IBM / bamoe-issues

This is a repository to track IBM work (Issues and Project) with the KIE community!
Apache License 2.0

Create a spreadsheet of all dependencies on `kie-tools` with their respective licenses #24

Open tiagobento opened 1 year ago

tiagobento commented 1 year ago

Due to the Apache move and productization process, we need to know the licenses of all our dependencies on kie-tools.

Open questions:

LightGuard commented 1 year ago

https://www.apache.org/legal/resolved.html

LightGuard commented 1 year ago

From the root of kie-tools:

```
license-checker --csv
"module name","license","repository"
"@babel/core@7.16.12","MIT","https://github.com/babel/babel"
"@babel/preset-env@7.16.11","MIT","https://github.com/babel/babel"
"@eslint/eslintrc@0.4.1","MIT","https://github.com/eslint/eslintrc"
"@kie-tools-scripts/bootstrap@0.0.0","UNLICENSED",""
"@kie-tools-scripts/build-env@0.0.0","Apache-2.0","https://github.com/kiegroup/kie-tools"
"@kie-tools-scripts/check-junit-report-results@0.0.0","UNLICENSED",""
"@kie-tools-scripts/run-script-if@0.0.0","Apache-2.0","https://github.com/kiegroup/kie-tools"
"@kie-tools-scripts/sparse-checkout@0.0.0","UNLICENSED",""
"@kie-tools-scripts/update-version@0.0.0","UNLICENSED",""
"@nice-move/prettier-plugin-package-json@0.6.1","MIT","https://github.com/nice-move/prettier-plugin-package-json"
"@pnpm/filter-workspace-packages@5.0.27","MIT","https://github.com/pnpm/pnpm/blob/main/packages/filter-workspace-packages"
"@pnpm/find-workspace-packages@4.0.27","MIT","https://github.com/pnpm/pnpm/blob/main/packages/find-workspace-packages"
"@pnpm/logger@4.0.0","MIT","https://github.com/pnpm/logger"
"@types/eslint-scope@3.7.3","MIT","https://github.com/DefinitelyTyped/DefinitelyTyped"
"@types/eslint@7.2.10","MIT","https://github.com/DefinitelyTyped/DefinitelyTyped"
"@types/node@18.13.0","MIT","https://github.com/DefinitelyTyped/DefinitelyTyped"
"@types/prettier@2.2.3","MIT","https://github.com/DefinitelyTyped/DefinitelyTyped"
"@typescript-eslint/eslint-plugin@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/experimental-utils@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/parser@4.24.0","BSD-2-Clause","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/scope-manager@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/types@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/typescript-estree@4.24.0","BSD-2-Clause","https://github.com/typescript-eslint/typescript-eslint"
"@typescript-eslint/visitor-keys@4.24.0","MIT","https://github.com/typescript-eslint/typescript-eslint"
"eslint-config-prettier@8.3.0","MIT","https://github.com/prettier/eslint-config-prettier"
"eslint-plugin-react-hooks@4.2.0","MIT","https://github.com/facebook/react"
"eslint-plugin-react@7.23.2","MIT","https://github.com/yannickcr/eslint-plugin-react"
"eslint-scope@5.1.1","BSD-2-Clause","https://github.com/eslint/eslint-scope"
"eslint-utils@2.1.0","MIT","https://github.com/mysticatea/eslint-utils"
"eslint-visitor-keys@2.1.0","Apache-2.0","https://github.com/eslint/eslint-visitor-keys"
"eslint@7.26.0","MIT","https://github.com/eslint/eslint"
"fast-xml-parser@4.1.2","MIT","https://github.com/NaturalIntelligence/fast-xml-parser"
"filemanager-webpack-plugin@7.0.0","MIT","https://github.com/gregnb/filemanager-webpack-plugin"
"graph-data-structure@2.0.0","MIT","https://github.com/datavis-tech/graph-data-structure"
"graphviz@0.0.9","GPL-3.0","https://github.com/glejeune/node-graphviz"
"husky@6.0.0","MIT","https://github.com/typicode/husky"
"jest-junit@14.0.0","Apache-2.0","https://github.com/jest-community/jest-junit"
"jest@26.6.3","MIT","https://github.com/facebook/jest"
"kie-tools-root@0.0.0","UNLICENSED",""
"markdown-table@3.0.2","MIT","https://github.com/wooorm/markdown-table"
"postinstall-postinstall@2.1.0","MIT","https://github.com/ds300/postinstall-postinstall"
"prettier@2.3.0","MIT","https://github.com/prettier/prettier"
"pretty-quick@3.1.0","MIT","https://github.com/azz/pretty-quick"
"rimraf@3.0.2","ISC","https://github.com/isaacs/rimraf"
"run-script-os@1.1.6","MIT","https://github.com/charlesguse/run-script-os"
"typescript@4.5.4","Apache-2.0","https://github.com/Microsoft/TypeScript"
"yargs@17.3.1","MIT","https://github.com/yargs/yargs"
```

LightGuard commented 1 year ago

There's a lot more.... working on those.

LightGuard commented 1 year ago

Surprisingly, the only dependency that I have found that's a problem for us is node-graphviz. It says MIT in the repo, the package.json file says GPL-3, and there is one file that contains a GPL-3 header.

LightGuard commented 1 year ago

You can run the same thing I did using some bash and https://www.npmjs.com/package/license-checker

LightGuard commented 1 year ago

MEND gives us what we need. I suggest we use MEND going forward.

LightGuard commented 1 year ago

@LightGuard @porcelli Not sure who should be reviewing this.

porcelli commented 1 year ago

@LightGuard do we have at least a list based on current codebase of the libraries that we need work to replace?

tiagobento commented 1 year ago

@LightGuard I can review.. but I'm going to need instructions on where to look.

LightGuard commented 1 year ago

Understood. I'll get those instructions to you.

On Tue, Apr 4, 2023 at 10:11 AM Tiago Bento @.***> wrote:

> @LightGuard I can review.. but I'm going to need instructions on where to look.

-- Jason Porter http://en.gravatar.com/lightguardjp

gitgabrio commented 1 year ago

@LightGuard @porcelli FYI, Mend has a utility to export found licenses in Excel:

IBM_Business_Automation_Manager_Open_Editions_kie-tools-inventory-report_Page_1.xlsx

LightGuard commented 1 year ago

@gitgabrio Would you like to manage this one? I never figured out how to get the right permissions to MEND. We'll need it for Apache. Of course, there seem to be a lot of duplications in the spreadsheet, but we can get that figured out.

gitgabrio commented 1 year ago

@LightGuard What exactly would be required? There is already some code bit, in our pipeline, that downloads all the licences for a given repo. I also have some postman script to do that. Sad note: just today we found out that the kie-tools repo/dashboard has some issue.

LightGuard commented 1 year ago

@gitgabrio What we really need to know is if we have any dependencies we ship the source code for (probably JavaScript) that are in category B (so we can document them) and anything in category X (we need to find replacements). The categories can be found at https://www.apache.org/legal/resolved.html

gitgabrio commented 1 year ago

@LightGuard Here's kie-tools-9 inventory, with artifact type, license, etc... kietools-9-inventory.xlsx

tiagobento commented 11 months ago

Done? :D

LightGuard commented 11 months ago

There are several items listed as "Requires Review." We'll need to get those sorted out. A quick check looked like many of those are our jars, but we'll need to ensure we have those licenses figured out, but this is a great start. I wouldn't call it finished just yet though.

eduardocerqueira commented 10 months ago

What is remaining on this task?

LightGuard commented 10 months ago

From an Apache perspective, we need to know if the licenses we're using are Category A, B, or X. If there are any Category X, we need to find alternatives.
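
An added example, not part of the original thread or the kie-tools code base: a Node.js script that sorts `license-checker --csv` rows into the ASF categories referred to above and sends anything it does not recognise to manual review. The category table is an abridged subset written for illustration, and `classify`, `parseCsvLine` and `splitModule` are hypothetical helper names; the sample rows are copied from the output earlier in the thread.

```javascript
// Abridged, hand-written subset of https://www.apache.org/legal/resolved.html
// (assumption: extend it from the ASF page before relying on the result).
const ASF_CATEGORY = new Map(Object.entries({
  "Apache-2.0": "A", "MIT": "A", "ISC": "A", "BSD-2-Clause": "A", "BSD-3-Clause": "A",
  "MPL-2.0": "B", "EPL-2.0": "B", "CDDL-1.0": "B",
  "GPL-2.0": "X", "GPL-3.0": "X", "LGPL-3.0": "X", "AGPL-3.0": "X",
}));

// Parse one CSV line whose fields are all double-quoted ("" escapes a quote).
function parseCsvLine(line) {
  const fields = [];
  const re = /"((?:[^"]|"")*)"/g;
  let m;
  while ((m = re.exec(line)) !== null) fields.push(m[1].replace(/""/g, '"'));
  return fields;
}

// Split "name@version"; scoped packages start with "@", so cut at the last "@".
function splitModule(id) {
  const at = id.lastIndexOf("@");
  return { name: id.slice(0, at), version: id.slice(at + 1) };
}

// Returns { A: [...], B: [...], X: [...], review: [...] } of {name, version, license}.
function classify(csvText) {
  const report = { A: [], B: [], X: [], review: [] };
  for (const line of csvText.trim().split(/\r?\n/).slice(1)) { // skip header row
    const [id, license] = parseCsvLine(line);
    // Anything not in the table (UNLICENSED, SPDX expressions, custom text)
    // goes to manual review instead of being guessed at.
    const category = ASF_CATEGORY.get(license) ?? "review";
    report[category].push({ ...splitModule(id), license });
  }
  return report;
}

// Rows copied from the license-checker output earlier in this thread.
const SAMPLE = `"module name","license","repository"
"@babel/core@7.16.12","MIT","https://github.com/babel/babel"
"@kie-tools-scripts/bootstrap@0.0.0","UNLICENSED",""
"@typescript-eslint/parser@4.24.0","BSD-2-Clause","https://github.com/typescript-eslint/typescript-eslint"
"graphviz@0.0.9","GPL-3.0","https://github.com/glejeune/node-graphviz"
"rimraf@3.0.2","ISC","https://github.com/isaacs/rimraf"
"typescript@4.5.4","Apache-2.0","https://github.com/Microsoft/TypeScript"`;

const report = classify(SAMPLE);
console.log("Category X (find a replacement):", report.X);
console.log("Needs manual review:", report.review);
```

The declared license is only what `package.json` says; as with node-graphviz in this thread, the repository and file headers can disagree with it, so a Category X or review hit still needs a person to look at the source.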

LightGuard commented 7 months ago

I'm good to move this to done. We can reopen or create a new ticket if we need to address this again for an ASF release.