 -0
- data/license_finder.gemspec +72 -0
- data/release/instructions.md +8 -0
- data/swift-all-keys.asc +240 -0
- metadata +544 -0
data/README.md
ADDED
@@ -0,0 +1,555 @@
|
|
1
|
+
# License Finder
|
2
|
+
|
3
|
+
[![Code Climate](https://codeclimate.com/github/pivotal/LicenseFinder.png)](https://codeclimate.com/github/pivotal/LicenseFinder)
|
4
|
+
|
5
|
+
Build status
|
6
|
+
* Ruby 2.3.8 [![Ruby 2.3.8 build status](https://norsk.cf-app.com/api/v1/teams/main/pipelines/LicenseFinder/jobs/ruby-2.3.8/badge)](https://norsk.cf-app.com/teams/main/pipelines/LicenseFinder)
|
7
|
+
* Ruby 2.4.9 [![Ruby 2.4.9 build status](https://norsk.cf-app.com/api/v1/teams/main/pipelines/LicenseFinder/jobs/ruby-2.4.9/badge)](https://norsk.cf-app.com/teams/main/pipelines/LicenseFinder)
|
8
|
+
* Ruby 2.5.7 [![Ruby 2.5.7 build status](https://norsk.cf-app.com/api/v1/teams/main/pipelines/LicenseFinder/jobs/ruby-2.5.7/badge)](https://norsk.cf-app.com/teams/main/pipelines/LicenseFinder)
|
9
|
+
* Ruby 2.6.5 [![Ruby 2.6.5 build status](https://norsk.cf-app.com/api/v1/teams/main/pipelines/LicenseFinder/jobs/ruby-2.6.5/badge)](https://norsk.cf-app.com/teams/main/pipelines/LicenseFinder)
|
10
|
+
* Ruby 2.7.1 [![Ruby 2.7.1 build status](https://norsk.cf-app.com/api/v1/teams/main/pipelines/LicenseFinder/jobs/ruby-2.7.1/badge)](https://norsk.cf-app.com/teams/main/pipelines/LicenseFinder)
|
11
|
+
* JRuby 9.2.9.0 [![JRuby 9.2.9.0 build status](https://norsk.cf-app.com/api/v1/teams/main/pipelines/LicenseFinder/jobs/ruby-jruby-9.2.9.0/badge)](https://norsk.cf-app.com/teams/main/pipelines/LicenseFinder)
|
12
|
+
|
13
|
+
|
14
|
+
LicenseFinder works with your package managers to find dependencies,
|
15
|
+
detect the licenses of the packages in them, compare those licenses
|
16
|
+
against a user-defined list of permitted licenses,
|
17
|
+
and give you an actionable exception report.
|
18
|
+
|
19
|
+
* code: https://github.com/pivotal/LicenseFinder
|
20
|
+
* ci: https://norsk.cf-app.com/teams/main/pipelines/LicenseFinder
|
21
|
+
* docker: [licensefinder/license_finder](https://hub.docker.com/r/licensefinder/license_finder/)
|
22
|
+
* the docker image contains all the package managers needed to run `license_finder`
|
23
|
+
* support:
|
24
|
+
* license-finder@googlegroups.com
|
25
|
+
* https://groups.google.com/forum/#!forum/license-finder
|
26
|
+
* backlog: https://www.pivotaltracker.com/n/projects/234851
|
27
|
+
|
28
|
+
### Supported project types
|
29
|
+
|
30
|
+
| Project Type | Package Manager | Tested on Version |
|
31
|
+
| ------------ | --------------- | -------:|
|
32
|
+
| Ruby Gems | bundler | 1.16.6 |
|
33
|
+
| Python 2.7 Eggs | pip2 | 19.0.2 |
|
34
|
+
| Python 3.5 Eggs | pip3 | 19.0.2 |
|
35
|
+
| Node.js | npm | 6.4.1 |
|
36
|
+
| Bower | bower | 1.8.4 |
|
37
|
+
| Nuget (without license discovery) | nuget | 4.7.1.5393 |
|
38
|
+
| Godep | Godep | 80 |
|
39
|
+
| Go workspace (via a `.envrc` file) | Go lang | 1.11.5 |
|
40
|
+
| Go modules | Go lang | 1.11.5 |
|
41
|
+
| Java | maven | 3.6.0 |
|
42
|
+
| Java | gradle | 4.10.3 |
|
43
|
+
|
44
|
+
### Experimental project types
|
45
|
+
|
46
|
+
* Erlang (via `rebar` and `Erlang.mk`)
|
47
|
+
* Objective-C, Swift (via Carthage, CocoaPods \[0.39 and below. See [CocoaPods Specs Repo Sharding](http://blog.cocoapods.org/Sharding/)\]) and Swift Package Manager)
|
48
|
+
* Objective-C (+ CocoaPods 0.39 and below. See [CocoaPods Specs Repo Sharding](http://blog.cocoapods.org/Sharding/))
|
49
|
+
* Elixir (via `mix`)
|
50
|
+
* Golang (via `gvt`, `glide`,`dep`, `trash` and `govendor`)
|
51
|
+
* JavaScript (via `yarn`)
|
52
|
+
* C++/C (via `conan`)
|
53
|
+
* Scala (via `sbt`)
|
54
|
+
* Rust (via `cargo`)
|
55
|
+
* Go Modules (via `go mod`)
|
56
|
+
* PHP (via `composer`)
|
57
|
+
* Python (via Conda [Conda 4.8.3, Python 3.7, Bash; requires an `environment.yml` or `environment.yaml`])
|
58
|
+
|
59
|
+
## Installation
|
60
|
+
|
61
|
+
License Finder requires Ruby 2.3.3 or greater to run. If you have an older
|
62
|
+
version of Ruby installed, you can update via Homebrew:
|
63
|
+
|
64
|
+
```sh
|
65
|
+
$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
|
66
|
+
```
|
67
|
+
|
68
|
+
then:
|
69
|
+
|
70
|
+
```sh
|
71
|
+
$ brew install ruby
|
72
|
+
```
|
73
|
+
|
74
|
+
The easiest way to use `license_finder` is to install it as a command
|
75
|
+
line tool, like brew, awk, gem or bundler:
|
76
|
+
|
77
|
+
```sh
|
78
|
+
$ gem install license_finder
|
79
|
+
```
|
80
|
+
|
81
|
+
Though it's less preferable, if you are using bundler in a Ruby
|
82
|
+
project, you can add `license_finder` to your Gemfile:
|
83
|
+
|
84
|
+
```ruby
|
85
|
+
gem 'license_finder', :group => :development
|
86
|
+
```
|
87
|
+
|
88
|
+
This approach helps you remember to install `license_finder`, but can
|
89
|
+
pull in unwanted dependencies, including `bundler`. To mitigate this
|
90
|
+
problem, see [Excluding Dependencies](#excluding-dependencies).
|
91
|
+
|
92
|
+
|
93
|
+
## Usage
|
94
|
+
|
95
|
+
Make sure your dependencies are installed (with your package manager's install command: `bundle install`, `npm install`, etc.)
|
96
|
+
|
97
|
+
The first time you run `license_finder` it will list all your project's packages.
|
98
|
+
|
99
|
+
```sh
|
100
|
+
$ license_finder
|
101
|
+
```
|
102
|
+
|
103
|
+
Or, if you installed with bundler:
|
104
|
+
|
105
|
+
```sh
|
106
|
+
$ bundle exec license_finder
|
107
|
+
```
|
108
|
+
|
109
|
+
The output will report that none of your packages have been
|
110
|
+
approved. Over time you will tell `license_finder` which packages
|
111
|
+
are approved, so when you run this command in the future, it will
|
112
|
+
report current action items; i.e., packages that are new or have
|
113
|
+
never been approved.
|
114
|
+
|
115
|
+
If you don't wish to see progressive output "dots", use the `--quiet`
|
116
|
+
option.
|
117
|
+
|
118
|
+
If you'd like to see debugging output, use the `--debug`
|
119
|
+
option. `license_finder` will then output info about packages, their
|
120
|
+
dependencies, and where and how each license was discovered. This can
|
121
|
+
be useful when you need to track down an unexpected package or
|
122
|
+
license.
|
123
|
+
|
124
|
+
If you do not want to manually run an individual package manager's prepare
|
125
|
+
command (ex: `bundle install`, `npm install`, etc) to ensure your project
|
126
|
+
is fully prepared to be scanned, use the `--prepare` or `-p` option which will run
|
127
|
+
each active package manager's prepare command for you. If you would like to continue
|
128
|
+
running `license_finder` even if there is an issue with a prepare step, use the
|
129
|
+
`--prepare-no-fail` option which prepares but carries on despite any potential failures.
|
130
|
+
|
131
|
+
Run `license_finder help` to see other available commands, and
|
132
|
+
`license_finder help [COMMAND]` for detailed help on a specific
|
133
|
+
command.
|
134
|
+
|
135
|
+
### Docker
|
136
|
+
|
137
|
+
If you have docker installed, try using the included `dlf` script (potentially
|
138
|
+
symlinked to be in your path via `ln -s LicenseFinder/dlf /usr/local/bin` or
|
139
|
+
whatever method you prefer). This will run any commands passed to it inside a
|
140
|
+
pre-provisioned Docker container to maintain consistent versions of all the
|
141
|
+
package managers. For example,
|
142
|
+
|
143
|
+
```
|
144
|
+
$ dlf npm --version
|
145
|
+
5.3.0
|
146
|
+
|
147
|
+
$ dlf license_finder --help
|
148
|
+
|
149
|
+
Dependencies that need approval:
|
150
|
+
...
|
151
|
+
license_finder, 3.0.3, MIT
|
152
|
+
|
153
|
+
$ dlf "bundle install && license_finder"
|
154
|
+
```
|
155
|
+
|
156
|
+
You can better understand the way this script works by looking at its source, but for
|
157
|
+
reference it will mount your current directory at the path `/scan` and run any commands
|
158
|
+
passed to it from that directory.
|
159
|
+
|
160
|
+
Note that the docker image will run the gem which is installed within it.
|
161
|
+
So the docker image tagged `4.0.2` will run *License Finder Version 4.0.2*
|
162
|
+
|
163
|
+
See the [contributing guide](https://github.com/pivotal/LicenseFinder/blob/master/CONTRIBUTING.md) for information on development.
|
164
|
+
|
165
|
+
### Activation
|
166
|
+
|
167
|
+
`license_finder` will find and include packages for all supported
|
168
|
+
languages, as long as that language has a package definition in the project directory:
|
169
|
+
|
170
|
+
* `Gemfile` (for `bundler`)
|
171
|
+
* `requirements.txt` (for `pip`)
|
172
|
+
* `package.json` (for `npm`)
|
173
|
+
* `pom.xml` (for `maven`)
|
174
|
+
* `build.gradle` (for `gradle`)
|
175
|
+
* `settings.gradle` that specifies `rootProject.buildFileName` (for `gradle`)
|
176
|
+
* `bower.json` (for `bower`)
|
177
|
+
* `Podfile` (for `pod`)
|
178
|
+
* `Cartfile` (for `carthage`)
|
179
|
+
* `workspace-state.json` under build directory (provided as enviroment variable `SPM_DERIVED_DATA` for Xcode, or default `.build` for non-Xcode projects), (for `spm`)
|
180
|
+
* `rebar.config` (for `rebar`)
|
181
|
+
* `Erlang.mk` or `erlang.mk` file (for `Erlang.mk`)
|
182
|
+
* `mix.exs` (for `mix`)
|
183
|
+
* `packages/` directory (for `nuget`)
|
184
|
+
* `*.csproj` (for `dotnet`)
|
185
|
+
* `vendor/manifest` or `*/vendor/manifest` file (for `gvt`)
|
186
|
+
* `glide.lock` file (for `glide`)
|
187
|
+
* `vendor/vendor.json` file (for `govendor`)
|
188
|
+
* `Gopkg.lock` file (for `dep`)
|
189
|
+
* `go.mod` file (for `go mod`)
|
190
|
+
* `vendor.conf` file (for `trash`)
|
191
|
+
* `yarn.lock` file (for `yarn`)
|
192
|
+
* `conanfile.txt` file (for `conan`)
|
193
|
+
* `build.sbt` file (for `sbt`)
|
194
|
+
* `Cargo.lock` file (for `cargo`)
|
195
|
+
* `composer.lock` file (for `composer`)
|
196
|
+
|
197
|
+
|
198
|
+
### Continuous Integration
|
199
|
+
|
200
|
+
`license_finder` will return a non-zero exit status if there are unapproved
|
201
|
+
dependencies. This can be useful for inclusion in a CI environment to alert you
|
202
|
+
if someone adds an unapproved dependency to the project.
|
203
|
+
|
204
|
+
|
205
|
+
## Approving Dependencies
|
206
|
+
|
207
|
+
`license_finder` will inform you whenever you have an unapproved dependency.
|
208
|
+
If your business decides this is an acceptable risk, the easiest way to approve
|
209
|
+
the dependency is by running `license_finder approvals add`.
|
210
|
+
|
211
|
+
For example, let's assume you've added the `awesome_gpl_gem`
|
212
|
+
to your Gemfile, which `license_finder` reports is unapproved:
|
213
|
+
|
214
|
+
```sh
|
215
|
+
$ license_finder
|
216
|
+
Dependencies that need approval:
|
217
|
+
awesome_gpl_gem, 1.0.0, GPL
|
218
|
+
```
|
219
|
+
|
220
|
+
Your business tells you that in this case, it's acceptable to use this
|
221
|
+
gem. You now run:
|
222
|
+
|
223
|
+
```sh
|
224
|
+
$ license_finder approvals add awesome_gpl_gem
|
225
|
+
```
|
226
|
+
|
227
|
+
If you rerun `license_finder`, you should no longer see
|
228
|
+
`awesome_gpl_gem` in the output.
|
229
|
+
|
230
|
+
To approve specific version
|
231
|
+
|
232
|
+
```sh
|
233
|
+
$ license_finder approvals add awesome_gpl_gem --version=1.0.0
|
234
|
+
```
|
235
|
+
|
236
|
+
To record who approved the dependency and why:
|
237
|
+
|
238
|
+
```sh
|
239
|
+
$ license_finder approvals add awesome_gpl_gem --who CTO --why "Go ahead"
|
240
|
+
```
|
241
|
+
|
242
|
+
### Permitting Licenses
|
243
|
+
|
244
|
+
Approving packages one-by-one can be tedious. Usually your business has
|
245
|
+
blanket policies about which packages are approved. To tell `license_finder`
|
246
|
+
that any package with the MIT license should be approved, run:
|
247
|
+
|
248
|
+
``` sh
|
249
|
+
$ license_finder permitted_licenses add MIT
|
250
|
+
```
|
251
|
+
|
252
|
+
Any current or future packages with the MIT license will be excluded from the
|
253
|
+
output of `license_finder`.
|
254
|
+
|
255
|
+
You can also record `--who` and `--why` when changing permitted licenses,
|
256
|
+
or making any other decision about your project.
|
257
|
+
|
258
|
+
|
259
|
+
## Output and Artifacts
|
260
|
+
|
261
|
+
### Decisions file
|
262
|
+
|
263
|
+
Any decisions you make about approvals will be recorded in a YAML file named
|
264
|
+
`doc/dependency_decisions.yml`.
|
265
|
+
|
266
|
+
This file must be committed to version control. Rarely, you will have to
|
267
|
+
manually resolve conflicts in it. In this situation, keep in mind that each
|
268
|
+
decision has an associated timestamp, and the decisions are processed
|
269
|
+
top-to-bottom, with later decisions overwriting or appending to earlier
|
270
|
+
decisions.
|
271
|
+
|
272
|
+
### Output from `action_items`
|
273
|
+
|
274
|
+
You could expect `license_finder`, which is an alias for `license_finder
|
275
|
+
action_items` to output something like the following on a Rails project where
|
276
|
+
MIT had been permitted:
|
277
|
+
|
278
|
+
```
|
279
|
+
Dependencies that need approval:
|
280
|
+
|
281
|
+
highline, 1.6.14, ruby
|
282
|
+
json, 1.7.5, ruby
|
283
|
+
mime-types, 1.19, ruby
|
284
|
+
rails, 3.2.8, unknown
|
285
|
+
rdoc, 3.12, unknown
|
286
|
+
rubyzip, 0.9.9, ruby
|
287
|
+
xml-simple, 1.1.1, unknown
|
288
|
+
```
|
289
|
+
|
290
|
+
You can customize the format of the output in the same way that you customize
|
291
|
+
[output from `report`](#output-from-report).
|
292
|
+
|
293
|
+
### Output from `project_roots`
|
294
|
+
|
295
|
+
The `license_finder project_roots` command will output the current working directory as a string in an array.
|
296
|
+
|
297
|
+
Using the `--recursive` option means the array will include subdirectories that contain a known package manager. With the exception that Gradle and Maven subprojects will not be included.
|
298
|
+
|
299
|
+
|
300
|
+
### Output from `report`
|
301
|
+
|
302
|
+
The `license_finder report` command will output human-readable reports that you
|
303
|
+
could send to your non-technical business partners, lawyers, etc. You can
|
304
|
+
choose the format of the report (text, csv, html or markdown); see
|
305
|
+
`license_finder --help report` for details. The output is sent to STDOUT, so
|
306
|
+
you can save the reports wherever you want them. You can commit them to
|
307
|
+
version control if you like.
|
308
|
+
|
309
|
+
The HTML report generated by `license_finder report --format html` summarizes
|
310
|
+
all of your project's dependencies and includes information about which need to
|
311
|
+
be approved. The project name at the top of the report can be set with
|
312
|
+
`license_finder project_name add`.
|
313
|
+
|
314
|
+
### Note:
|
315
|
+
When using the yarn package manager, when a node_module's package.json doesn't
|
316
|
+
explicitly declare a license, yarn indicates that it has inferred the license based
|
317
|
+
on some keywords in other files by appending an asterisk to the license name. If you
|
318
|
+
see a * at the end of the license name, this is intended.
|
319
|
+
|
320
|
+
See [CONTRIBUTING.md](https://github.com/pivotal/LicenseFinder/blob/master/CONTRIBUTING.md#adding-reports)
|
321
|
+
for advice about adding and customizing reports.
|
322
|
+
|
323
|
+
|
324
|
+
## Manual Intervention
|
325
|
+
|
326
|
+
### Setting Licenses
|
327
|
+
|
328
|
+
When `license_finder` reports that a dependency's license is 'unknown',
|
329
|
+
you should manually research what the actual license is. When you
|
330
|
+
have established the real license, you can record it with:
|
331
|
+
|
332
|
+
```sh
|
333
|
+
$ license_finder licenses add my_unknown_dependency MIT --homepage="www.unknown-code.org"
|
334
|
+
```
|
335
|
+
|
336
|
+
This command would assign the MIT license to the dependency
|
337
|
+
`my_unknown_dependency`. It will also set its homepage to `www.unknown-code.org`.
|
338
|
+
|
339
|
+
|
340
|
+
### Adding Hidden Dependencies
|
341
|
+
|
342
|
+
`license_finder` can track dependencies that your package managers
|
343
|
+
don't know about (JS libraries that don't appear in your
|
344
|
+
Gemfile/requirements.txt/package.json, etc.)
|
345
|
+
|
346
|
+
```sh
|
347
|
+
$ license_finder dependencies add my_js_dep MIT 0.1.2
|
348
|
+
```
|
349
|
+
|
350
|
+
Run `license_finder dependencies help` for
|
351
|
+
additional documentation about managing these dependencies.
|
352
|
+
|
353
|
+
`license_finder` cannot automatically detect when one of these
|
354
|
+
dependencies has been removed from your project, so you can use:
|
355
|
+
|
356
|
+
```sh
|
357
|
+
$ license_finder dependencies remove my_js_dep
|
358
|
+
```
|
359
|
+
|
360
|
+
### Excluding Dependencies
|
361
|
+
|
362
|
+
Sometimes a project will have development or test dependencies which
|
363
|
+
you don't want to track. You can exclude theses dependencies by running
|
364
|
+
`license_finder ignored_groups`. (Currently this only works for packages
|
365
|
+
managed by Bundler, NPM, Yarn, Maven, Pip2, Pip3, and Nuget.)
|
366
|
+
|
367
|
+
On rare occasions a package manager will report an individual dependency
|
368
|
+
that you want to exclude from all reports, even though it is approved.
|
369
|
+
You can exclude an individual dependency by running
|
370
|
+
`license_finder ignored_dependencies`. Think carefully before adding
|
371
|
+
dependencies to this list. A likely item to exclude is `bundler`,
|
372
|
+
since it is a common dependency whose version changes from machine to
|
373
|
+
machine. Adding it to the `ignored_dependencies` would prevent it
|
374
|
+
(and its oscillating versions) from appearing in reports.
|
375
|
+
|
376
|
+
### Restricting Licenses
|
377
|
+
|
378
|
+
Some projects will have a list of licenses that cannot be used. You can
|
379
|
+
restrict these licenses with `license_finder restricted_licenses add`. Any dependency
|
380
|
+
that has exclusively restricted licenses will always appear in the action
|
381
|
+
items, even if someone attempts to manually approve or permit it. However,
|
382
|
+
if a dependency has even one license that is not restricted, it can still be
|
383
|
+
manually approved or permitted.
|
384
|
+
|
385
|
+
## Decision inheritance
|
386
|
+
|
387
|
+
Add or remove decision files you want to inherit from - see `license_finder inherited_decisions help` for more information.
|
388
|
+
|
389
|
+
This allows you to have a centralized decision file for approved/restricted licenses. If you have multiple projects it's way easier to have one single place where you approved or restricted licenses defined.
|
390
|
+
|
391
|
+
Add one or more decision files to the inherited decisions
|
392
|
+
```bash
|
393
|
+
license_finder inherited_decisions add DECISION_FILE
|
394
|
+
```
|
395
|
+
|
396
|
+
Remove one or more decision files from the inherited decisions
|
397
|
+
```bash
|
398
|
+
license_finder inherited_decisions remove DECISION_FILE
|
399
|
+
```
|
400
|
+
|
401
|
+
List all the inherited decision files
|
402
|
+
```bash
|
403
|
+
license_finder inherited_decisions list
|
404
|
+
```
|
405
|
+
|
406
|
+
## Configuration
|
407
|
+
|
408
|
+
Be default, `license_finder` expects the decisions file to be stored at
|
409
|
+
`doc/dependency_decisions.yml`. All commands can be passed `--decisions_file`
|
410
|
+
to override this location.
|
411
|
+
|
412
|
+
### Package Manager Configuration
|
413
|
+
|
414
|
+
If you have a gradle project, you can invoke gradle with a custom script by
|
415
|
+
passing (for example) `--gradle_command gradlew` to `license_finder` or
|
416
|
+
`license_finder report`.
|
417
|
+
|
418
|
+
Similarly you can invoke a custom rebar script with `--rebar_command rebar`.
|
419
|
+
If you store rebar dependencies in a custom directory (by setting `deps_dir` in
|
420
|
+
`rebar.config`), set `--rebar_deps_dir`.
|
421
|
+
|
422
|
+
You can also invoke a custom Mix script `remix` with `--mix_command remix` and
|
423
|
+
set `--mix_deps_dir` to fetch Mix dependencies from a custom directory.
|
424
|
+
|
425
|
+
### Narrow down Package Manager
|
426
|
+
|
427
|
+
By default, license_finder will check for all supported package managers,
|
428
|
+
but you can narrow it down to use only those you pass to `--enabled-package-managers`.
|
429
|
+
For example,
|
430
|
+
|
431
|
+
```
|
432
|
+
$ license_finder --enabled-package-managers bundler npm
|
433
|
+
```
|
434
|
+
|
435
|
+
### Saving Configuration
|
436
|
+
|
437
|
+
It may be difficult to remember to pass command line options to every command.
|
438
|
+
In some of these cases you can store default values in a YAML formatted config
|
439
|
+
file. `license_finder` looks for this file in `config/license_finder.yml`.
|
440
|
+
|
441
|
+
As an example, the file might look like this:
|
442
|
+
|
443
|
+
```yaml
|
444
|
+
---
|
445
|
+
decisions_file: './some_path/decisions.yml'
|
446
|
+
gradle_command: './gradlew'
|
447
|
+
rebar_command: './rebarw'
|
448
|
+
rebar_deps_dir: './rebar_deps'
|
449
|
+
mix_command: './mixw'
|
450
|
+
mix_deps_dir: './mix_deps'
|
451
|
+
enabled_package_managers:
|
452
|
+
- bundler
|
453
|
+
- gradle
|
454
|
+
- rebar
|
455
|
+
- mix
|
456
|
+
```
|
457
|
+
|
458
|
+
### Gradle Projects
|
459
|
+
|
460
|
+
`license_finder` supports both Gradle 1.x and Gradle 2.x. You need to have installed
|
461
|
+
the license-gradle-plugin in your project:
|
462
|
+
[https://github.com/hierynomus/license-gradle-plugin](https://github.com/hierynomus/license-gradle-plugin)
|
463
|
+
|
464
|
+
By default, `license_finder` will report on Gradle's "runtime" dependencies. If
|
465
|
+
you want to generate a report for some other dependency configuration (e.g.
|
466
|
+
Android projects will sometimes specify their meaningful dependencies in the
|
467
|
+
"compile" group), you can specify it in your project's `build.gradle`:
|
468
|
+
|
469
|
+
```
|
470
|
+
// Must come *after* applying the appropriate plugin from [https://github.com/hierynomus/license-gradle-plugin](https://github.com/hierynomus/license-gradle-plugin)
|
471
|
+
|
472
|
+
downloadLicenses {
|
473
|
+
dependencyConfiguration "compile"
|
474
|
+
}
|
475
|
+
```
|
476
|
+
|
477
|
+
### Conan Projects
|
478
|
+
|
479
|
+
`license_finder` supports Conan. You need to have the following lines in your conanfile.txt for `license_finder` to retrieve dependencies' licenses.
|
480
|
+
Ensure that `conan install` does not generate an error.
|
481
|
+
|
482
|
+
```
|
483
|
+
[imports]
|
484
|
+
., license* -> ./licenses @ folder=True, ignore_case=True
|
485
|
+
```
|
486
|
+
|
487
|
+
### SBT Projects
|
488
|
+
|
489
|
+
`license_finder` supports SBT. You need to have installed the sbt-license-report in your project:
|
490
|
+
[https://github.com/sbt/sbt-license-report](https://github.com/sbt/sbt-license-report)
|
491
|
+
|
492
|
+
By default, `license_finder` will report on SBT's "compile" and "test" dependencies. If
|
493
|
+
you want to generate a report for some other dependency configuration, you can specify
|
494
|
+
it in your projects's `build.sbt`
|
495
|
+
|
496
|
+
```
|
497
|
+
licenseConfigurations := Set("compile", "provided")
|
498
|
+
```
|
499
|
+
|
500
|
+
## Requirements
|
501
|
+
|
502
|
+
`license_finder` requires ruby >= 1.9.3, or jruby.
|
503
|
+
|
504
|
+
|
505
|
+
## Upgrading
|
506
|
+
|
507
|
+
To upgrade to `license_finder` version >= 6.0, you have to replace the terminology `whitelist` with `permit` and `blacklist` with `restrict` in your `dependency_decisions.yml`. See [Changelog](https://github.com/pivotal/LicenseFinder/blob/master/CHANGELOG.md#600--2020-01-22) for more details.
|
508
|
+
|
509
|
+
To upgrade from `license_finder` version 1.2 to 2.0, see
|
510
|
+
[`license_finder_upgrade`](https://github.com/mainej/license_finder_upgrade).
|
511
|
+
To upgrade to 2.0 from a version lower than 1.2, first upgrade to 1.2, and run
|
512
|
+
`license_finder` at least once. This will ensure that the `license_finder`
|
513
|
+
database is in a state which `license_finder_upgrade` understands.
|
514
|
+
|
515
|
+
|
516
|
+
## A Plea to Package Authors and Maintainers
|
517
|
+
|
518
|
+
Please add a license to your package specs! Most packaging systems
|
519
|
+
allow for the specification of one or more licenses.
|
520
|
+
|
521
|
+
For example, Ruby Gems can specify a license by name:
|
522
|
+
|
523
|
+
```ruby
|
524
|
+
Gem::Specification.new do |s|
|
525
|
+
s.name = "my_great_gem"
|
526
|
+
s.license = "MIT"
|
527
|
+
end
|
528
|
+
```
|
529
|
+
|
530
|
+
And save a `LICENSE` file which contains your license text in your repo.
|
531
|
+
|
532
|
+
## Known issues with specific package managers
|
533
|
+
|
534
|
+
* Bundler
|
535
|
+
* When using `--project-path`, Bundler cannot find the Gemfile.
|
536
|
+
|
537
|
+
* Yarn
|
538
|
+
* A module that is incompatible with the platform on which
|
539
|
+
license_finder is run will always be reported to have a license type
|
540
|
+
of "unknown". ([#456](https://github.com/pivotal/LicenseFinder/issues/456))
|
541
|
+
|
542
|
+
## Support
|
543
|
+
|
544
|
+
* Send an email to the list: [license-finder@googlegroups.com](license-finder@googlegroups.com)
|
545
|
+
* View the project backlog at Pivotal Tracker: [https://www.pivotaltracker.com/n/projects/234851](https://www.pivotaltracker.com/n/projects/234851)
|
546
|
+
|
547
|
+
|
548
|
+
## Contributing
|
549
|
+
|
550
|
+
See [CONTRIBUTING.md](https://github.com/pivotal/LicenseFinder/blob/master/CONTRIBUTING.md).
|
551
|
+
|
552
|
+
|
553
|
+
## License
|
554
|
+
|
555
|
+
LicenseFinder is released under the MIT License. http://www.opensource.org/licenses/mit-license
|
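--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require './lib/license_finder/platform'
+require 'rspec/core/rake_task'
+
+desc 'Run all specs in spec/'
+RSpec::Core::RakeTask.new(:spec) do |t|
+t.fail_on_error = true
+t.pattern = './spec/**/*_spec.rb'
+t.rspec_opts = %w[--color]
+end
+
+namespace :features do
+desc 'Run test tagged \'focus\''
+RSpec::Core::RakeTask.new(:focus) do |t|
+t.fail_on_error = true
+t.pattern = './features/**/*_spec.rb'
+opts = %w[--color --format d --tag focus]
+opts += LicenseFinder::Platform.darwin? ? [] : %w[--tag ~ios]
+t.rspec_opts = opts
+end
+end
+
+desc 'Run all specs in features/'
+RSpec::Core::RakeTask.new(:features) do |t|
+t.fail_on_error = true
+t.pattern = './features/**/*_spec.rb'
+opts = %w[--color --format d]
+opts += LicenseFinder::Platform.darwin? ? [] : %w[--tag ~ios]
+t.rspec_opts = opts
+end
+
+desc 'Check for non-Ruby development dependencies.'
+task :check_dependencies do
+require './lib/license_finder'
+satisfied = true
+LicenseFinder::Scanner::PACKAGE_MANAGERS.each do |package_manager|
+satisfied = false unless package_manager.new(project_path: Pathname.new('')).installed?(LicenseFinder::Logger.new(LicenseFinder::Logger::MODE_INFO))
+end
+STDOUT.flush
+exit 1 unless satisfied
+end
+
+desc 'Configure LF and LF PR pipeline'
+task :update_pipeline, [:slack_url, :slack_channel] do |_, args|
+slack_url = args[:slack_url]
+slack_channel = args[:slack_channel]
+
+unless slack_url || slack_channel
+puts 'Warning: skipping slack notifications setup'
+puts 'Warning: You should provide slack channel and url to receive slack notifications on build failures'
+end
+
+ruby_versions = %w[2.7.1 2.6.5 2.5.7 2.4.9 2.3.8 jruby-9.2.14.0]
+
+params = []
+params << "ruby_versions=#{ruby_versions.join(',')}"
+params << "slack_url=#{slack_url}" if slack_url
+params << "slack_channel=#{slack_channel}" if slack_channel
+
+vars = params.join(' ')
+
+cmd = "bash -c \"fly -t osl set-pipeline -n -p LicenseFinder --config <(erb #{vars} ci/pipelines/release.yml.erb)\""
+system(cmd)
+
+cmd = "bash -c \"fly -t osl set-pipeline -n -p LicenseFinder-pr --config <(erb #{vars} ci/pipelines/pull-request.yml.erb)\""
+system(cmd)
+end
+
+task default: %i[spec features]
+task spec: :check_dependencies
+task features: :check_dependencies
+task 'spec:focus': :check_dependencies
+task 'features:focus': :check_dependencies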
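Review bot: The `update_pipeline` task interpolates the caller-supplied `slack_url` and `slack_channel` arguments unescaped into a `bash -c "..."` string (hunk lines 61, 62, 66 and 69), so a value containing shell metacharacters such as `&`, `;` or `$(` is interpreted by bash rather than handed to `erb` as a variable. The arguments come from the developer invoking rake, so the exposure is limited, but a URL with a `&` in its query string would already break the command silently, since neither `system` call has its return value checked. Escape each parameter before joining: `require 'shellwords'` at the top, then `params << "slack_url=#{Shellwords.escape(slack_url)}" if slack_url` and `params << "slack_channel=#{Shellwords.escape(slack_channel)}" if slack_channel`. Separately, the guard `unless slack_url || slack_channel` (line 52) only warns when both are missing; providing just one of them passes a partial Slack configuration to the pipeline without any message, and `&&`-ing the warning condition (or warning on `!(slack_url && slack_channel)`) would match the text of the warning itself.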
data/TODO.md
ADDED
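--- a/data/VERSION
+++ b/data/VERSION
@@ -0,0 +1 @@
+6.14.2.1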
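--- a/data/appveyor.yml
+++ b/data/appveyor.yml
@@ -0,0 +1,21 @@
+environment:
+HOME: $(HOMEDRIVE)$(HOMEPATH)
+GOPATH: $(HOME)\go
+PATH: $(PATH);$(GOPATH)\bin;$(HOME)\rebar;$(HOME)\gradle\bin
+
+install:
+- bundle install
+
+build_script:
+- rake build
+
+# Prerequisites for running tests.
+before_test:
+- rake install
+- bash --login -c "ci/install_godep.sh"
+- bash --login -c "ci/install_bower.sh"
+- bash --login -c "ci/install_rebar.sh"
+- bash --login -c "ci/install_gradle.sh"
+
+test_script:
+- rake spec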