Open tiagobento opened 1 year ago
From the root of kie-tools:
license-checker --csv
"module name","license","repository"
"@babel/core@7.16.12","MIT","https://github.com/babel/babel"
"@babel/preset-env@7.16.11","MIT","https://github.com/babel/babel"
"@eslint/eslintrc@0.4.1","MIT","https://github.com/eslint/eslintrc"
"@kie-tools-scripts/bootstrap@0.0.0","UNLICENSED",""
"@kie-tools-scripts/build-env@0.0.0","Apache-2.0","https://github.com/kiegroup/kie-tools"
"@kie-tools-scripts/check-junit-report-results@0.0.0","UNLICENSED",""
"@kie-tools-scripts/run-script-if@0.0.0","Apache-2.0","https://github.com/kiegroup/kie-tools"
"@kie-tools-scripts/sparse-checkout@0.0.0","UNLICENSED",""
"@kie-tools-scripts/update-version@0.0.0","UNLICENSED",""
"@nice-move/prettier-plugin-package-json@0.6.1","MIT","https://github.com/nice-move/prettier-plugin-package-json"
"@pnpm/filter-workspace-packages@5.0.27","MIT","https://github.com/pnpm/pnpm/blob/main/packages/filter-workspace-packages"
"@pnpm/find-workspace-packages@4.0.27","MIT","https://github.com/pnpm/pnpm/blob/main/packages/find-workspace-packages"
"@pnpm/logger@4.0.0","MIT","https://github.com/pnpm/logger"
"@types/eslint-scope@3.7.3","MIT","https://github.com/DefinitelyTyped/DefinitelyTyped"
"@types/eslint@7.2.10","MIT","https://github.com/DefinitelyTyped/DefinitelyTyped"
"@types/node@18.13.0","MIT","https://github.com/DefinitelyTyped/DefinitelyTyped"
"@types/prettier@2.2.3","MIT","https://github.com/DefinitelyTyped/DefinitelyTyped"
"@typescript-eslint/eslint-plugin@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/experimental-utils@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/parser@4.24.0","BSD-2-Clause","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/scope-manager@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/types@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/typescript-estree@4.24.0","BSD-2-Clause","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/visitor-keys@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"eslint-config-prettier@8.3.0","MIT","https://github.com/prettier/eslint-config-prettier"
"eslint-plugin-react-hooks@4.2.0","MIT","https://github.com/facebook/react"
"eslint-plugin-react@7.23.2","MIT","https://github.com/yannickcr/eslint-plugin-react"
"eslint-scope@5.1.1","BSD-2-Clause","https://github.com/eslint/eslint-scope"
"eslint-utils@2.1.0","MIT","https://github.com/mysticatea/eslint-utils"
"eslint-visitor-keys@2.1.0","Apache-2.0","https://github.com/eslint/eslint-visitor-keys"
"eslint@7.26.0","MIT","https://github.com/eslint/eslint"
"fast-xml-parser@4.1.2","MIT","https://github.com/NaturalIntelligence/fast-xml-parser"
"filemanager-webpack-plugin@7.0.0","MIT","https://github.com/gregnb/filemanager-webpack-plugin"
"graph-data-structure@2.0.0","MIT","https://github.com/datavis-tech/graph-data-structure"
"graphviz@0.0.9","GPL-3.0","https://github.com/glejeune/node-graphviz"
"husky@6.0.0","MIT","https://github.com/typicode/husky"
"jest-junit@14.0.0","Apache-2.0","https://github.com/jest-community/jest-junit"
"jest@26.6.3","MIT","https://github.com/facebook/jest"
"kie-tools-root@0.0.0","UNLICENSED",""
"markdown-table@3.0.2","MIT","https://github.com/wooorm/markdown-table"
"postinstall-postinstall@2.1.0","MIT","https://github.com/ds300/postinstall-postinstall"
"prettier@2.3.0","MIT","https://github.com/prettier/prettier"
"pretty-quick@3.1.0","MIT","https://github.com/azz/pretty-quick"
"rimraf@3.0.2","ISC","https://github.com/isaacs/rimraf"
"run-script-os@1.1.6","MIT","https://github.com/charlesguse/run-script-os"
"typescript@4.5.4","Apache-2.0","https://github.com/Microsoft/TypeScript"
"yargs@17.3.1","MIT","https://github.com/yargs/yargs"
There's a lot more.... working on those.
Surprisingly, the only dependency that I have found that's a problem for us is node-graphviz. It says MIT in the repo, the package.json file says GPL-3, and there is one file that contains a GPL-3 header.
You can run the same thing I did using some bash and https://www.npmjs.com/package/license-checker
MEND gives us what we need. I suggest we use MEND going forward.
@LightGuard @porcelli Not sure who should be reviewing this.
@LightGuard do we have at least a list based on current codebase of the libraries that we need work to replace?
@LightGuard I can review.. but I'm going to need instructions on where to look.
Understood. I'll get those instructions to you.
On Tue, Apr 4, 2023 at 10:11 AM Tiago Bento @.***> wrote:
@LightGuard I can review.. but I'm going to need instructions on where to look.
-- Jason Porter http://en.gravatar.com/lightguardjp
@LightGuard @porcelli FYI, Mend has a utility to export found licenses in Excel:
IBM_Business_Automation_Manager_Open_Editions_kie-tools-inventory-report_Page_1.xlsx
@gitgabrio Would you like to manage this one? I never figured out how to get the right permissions to MEND. We'll need it for Apache. Of course, there seem to be a lot of duplications in the spreadsheet, but we can get that figured out.
@LightGuard What exactly would be required? There is already a bit of code in our pipeline that downloads all the licenses for a given repo. I also have a Postman script to do that. Sad note: just today we found out that the kie-tools repo/dashboard has some issue
@gitgabrio What we really need to know is whether we have any dependencies we ship the source code for (probably JavaScript) that are in category B (so we can document them) and anything in category X (we need to find replacements). The categories can be found at https://www.apache.org/legal/resolved.html
@LightGuard Here's kie-tools-9 inventory, with artifact type, license, etc... kietools-9-inventory.xlsx
Done? :D
There are several items listed as "Requires Review." We'll need to get those sorted out. A quick check looked like many of those are our jars, but we'll need to ensure we have those licenses figured out, but this is a great start. I wouldn't call it finished just yet though.
What is remaining on this task?
From an Apache perspective, we need to know if the licenses we're using are Category A, B, or X. If there are any Category X, we need to find alternatives.
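An added example, not part of the original thread or the kie-tools code base: one way to bucket `license-checker --csv` output into the ASF categories discussed above. The category table is an abbreviated, illustrative subset that must be checked against https://www.apache.org/legal/resolved.html, and the two `example-*` rows in the sample are constructed.

```javascript
// Abbreviated, illustrative SPDX id -> ASF category map (assumption: verify
// every entry against https://www.apache.org/legal/resolved.html).
const ASF_CATEGORY = {
  "Apache-2.0": "A", "MIT": "A", "ISC": "A", "BSD-2-Clause": "A", "BSD-3-Clause": "A",
  "EPL-2.0": "B", "MPL-2.0": "B", "CDDL-1.1": "B",
  "GPL-2.0": "X", "GPL-3.0": "X", "AGPL-3.0": "X", "LGPL-2.1": "X", "LGPL-3.0": "X",
};

// Split one fully quoted CSV line ("a","b","c") into its fields.
function parseCsvLine(line) {
  const fields = [];
  const re = /"((?:[^"]|"")*)"(?:,|$)/g;
  let m;
  while ((m = re.exec(line)) !== null) fields.push(m[1].replace(/""/g, '"'));
  return fields;
}

// Return "A", "B", "X" or "REVIEW" for one license string.
function classify(license) {
  if (!license || license === "UNLICENSED" || license === "UNKNOWN") return "REVIEW";
  // license-checker appends '*' when it guessed the license from a file
  // other than package.json, so a human should confirm it.
  if (license.endsWith("*")) return "REVIEW";
  // "(X OR Y)" lets the consumer pick one license, so the most permissive
  // known alternative wins. AND expressions and unknown ids go to REVIEW.
  const ids = license.replace(/[()]/g, "").split(/\s+OR\s+/);
  const cats = ids.map((id) => ASF_CATEGORY[id] || "REVIEW");
  for (const c of ["A", "B", "REVIEW", "X"]) if (cats.includes(c)) return c;
  return "REVIEW";
}

// Group module names by category, skipping the CSV header row.
function report(csv) {
  const out = { A: [], B: [], X: [], REVIEW: [] };
  for (const line of csv.trim().split("\n").slice(1)) {
    const [name, license] = parseCsvLine(line);
    out[classify(license)].push(name);
  }
  return out;
}

// Sample input: four rows copied from the output above, two constructed rows.
const SAMPLE = `"module name","license","repository"
"eslint-scope@5.1.1","BSD-2-Clause","https://github.com/eslint/eslint-scope"
"graphviz@0.0.9","GPL-3.0","https://github.com/glejeune/node-graphviz"
"kie-tools-root@0.0.0","UNLICENSED",""
"typescript@4.5.4","Apache-2.0","https://github.com/Microsoft/TypeScript"
"example-dual@1.0.0","(MIT OR GPL-3.0)","https://example.invalid/dual"
"example-epl@1.0.0","EPL-2.0","https://example.invalid/epl"`;
console.log(report(SAMPLE));
```

The classification only reflects the license string the tool reports; a package whose repository, `package.json` and file headers disagree, as described for node-graphviz above, still needs a manual look.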
I'm good to move this to done. We can reopen or create a new ticket if we need to address this again for an ASF release.
Due to the Apache move and productization process, we need to know the licenses of all our dependencies on kie-tools.
Open questions: