pilosus / pip-license-checker

Check license types for third-party dependencies: permissive, copyleft, proprietary, etc.
https://blog.pilosus.org/posts/2021/09/07/pip-license-checker/

Cannot get package meta when requirement file uses git+https #107

Closed 0ssigeno closed 2 years ago

0ssigeno commented 2 years ago

To reproduce:

  1. Create a requirements.txt

    git+https://github.com/jazzband/django-silk.git

  2. Pass it to the checker and get an error

    lein run --requirements requirements.txt
    git+https://github.com/jazzband/django-silk.git                    Error                                                   Error

pilosus commented 2 years ago

Hey, thanks for raising this.

Unfortunately, the checker doesn't support license name fetching for packages outside of the PyPI package index, as the checker relies heavily on the PyPI JSON API.

In your case you need some sort of third-party tool to fetch the license name from the package's local meta first, and then pass it to the license checker.

This is how it can be done with pip-licenses:

    # 1. Install the packages you want to check licenses for (in a venv, Docker, whatever)
    $ pip install -r requirements.txt

    # 2. Install the pip-licenses tool
    $ pip install -U pip-licenses

    # 3. Dump packages/licenses as a CSV file (columns: Name, Version, License)
    $ pip-licenses --with-system --format=csv > ~/pip-licenses.csv

    # 4. Pass the CSV file to the checker
    $ lein run --external ~/pip-licenses.csv --external-format=csv --external-options '{:package-column-index 0 :license-column-index 2}'

Hope that helps.

Cheers
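
An added example, not part of the original thread and not code from pip-license-checker or pip-licenses: a small Python script that reads license names from the metadata of locally installed packages (which includes packages installed from `git+https` URLs) and writes a CSV with the package name in column 0 and the license in column 2, matching the `--external-options` shown above. The lookup order (License-Expression, then `License ::` classifiers, then the License field), the function names and the sample metadata are assumptions of this example.

```python
import csv
import io
from email import message_from_string
from importlib import metadata

# Constructed METADATA contents for hypothetical packages (demo input only).
SAMPLE = [
    "Name: example-vcs-pkg\nVersion: 1.0\nLicense: UNKNOWN\n"
    "Classifier: License :: OSI Approved :: MIT License\n\n",
    "Name: example-no-license\nVersion: 0.3\n\n",
]

def license_from_metadata(meta):
    """Pick a license name from core metadata (lookup order is this example's choice)."""
    expr = (meta.get("License-Expression") or "").strip()
    if expr:
        return expr
    names = [c.split(" :: ")[-1] for c in meta.get_all("Classifier") or []
             if c.startswith("License :: ")]
    if names:
        return "; ".join(names)
    text = (meta.get("License") or "").strip()
    # Some packages put the whole license text here; keep the first line only.
    if text and text.upper() != "UNKNOWN":
        return text.splitlines()[0]
    return "UNKNOWN"

def to_csv(metas):
    """Render Name,Version,License rows: package in column 0, license in column 2."""
    rows = sorted((m.get("Name") or "", m.get("Version") or "", license_from_metadata(m))
                  for m in metas)
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(("Name", "Version", "License"))
    writer.writerows(rows)
    return buf.getvalue()

def sample_csv():
    """CSV built from the constructed SAMPLE metadata above."""
    return to_csv(message_from_string(s) for s in SAMPLE)

def installed_csv():
    """CSV for every distribution installed in the current environment."""
    return to_csv(dist.metadata for dist in metadata.distributions())

if __name__ == "__main__":
    print(installed_csv(), end="")
```

Packages that declare no license at all come out as `UNKNOWN`, so they stay visible in the report instead of being dropped.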

0ssigeno commented 2 years ago

Thank you for the detailed answer! I hoped that this could have been supported in the action itself, so that a user could just import this action in their own CI and be done, but I can see the technical issues that this would involve.

Closing the issue, since there is a solution for this problem.