release | ||
dev |
A Clojure library for software license detection. It does this by combing through tools.deps and Leiningen dependencies (i.e. artifacts hosted on Maven repositories), directory structures, and JAR & ZIP files, attempting to detect what license(s) they reference and/or contain, and then normalising them into SPDX license expressions.
This library leverages, and is inspired by, the excellent SPDX project. It's a great shame that it doesn't have greater traction in the Java & Clojure (and wider open source) communities. If you're new to SPDX and would prefer to read a primer rather than dry specification documents, David A. Wheeler's SPDX Tutorial is a good (albeit slightly outdated) intro.
The author and contributors to lice-comb
are not lawyers, and neither they nor lice-comb
itself provides legal advice. This is nothing more than logic to assist in finding license information. If you need a primer on the legal aspects of open source software, the author has found the Blue Oak Council to be a useful resource.
-
lice-comb
(v2.0+) requires JDK 11 or higher. -
lice-comb
(all versions) requires an internet connection. -
lice-comb
(all versions) assumes Maven is installed and in thePATH
(but has fallback logic if it isn't available).
lice-comb
is available as a Maven artifact from Clojars.
$ clj -Sdeps '{:deps {com.github.pmonks/lice-comb {:mvn/version "RELEASE"}}}'
$ lein try com.github.pmonks/lice-comb
$ deps-try com.github.pmonks/lice-comb
;; Core matching functionality
(require '[lice-comb.matching :as lcm])
; Initialise the matching namespace
; Notes:
; 1. This is slow the first time it's run, due to Spdx-Java-Library downloading SPDX files
; from the internet and caching them (it takes ~1 minute on my laptop). It's substantially
; faster on subsequent invocations however.
; 2. This step is optional, though initialisation will still happen regardless, and when it
; does you'll incur the same cost
(lcm/init!)
(lcm/name->expressions "Apache")
;=> #{"Apache-2.0"}
(lcm/name->expressions "GNU Public License 2.0 w/ the GNU Classpath Exception")
;=> #{"GPL-2.0-only WITH Classpath-exception-2.0"}
(lcm/uri->expressions "https://www.apache.org/licenses/LICENSE-2.0.txt")
;=> #{"Apache-2.0"}
(lcm/text->expressions (slurp "https://www.apache.org/licenses/LICENSE-2.0.txt"))
;=> #{"Apache-2.0"}
;; License extraction from Maven GAVs and POMs, including ones that aren't locally downloaded
(require '[lice-comb.maven :as lcmvn])
(lcmvn/gav->expressions "commons-io" "commons-io" "2.15.0")
;=> #{"Apache-2.0"}
; Note: this looks up and uses the latest version of the given project (1.5.0-b01 at the time of
; writing), so the results you get may be different to what you see here
(lcmvn/gav->expressions "javax.mail" "mail")
;=> #{"CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0"}
(lcmvn/pom->expressions (str (System/getProperty "user.home") "/.m2/repository/org/clojure/clojure/1.11.2/clojure-1.11.2.pom"))
;=> #{"EPL-1.0"}
(lcmvn/pom->expressions "https://repo1.maven.org/maven2/org/springframework/spring-core/6.0.11/spring-core-6.0.11.pom")
;=> #{"Apache-2.0"}
;; License extraction from tools.deps dependency maps
(require '[lice-comb.deps :as lcd])
(lcd/dep->expressions ['org.clojure/clojure {:deps/manifest :mvn :mvn/version "1.12.0-alpha5"}])
;=> #{"EPL-1.0"}
;; License extraction from Leiningen dependency vectors
(require '[lice-comb.lein :as lcl])
(lcl/dep->expressions ['aopalliance/aopalliance "1.0"])
;=> #{"LicenseRef-lice-comb-PUBLIC-DOMAIN"}
; Also shows how lice-comb handles "public domain" attestations (which are not supported
; directly by SPDX, since "public domain" is not a license)
;; Information about matches (useful for better understanding how lice-comb arrived at a given
;; set of expressions, and how confident it is in the values it's providing)
(lcm/name->expressions-info "Apache-2.0")
;=> {"Apache-2.0" ({:type :declared, :strategy :spdx-expression, :source ("Apache-2.0")})}
(lcm/name->expressions-info "GNU Public License 2.0 or later w/ the GNU Classpath Exception")
;=> {"GPL-2.0-or-later WITH Classpath-exception-2.0"
; ({:type :concluded, :confidence :low, :strategy :expression-inference,
; :source ("GNU Public License 2.0 or later w/ the GNU Classpath Exception")}
; {:id "GPL-2.0-or-later", :type :concluded, :confidence :high, :strategy :regex-matching,
; :source ("GNU Public License 2.0 or later w/ the GNU Classpath Exception"
; "GNU Public License 2.0 or later")}
; {:id "Classpath-exception-2.0", :type :concluded, :confidence :low, :strategy :regex-matching,
; :source ("GNU Public License 2.0 or later w/ the GNU Classpath Exception"
; "the GNU Classpath Exception"
; "Classpath Exception"),
; :confidence-explanations #{:missing-version}})}
(lcmvn/pom->expressions-info "https://repo.clojars.org/canvas/canvas/0.1.6/canvas-0.1.6.pom")
;=> {"EPL-2.0 OR GPL-2.0-or-later WITH Classpath-exception-2.0"
; ({:type :declared, :strategy :spdx-expression,
; :source ("https://repo.clojars.org/canvas/canvas/0.1.6/canvas-0.1.6.pom"
; "<licenses><license><name>"
; "EPL-2.0 OR GPL-2.0-or-later WITH Classpath-exception-2.0")})}
;; Pretty print expressions-info
(require '[lice-comb.utils :as lcu])
(println (lcu/expressions-info->string (lcmvn/gav->expressions-info "com.amazonaws" "aws-java-sdk-s3" "1.12.129")))
;=> Apache-2.0:
; Concluded
; Confidence: high
; Strategy: regular expression matching
; Source:
; > com.amazonaws/aws-java-sdk-s3@1.12.129
; > https://repo.maven.apache.org/maven2/com/amazonaws/aws-java-sdk-s3/1.12.129/aws-java-sdk-s3-1.12.129.pom
; > https://repo.maven.apache.org/maven2/com/amazonaws/aws-java-sdk-pom/1.12.129/aws-java-sdk-pom-1.12.129.pom
; > <licenses><license><name>
; > Apache License, Version 2.0
API documentation is available here, or here on cljdoc.
The implementation of issue #3 resulted in a number of unavoidable breaking changes, including:
- A wholesale change from returning sets of SPDX identifiers to returning sets of SPDX expressions
- The creation of a dedicated SPDX-specific library (
clj-spdx
) that leverages the official SPDX Java library
This project uses the git-flow branching strategy, and the permanent branches are called release
and dev
. Any changes to the release
branch are considered a release and auto-deployed (JARs to Clojars, API docs to GitHub Pages, etc.).
For this reason, all development must occur either in branch dev
, or (preferably) in temporary branches off of dev
. All PRs from forked repos must also be submitted against dev
; the release
branch is only updated from dev
via PRs created by the core development team. All other changes submitted to release
will be rejected.
lice-comb
uses tools.build
. You can get a list of available tasks by running:
clojure -A:deps -T:build help/doc
Of particular interest are:
clojure -T:build test
- run the unit testsclojure -T:build lint
- run the linters (clj-kondo and eastwood)clojure -T:build ci
- run the full CI suite (check for outdated dependencies, run the unit tests, run the linters)clojure -T:build install
- build the JAR and install it locally (e.g. so you can test it with downstream code)
Please note that the deploy
task is restricted to the core development team (and will not function if you run it yourself).
Copyright © 2021 Peter Monks
Distributed under the Apache License, Version 2.0.
SPDX-License-Identifier: Apache-2.0
The OSI "Keyhole Logo" is used as per the Open Source Initiative's trademark and logo usage policies.