main | ||
dev |
tools-licenses
A Clojure tools.build task library related to dependency licenses. Somewhat inspired by the (discontinued) lein-licenses
Leiningen plugin, but with the added benefit of license canonicalisation (leveraging the excellent Software Package Data Exchange (SPDX) standard), and with the ability to check your project against the Apache Software Foundation's 3rd Party License Policy.
Tasks
licenses
- attempt to display the licenses used by all transitive dependencies of the projectcheck-asf-policy
- attempt to check your project's compliance with the ASF's 3rd Party License Policy
Using the library
Documentation
API documentation is available here, though since the refactoring out of the license detection and ASF policy validation code, that's not very interesting or useful any longer.
Dependency
Express the correct maven dependencies in your deps.edn
, for a build tool alias:
:aliases
:build
{:deps {com.github.pmonks/tools-licenses {:mvn/version "LATEST_CLOJARS_VERSION"}
io.github.seancorfield/build-clj {:git/tag "v0.6.7" :git/sha "22c2d09"}}
:ns-default your.build.ns}
Note that you must express an explicit dependency on io.github.seancorfield/build-clj
, as that project doesn't publish artifacts to Clojars yet, and transitive git coordinate dependencies are not supported by tools.deps.
Require the namespace
(ns your.build.ns
(:require [tools-licenses.tasks :as lic]))
Add one or more of the build tasks to your build
(defn licenses
"Attempts to list all licenses for the transitive set of dependencies of the project, using SPDX license expressions."
[opts]
(-> opts
(set-opts)
(lic/licenses)))
(defn check-asf-policy
"Checks this project's dependencies' licenses against the ASF's 3rd party license policy (https://www.apache.org/legal/resolved.html)."
[opts]
(-> opts
(set-opts)
(lic/check-asf-policy)))
Use the build tasks
licenses
task
Example summary output:
$ clj -T:build licenses
This project: Apache-2.0
License Number of Deps
---------------------------------------- --------------
Apache-2.0 72
BSD-3-Clause 1
CDDL-1.0 1
EPL-1.0 35
GPL-2.0-with-classpath-exception 2
LGPL-2.1 2
MIT 6
NON-SPDX-Public-Domain 1
Use clj -T:build licenses :output :detailed
to get detailed, per-dependency output (too long to reasonably include here).
If you see NON-SPDX-Unknown
license identifiers, and/or the task displays a list of dependencies with unknown licenses, please raise an issue here.
check-asf-policy
task
Example summary output:
$ clj -T:build check-asf-policy
Category Number of Deps
------------------------------ --------------
Category A 79
Category A (with caveats) 1
Category B 32
Creative Commons Licenses 0
Category X 0
Uncategorised 0
For more information, please see https://github.com/pmonks/tools-licenses/wiki/FAQ
Use clj -T:build check-asf-policy :output :detailed
to get detailed, per-dependency output (too long to reasonably include here).
Contributor Information
Developer Workflow
This project uses the git-flow branching strategy, with the caveat that the permanent branches are called main
and dev
, and any changes to the main
branch are considered a release and auto-deployed (JARs to Clojars, API docs to GitHub Pages, etc.).
For this reason, all development must occur either in branch dev
, or (preferably) in temporary branches off of dev
. All PRs from forked repos must also be submitted against dev
; the main
branch is only updated from dev
via PRs created by the core development team. All other changes submitted to main
will be rejected.
Build Tasks
tools-licenses
uses tools.build
. You can get a list of available tasks by running:
clojure -A:deps -T:build help/doc
Of particular interest are:
clojure -T:build test
- run the unit testsclojure -T:build lint
- run the linters (clj-kondo and eastwood)clojure -T:build ci
- run the full CI suite (check for outdated dependencies, run the unit tests, run the linters)clojure -T:build install
- build the JAR and install it locally (e.g. so you can test it with downstream code)
Please note that the deploy
task is restricted to the core development team (and will not function if you run it yourself).
License
Copyright © 2021 Peter Monks
Distributed under the Apache License, Version 2.0.
SPDX-License-Identifier: Apache-2.0