LicenseFinder works with your package managers to find dependencies, detect the licenses of the packages in them, compare those licenses against a user-defined whitelist, and give you an actionable exception report.
- code: https://github.com/pivotal/LicenseFinder
- support:
- backlog: https://www.pivotaltracker.com/s/projects/234851
- Ruby Gems (via
bundler
) - Python Eggs (via
pip
) - Node.js (via
npm
) - Bower
- Java (via
maven
) - Java (via
gradle
) - Objective-C (+ CocoaPods)
The easiest way to use license_finder
is to install it as a command
line tool, like brew, awk, gem or bundler:
$ gem install license_finder
Though it's less preferable, if you are using bundler in a Ruby
project, you can add license_finder
to your Gemfile:
gem 'license_finder', :group => :development
This approach helps you remember to install license_finder
, but can
pull in unwanted dependencies, including bundler
. To mitigate this
problem, see ignored_groups in Configuration.
license_finder
will generate reports of action items; i.e.,
dependencies that do not fall within your license "whitelist".
$ license_finder
Or, if you installed with bundler:
$ bundle exec license_finder
If you don't wish to see progressive output "dots", use the --quiet
option.
If you'd like to see debugging output, use the --debug
option. license_finder
will then output info about packages, their
dependencies, and where and how each license was discovered. This can
be useful when you need to track down an unexpected package or
license.
Run license_finder help
to see other available commands, and
license_finder help [COMMAND]
for detailed help on a specific
command.
license_finder
will find and include packages for all supported
languages, as long as that language has a package definition in the project directory:
Gemfile
(forbundler
)requirements.txt
(forpip
)package.json
(fornpm
)pom.xml
(formaven
)build.gradle
(forgradle
)bower.json
(forbower
)Podfile
(for CocoaPods)
license_finder
will also return a non-zero exit status if there are
unapproved dependencies. This can be useful for inclusion in a CI
environment to alert you if someone adds an unapproved dependency to
the project.
On a Rails project, you could expect license_finder
to output
something like the following (assuming you whitelisted the MIT license
-- see Configuration):
Dependencies that need approval:
highline, 1.6.14, ruby
json, 1.7.5, ruby
mime-types, 1.19, ruby
rails, 3.2.8, other
rdoc, 3.12, other
rubyzip, 0.9.9, ruby
xml-simple, 1.1.1, other
The executable task will also write out a dependencies.db
,
dependencies.csv
, and dependencies.html
file (in the doc/
directory by default -- see Configuration).
The latter two files are human-readable reports that you could send to your non-technical business partners, lawyers, etc.
The HTML report generated by license_finder
shows a summary of the
project's dependencies and dependencies which need to be approved. The
project name at the top of the report can be set in
config/license_finder.yml
.
When license_finder
reports that a dependency's license is 'other',
you should manually research what the actual license is. When you
have established the real license, you can record it with:
$ license_finder license MIT my_unknown_dependency
This command would assign the MIT license to the dependency
my_unknown_dependency
.
Whenever you have a dependency that falls outside of your whitelist,
license_finder
will tell you. If your business decides that this is
an acceptable risk, you can manually approve the dependency by using
the license_finder approve
command.
For example, let's assume you've only whitelisted the "MIT" license in
your config/license_finder.yml
. You then add the awesome_gpl_gem
to your Gemfile, which we'll assume is licensed with the GPL
license. You then run license_finder
and see the gem listed in the
output:
awesome_gpl_gem, 1.0.0, GPL
Your business tells you that in this case, it's acceptable to use this gem. You now run:
$ license_finder approve awesome_gpl_gem
If you rerun license_finder
, you should no longer see
awesome_gpl_gem
in the output.
To record who approved the dependency and why:
$ license_finder approve awesome_gpl_gem --approver CTO --message "Go ahead"
Adding Hidden Dependencies
license_finder
can track dependencies that your package managers
don't know about (JS libraries that don't appear in your
Gemfile/requirements.txt/package.json, etc.)
$ license_finder dependencies add MIT my_js_dep 0.1.2
To automatically approve an unmanaged dependency when you add it, use:
$ license_finder dependencies add MIT my_js_dep 0.1.2 --approve
To record who approved the dependency when you add it, use:
$ license_finder dependencies add MIT my_js_dep 0.1.2 --approve --approver CTO --message "Go ahead"
The version is optional. Run license_finder dependencies help
for
additional documentation about managing these dependencies.
license_finder
cannot automatically detect when one of these
dependencies has been removed from your project, so you can use:
$ license_finder dependencies remove my_js_dep
The first time you run license_finder
it will create a default
configuration file ./config/license_finder.yml
, which will look
something like this:
---
whitelist:
#- MIT
#- Apache 2.0
ignore_groups:
#- test
#- development
ignore_dependencies:
#- bundler
dependencies_file_dir: './doc/'
project_name: My Project Name
gradle_command: # only meaningful if used with a Java/gradle project. Defaults to "gradle".
By modifying this file, you can configure license_finder
's behavior:
- Automatically approve licenses in the
whitelist
- Exclude test or development dependencies by setting
ignore_groups
. (Currently this only works for Bundler.) - Exclude specific dependencies by setting
ignore_dependencies
. (Think carefully before adding dependencies to this list. A likely item to exclude is bundler itself, to avoid noisy changes to the doc files when different people runlicense_finder
with different versions of bundler.) - Store the license database and text files in another directory by
changing
dependencies_file_dir
. - Set the HTML report title wih
project_name
, which defaults to the name of the working directory. - See below for explanation of "gradle_command".
You can also configure license_finder
through the command line. See
license_finder whitelist help
, license_finder ignored_bundler_groups help
and license_finder project_name help
for more details.
You need to install the license gradle plugin: https://github.com/hierynomus/license-gradle-plugin
LicenseFinder assumes that gradle is in your shell's command path and
can be invoked by just calling gradle
.
If you must invoke gradle some other way (e.g., with a custom
gradlew
script), set the gradle_command
option in your project's
license_finder.yml
:
# ... other configuration ...
gradle_command: ./gradlew
By default, license_finder
will report on gradle's "runtime"
dependencies. If you want to generate a report for some other
dependency configuration (e.g. Android projects will sometimes specify
their meaningful dependencies in the "compile" group), you can specify
it in your project's build.gradle
:
// Must come *after* the 'apply plugin: license' line
downloadLicenses {
dependencyConfiguration "compile"
}
If you wish to cleanup your root directory you can run:
$ license_finder move
This will move your dependencies.*
files to the doc/ directory and update the config.
license_finder
requires ruby >= 1.9, or jruby.
Please add a license to your package specs! Most packaging systems allow for the specification of one or more licenses.
For example, Ruby Gems may have a license specified by name:
Gem::Specification.new do |s|
s.name = "my_great_gem"
s.license = "MIT"
end
And add a LICENSE
file to your package that contains your license text.
- Send an email to the list: license-finder@googlegroups.com
- View the project backlog at Pivotal Tracker: https://www.pivotaltracker.com/s/projects/234851
- Fork the project from https://github.com/pivotal/LicenseFinder
- Create a feature branch.
- Make your feature addition or bug fix. Please make sure there is appropriate test coverage.
- Rebase on top of master.
- Send a pull request.
To successfully run the test suite, you will need node.js, python, pip
and gradle installed. If you run rake check_dependencies
, you'll see
exactly what you're missing.
You'll need a gradle version >= 1.8.
For the python dependency tests you will want to have virtualenv installed, to allow pip to work without sudo. For more details, see this post on virtualenv.
If you're running the test suite with jruby, you're probably going to want to set up some environment variables:
JAVA_OPTS='-client -XX:+TieredCompilation -XX:TieredStopAtLevel=1' JRUBY_OPTS='-J-Djruby.launch.inproc=true'
LicenseFinder is released under the MIT License. http://www.opensource.org/licenses/mit-license