
apache2-license-checker's Introduction

Apache2 License Checker

Automated license checker for validating project dependencies for compatible Apache2 licenses.

Use with your project

  • Run npm install @bbc/apache2-license-checker --save-dev
  • Modify your package.json to include apache2-license-checker as part of your test script

For example:

...
  "scripts": {
    "test": "mocha && npm run check-licenses",
    "check-licenses": "apache2-license-checker"
  },
...

The license checker exits with code 1 if there is any problem with the licenses, and with code 0 if all checks pass.

A temporary file licenses.json will be created containing a full license analysis based on output from the license-checker tool. You will probably want to .gitignore this file.

Creating Exceptions

If the license checker throws errors, and you've verified the errors as acceptable risks, then you may want to create an exceptions file in your local project. For example:

license-exceptions.json

{
  "exceptions": {
    "cosmos-deploy@*": {
      "reason": "Not required, acceptable use for BBC internal deployments"
    },
    "[email protected]": {
      "reason": "Public Domain; see: https://github.com/dscape/cycle/"
    },
    "[email protected]": {
      "reason": "MIT License; see: https://github.com/dominictarr/map-stream"
    },
    "[email protected]": {
      "reason": "Public Domain; see https://github.com/faisalman/ua-parser-js"
    }
  }
}

Development

To set up for development:

  • Check out the code
  • Run npm install
  • Run npm test

Modify scripts/whitelist.js to allow additional licenses or license combinations.

Modify scripts/exceptions.js to allow specific modules for a given reason.

Please push to a branch and raise a pull request, or fork and do the same.

Example output

In normal usage, running npm run check-licenses produces output similar to:

Acceptable project licenses (uses):
  (MIT AND CC-BY-3.0) (1)
  Apache-2.0 (3)
  BSD-2-Clause (1)
  BSD-3-Clause (1)
  ISC (15)
  MIT (23)
  Unlicense (1)
  WTFPL (1)

Acceptable project license exceptions:
  [email protected]
    Reason: Not required, acceptable use for BBC internal deployments
  [email protected]
    Reason: Public Domain; see: https://github.com/dscape/cycle/
  [email protected]
    Reason: MIT License; see: https://github.com/dominictarr/map-stream

All licenses ok Licensed (46) Exceptions (0) Problems (0)

If there is a problem with the licenses, then expect an output similar to:

Acceptable project licenses (uses):
  Apache-2.0 (3)
  BSD-2-Clause (1)
  BSD-3-Clause (1)
  CC-BY-3.0 (1)
  CC0-1.0 (1)
  ISC (16)
  MIT (25)

Acceptable project license exceptions:
  [email protected]
    Reason: Public Domain; see https://github.com/kemitchell/spdx-exceptions.json

Problems with the licenses for these dependencies:
  [email protected]
    License:     CC0-1.0
    Repository:  https://github.com/shinnn/spdx-license-ids
    Publisher:   Shinnosuke Watanabe
    Url:         https://github.com/shinnn


Licenses not ok Licensed (46) Exceptions (1) Problems (1)

apache2-license-checker's People

Contributors

johnbeech, nobleemutea, thomascgray


apache2-license-checker's Issues

Error when running `apache2-license-checker`

Tried running against https://github.com/bbc/simorgh.

$ apache2-license-checker
Checked for local license-exceptions.json; but no file was found.
/Users/ashtoc03/Sites/bbc/simorgh/node_modules/@bbc/apache2-license-checker/scripts/check-licenses.js:16
  return exceptions[key] || exceptions[anyVersionKey]
                   ^

TypeError: Cannot read property '[email protected]' of undefined
    at inExceptionList (/Users/ashtoc03/Sites/bbc/simorgh/node_modules/@bbc/apache2-license-checker/scripts/check-licenses.js:16:20)
    at Object.keys.forEach (/Users/ashtoc03/Sites/bbc/simorgh/node_modules/@bbc/apache2-license-checker/scripts/check-licenses.js:34:25)
    at Array.forEach (<anonymous>)
    at checkLicenses (/Users/ashtoc03/Sites/bbc/simorgh/node_modules/@bbc/apache2-license-checker/scripts/check-licenses.js:28:25)
    at ChildProcess.command.on (/Users/ashtoc03/Sites/bbc/simorgh/node_modules/@bbc/apache2-license-checker/run.js:23:3)
    at emitTwo (events.js:126:13)
    at ChildProcess.emit (events.js:214:7)
    at maybeClose (internal/child_process.js:925:16)
    at Socket.stream.socket.on (internal/child_process.js:346:11)
    at emitOne (events.js:116:13)

Generic license compatibility checker?

Following on from #5 (comment), if we're expanding the API to take an exceptions.js, does it make sense to expose the whitelist.js as an overridable parameter too?

However, I think the value in apache2-license-checker vs something like license-checker or npm-license-crawler is that it's opinionated. tldrlegal (on top of legally) attempts to provide some legal clarity to license usage, but may not be quite what we're looking for.

Looking at it with naive eyes, I'd imagine the most useful functionality would be to lose the whitelist and to simply specify what license we need to comply to (e.g. --license=MIT), and the tool would then parse the licenses of your dependencies and be opinionated about which licenses are compatible with which.

...at which point, this becomes a generic license checker and would probably want renaming from apache2-license-checker to something like license-compatibility-checker?

Has this conversation been had already? I'd be interested to hear your thoughts!

Whitelist licenses used by spdx-exceptions and spdx-license-ids

I think the CC-BY-3.0 and CC0-1.0 licenses should be whitelisted:

This is in line with the suggestion of removing the exceptions list #5

  [email protected]
    License:     CC-BY-3.0
    Repository:  https://github.com/kemitchell/spdx-exceptions.json
    Publisher:   The Linux Foundation
    Url:         undefined

  [email protected]
    License:     CC0-1.0
    Repository:  https://github.com/shinnn/spdx-license-ids
    Publisher:   Shinnosuke Watanabe
    Url:         https://github.com/shinnn

Two requirements of this project fail the license checker - causing noise on the output

The same two dependencies appear each time I run the license checker. Using npm ls I determined these were dependencies of the license checker itself.

  [email protected]
    License:     undefined
    Repository:  https://github.com/kemitchell/spdx-exceptions.json
    Publisher:   The Linux Foundation
    Url:         undefined

  [email protected]
    License:     undefined
    Repository:  https://github.com/shinnn/spdx-license-ids
    Publisher:   Shinnosuke Watanabe
    Url:         https://github.com/shinnn

$ npm ls spdx-exceptions
[email protected] /Users/bradim02/workspace/act-client
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └─┬ [email protected]
            └─┬ [email protected]
              └── [email protected] 
$ npm ls spdx-license-ids
[email protected] /Users/bradim02/workspace/act-client
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └─┬ [email protected]
            ├─┬ [email protected]
            │ └── [email protected] 
            └─┬ [email protected]
              └── [email protected]  deduped

Remove exception list, make exceptions optional

With reference to the Licence Dependency Aggregator tool:
https://github.com/bbc/licence-dependency-aggregator

I spoke with @RichardTribe and we agreed that there are separate valid use cases for an external analysis tool, and an integrated pipeline tool (this checker) that are strongly opinionated about correct and valid licenses to use with a project.

However, maintaining an exception list makes no sense - it should be down to the user of the library which exceptions they want to make, and not maintained as part of this tool.
