tortellini-tools / action

GH action to check dependency licence issues using ort
https://github.com/marketplace/actions/tortellini-action
Apache License 2.0

deplic #16

Closed sverhoeven closed 3 years ago

sverhoeven commented 3 years ago

https://github.com/abduhbm/dep-license aka deplic

  1. describes pros and cons of the tool.
    • Pros:
      • No installation needed, so quick
      • Only checks direct dependencies
    • Cons:
      • Does not return compliance
      • Does not detect license of software itself
      • Only checks pip deps in conda.yml
      • Only does Python / PyPI
  2. answers the following questions:
    1. Does the tool work based on a (list of) URL(s) or do you need a local copy?
      • Yes, can use git url or local dir
    2. Does the tool depend on an existing installation of the software in order to do the analysis?
      • Nope, parses dependency file and uses pypi api to get license name + classifier
    3. Show example of the kind of feedback the tool returns about compliance
      • Only lists found deps with their license
    4. Provide a list of (dependency file, software registry) combinations that the tool supports, e.g.:
      • requirements.txt - PyPI
      • Pipfile - PyPI
      • Pipfile.lock - PyPI
      • setup.cfg - PyPI
      • setup.py - PyPI
      • conda.yml:dependencies:pip - PyPI
    5. Can the tool handle dependencies that have multiple licenses?
      • If dep has multiple license classifiers then concat, see docutils in howfairis
    6. Does the tool differentiate between runtime and other sets of dependencies? Or, can it be forced to check runtime only?
      • Nope, will combine install, setup and extras. Cannot be forced to return just runtime.
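
The two gaps the list above names (deplic returns no compliance verdict, and a package can carry several licence classifiers that just get concatenated) are easy to close once the PyPI metadata is in hand. The following is an added example, not deplic's own code and not the project's: it rebuilds deplic's Meta/Classifier columns from PyPI-style `info` objects (constructed samples, shaped like the JSON API response) and then applies an allow-list verdict on top. It treats a disagreement between the free-text `license` field and the classifiers, which the tool's output shows for pytest-cov later in this thread, as a case for manual review rather than silently trusting either field.

```python
"""Added example, not deplic's own code: build the Meta/Classifier columns
deplic prints from PyPI-style metadata, then add the compliance verdict that
deplic does not return. The metadata samples below are constructed."""
import re

# Constructed samples shaped like the "info" object returned by the PyPI
# JSON API (https://pypi.org/pypi/<name>/json). Values are illustrative.
SAMPLE_PYPI_INFO = {
    "requests": {
        "license": "Apache 2.0",
        "classifiers": ["License :: OSI Approved :: Apache Software License"],
    },
    "docutils": {  # several licences: deplic concatenates the classifiers
        "license": "public domain, Python, 2-Clause BSD, GPL 3 (see COPYING.txt)",
        "classifiers": [
            "License :: Public Domain",
            "License :: OSI Approved :: BSD License",
            "License :: OSI Approved :: GNU General Public License (GPL)",
        ],
    },
    "twine": {  # empty free-text field, classifier only
        "license": "",
        "classifiers": ["License :: OSI Approved :: Apache Software License"],
    },
    "pytest-cov": {  # free text and classifier disagree
        "license": "MIT",
        "classifiers": ["License :: OSI Approved :: BSD License"],
    },
    "mystery": {"license": "", "classifiers": []},  # no licence data at all
}

# Licence families recognised in free text or classifiers. LGPL is listed
# before GPL, and the GPL pattern excludes "Lesser General Public License",
# so the two are not confused.
FAMILY_PATTERNS = [
    ("LGPL", re.compile(r"\bLGPL|Lesser General Public", re.I)),
    ("GPL", re.compile(r"\bA?GPL|(?<!Lesser )General Public License", re.I)),
    ("MPL", re.compile(r"\bMPL|Mozilla Public", re.I)),
    ("Apache", re.compile(r"Apache", re.I)),
    ("BSD", re.compile(r"\bBSD", re.I)),
    ("MIT", re.compile(r"\bMIT\b|Expat", re.I)),
    ("PSF", re.compile(r"\bPSF\b|Python Software Foundation", re.I)),
    ("Public Domain", re.compile(r"public domain", re.I)),
]


def license_columns(info):
    """Reproduce deplic's two columns: the free-text 'license' field (Meta)
    and every 'License ::' classifier with the prefix dropped, joined with
    ';' (Classifier)."""
    meta = (info.get("license") or "").strip()
    classifiers = [
        c[len("License :: "):].replace(" :: ", "::")
        for c in info.get("classifiers", [])
        if c.startswith("License :: ")
    ]
    return meta, ";".join(classifiers)


def license_families(text):
    """Map free text or classifier text to the set of licence families it names."""
    return {family for family, pat in FAMILY_PATTERNS if pat.search(text)}


def verdict(info, allowed):
    """Compliance decision for one package against an allow-list of families:
    'unknown' when no licence data exists, 'review' when the two PyPI fields
    disagree or a multi-licensed package mixes allowed and disallowed
    families, 'allowed' or 'denied' otherwise."""
    meta, classifier = license_columns(info)
    from_meta, from_cls = license_families(meta), license_families(classifier)
    if from_meta and from_cls and not (from_meta & from_cls):
        return "review"
    families = from_meta | from_cls
    if not families:
        return "unknown"
    if families <= allowed:
        return "allowed"
    return "review" if families & allowed else "denied"


def compliance_report(packages, allowed):
    """Verdict per package name; the caller decides whether 'review' or
    'unknown' should fail a build."""
    return {name: verdict(info, allowed) for name, info in packages.items()}


if __name__ == "__main__":
    permissive = {"MIT", "BSD", "Apache", "PSF", "Public Domain"}
    for name, result in compliance_report(SAMPLE_PYPI_INFO, permissive).items():
        print(f"{name:12s} {result}")
```

The allow-list is deliberately a set of coarse families rather than exact SPDX identifiers, because the free-text field on PyPI is unstructured ("Expat license", "Apache-2", "MIT license" all appear in the output below); anything that cannot be mapped to a family ends up as `unknown`, which is the safe default for a supply-chain gate.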
sverhoeven commented 3 years ago

howfairis

```
deplic -f csv  https://github.com/fair-software/howfairis.git
Found dependencies: 24

Name,Meta,Classifier
sphinx-rtd-theme,MIT,OSI Approved::MIT License
docutils,public domain, Python, 2-Clause BSD, GPL 3 (see COPYING.txt),Public Domain
sphinx-click,MIT License,OSI Approved::MIT License
twine,,OSI Approved::Apache Software License
prospector,GPLv2,OSI Approved::GNU General Public License v2 or later (GPLv2+)
bumpversion,MIT,OSI Approved::MIT License
recommonmark,MIT,OSI Approved::MIT License
requests,Apache 2.0,OSI Approved::Apache Software License
pytest-runner,,OSI Approved::MIT License
pycodestyle,Expat license,OSI Approved::MIT License
backoff,MIT,OSI Approved::MIT License
pygments,BSD License,OSI Approved::BSD License
voluptuous,BSD,OSI Approved::BSD License
sphinx,BSD,OSI Approved::BSD License
ruamel.yaml,MIT license,OSI Approved::MIT License
colorama,BSD,OSI Approved::BSD License
pytest-cov,MIT,OSI Approved::BSD License
wheel,MIT,OSI Approved::MIT License
pytest,MIT,OSI Approved::MIT License
requests-mock,Apache-2,OSI Approved::Apache Software License
ratelimit,MIT,OSI Approved::MIT License
click,BSD-3-Clause,OSI Approved::BSD License
beautifulsoup4,MIT,OSI Approved::MIT License
yapf,Apache License, Version 2.0,OSI Approved::Apache Software License
```

List from setup.py from install_requires and all extras_require dicts

sverhoeven commented 3 years ago

Sygma requires RDKit to be installed.

```
deplic https://github.com/3D-e-Chem/sygma.git
run_setup: RDKit with INCHI support is required
Found dependencies: 4
```

| Name             | Meta     | Classifier                                                        |
|------------------|----------|-------------------------------------------------------------------|
| nose             | GNU LGPL | OSI Approved::GNU Library or Lesser General Public License (LGPL) |
| sphinx-argparse  | MIT      | OSI Approved::MIT License                                         |
| sphinx_rtd_theme | MIT      | OSI Approved::MIT License                                         |
| sphinx           | BSD      | OSI Approved::BSD License                                         |

It tried to run setup.py, but failed and used requirements.txt instead.

sverhoeven commented 3 years ago

zenodo-upload

```
deplic https://github.com/iomega/zenodo-upload.git
no dependencies found
```

Does not understand package.json

sverhoeven commented 3 years ago

Test on https://github.com/eWaterCycle/ewatercycle needs conda install before setup.py

```
deplic -f pipe https://github.com/eWaterCycle/ewatercycle.git
Found dependencies: 22
```

| Name                     | Meta                        | Classifier                                                    |
|:-------------------------|:----------------------------|:--------------------------------------------------------------|
| pytest-cov               | MIT                         | OSI Approved::BSD License                                     |
| prospector               | GPLv2                       | OSI Approved::GNU General Public License v2 or later (GPLv2+) |
| yapf                     | Apache License, Version 2.0 | OSI Approved::Apache Software License                         |
| pytest-runner            |                             | OSI Approved::MIT License                                     |
| sphinx-rtd-theme         | MIT                         | OSI Approved::MIT License                                     |
| hydrostats               | MIT                         |                                                               |
| esmvaltool               | Apache License, Version 2.0 | OSI Approved::Apache Software License                         |
| isort                    | MIT                         | OSI Approved::MIT License                                     |
| recommonmark             | MIT                         | OSI Approved::MIT License                                     |
| numpy                    | BSD                         | OSI Approved::BSD License                                     |
| deepdiff                 | MIT                         | OSI Approved::MIT License                                     |
| sphinx                   | BSD                         | OSI Approved::BSD License                                     |
| pytest                   | MIT                         | OSI Approved::MIT License                                     |
| pyoos                    | GPLv3                       | OSI Approved::GNU General Public License v3 (GPLv3)           |
| basic-modeling-interface | MIT                         | OSI Approved::MIT License                                     |
| pytest-mypy              | MIT                         | OSI Approved::MIT License                                     |
| xarray                   | Apache                      | OSI Approved::Apache Software License                         |
| grpc4bmi                 | Apache License, Version 2.0 | OSI Approved::Apache Software License                         |
| pandas                   | BSD                         |                                                               |
| matplotlib               | PSF                         | OSI Approved::Python Software Foundation License              |
| pycodestyle              | Expat license               | OSI Approved::MIT License                                     |
| ruamel.yaml              | MIT license                 | OSI Approved::MIT License                                     |

Again list from setup.py from install_requires and all extras_require

sverhoeven commented 3 years ago

Matchms

```
git clone --depth 1 https://github.com/matchms/matchms.git
deplic matchms/
Found dependencies: 19
```

| Name                 | Meta                                               | Classifier                                                    |
|----------------------|----------------------------------------------------|---------------------------------------------------------------|
| pytest-cov           | MIT                                                | OSI Approved::BSD License                                     |
| yapf                 | Apache License, Version 2.0                        | OSI Approved::Apache Software License                         |
| scipy                | BSD                                                | OSI Approved::BSD License                                     |
| matplotlib           | PSF                                                | OSI Approved::Python Software Foundation License              |
| sphinxcontrib-apidoc |                                                    | OSI Approved::BSD License                                     |
| prospector           | GPLv2                                              | OSI Approved::GNU General Public License v2 or later (GPLv2+) |
| pytest               | MIT                                                | OSI Approved::MIT License                                     |
| bump2version         | MIT                                                | OSI Approved::MIT License                                     |
| pyteomics            | License :: OSI Approved :: Apache Software License |                                                               |
| sphinx               | BSD                                                | OSI Approved::BSD License                                     |
| numba                | BSD                                                | OSI Approved::BSD License                                     |
| networkx             |                                                    | OSI Approved::BSD License                                     |
| requests             | Apache 2.0                                         | OSI Approved::Apache Software License                         |
| deprecated           | MIT                                                | OSI Approved::MIT License                                     |
| lxml                 | BSD                                                | OSI Approved::BSD License                                     |
| sphinx-rtd-theme     | MIT                                                | OSI Approved::MIT License                                     |
| isort                | MIT                                                | OSI Approved::MIT License                                     |
| rdkit                | BSD                                                | OSI Approved::BSD License                                     |
| numpy                | BSD                                                | OSI Approved::BSD License                                     |

Deplic looks for conda.yml, try it

```
cp matchms/conda/environment.yml matchms/conda.yml
deplic -n conda.yml matchms/
no dependencies found
```

Seems it only checks pip subsection.

```
cp matchms/conda/environment-dev.yml matchms/conda.yml
deplic -n conda.yml matchms/
Found dependencies: 11
```

| Name                 | Meta                        | Classifier                                                    |
|----------------------|-----------------------------|---------------------------------------------------------------|
| sphinx-rtd-theme     | MIT                         | OSI Approved::MIT License                                     |
| sphinxcontrib-apidoc |                             | OSI Approved::BSD License                                     |
| bump2version         | MIT                         | OSI Approved::MIT License                                     |
| pytest-cov           | MIT                         | OSI Approved::BSD License                                     |
| isort                | MIT                         | OSI Approved::MIT License                                     |
| yapf                 | Apache License, Version 2.0 | OSI Approved::Apache Software License                         |
| pytest               | MIT                         | OSI Approved::MIT License                                     |
| deprecated           | MIT                         | OSI Approved::MIT License                                     |
| sphinx               | BSD                         | OSI Approved::BSD License                                     |
| prospector           | GPLv2                       | OSI Approved::GNU General Public License v2 or later (GPLv2+) |
| lxml                 | BSD                         | OSI Approved::BSD License                                     |

Deplic found deps from conda.yml:dependencies:pip. To parse the conda file, I needed to copy it to conda.yml and force deplic to read it.

sverhoeven commented 3 years ago

spec2vec

```
deplic https://github.com/iomega/spec2vec.git
Found dependencies: 14
```

| Name                 | Meta                        | Classifier                                                    |
|----------------------|-----------------------------|---------------------------------------------------------------|
| prospector           | GPLv2                       | OSI Approved::GNU General Public License v2 or later (GPLv2+) |
| bump2version         | MIT                         | OSI Approved::MIT License                                     |
| sphinx-rtd-theme     | MIT                         | OSI Approved::MIT License                                     |
| tqdm                 | MPLv2.0, MIT Licences       | OSI Approved::Mozilla Public License 2.0 (MPL 2.0)            |
| sphinx               | BSD                         | OSI Approved::BSD License                                     |
| isort                | MIT                         | OSI Approved::MIT License                                     |
| pytest-cov           | MIT                         | OSI Approved::BSD License                                     |
| sphinxcontrib-apidoc |                             | OSI Approved::BSD License                                     |
| yapf                 | Apache License, Version 2.0 | OSI Approved::Apache Software License                         |
| pytest               | MIT                         | OSI Approved::MIT License                                     |
| gensim               | LGPL-2.1-only               |                                                               |
| matchms              | Apache Software License 2.0 | OSI Approved::Apache Software License                         |
| numpy                | BSD                         | OSI Approved::BSD License                                     |
| numba                | BSD                         | OSI Approved::BSD License                                     |

Again parses setup.py

sverhoeven commented 3 years ago

https://github.com/sverhoeven/justatest2

```
deplic -f json https://github.com/sverhoeven/justatest2.git
Found dependencies: 14
```

```json
[
    {
        "Name": "twine",
        "Meta": "",
        "Classifier": "OSI Approved::Apache Software License"
    },
    {
        "Name": "sphinx-autoapi",
        "Meta": "MIT",
        "Classifier": "OSI Approved::MIT License"
    },
    {
        "Name": "isort",
        "Meta": "MIT",
        "Classifier": "OSI Approved::MIT License"
    },
    {
        "Name": "pytest",
        "Meta": "MIT",
        "Classifier": "OSI Approved::MIT License"
    },
    {
        "Name": "pytest-cov",
        "Meta": "MIT",
        "Classifier": "OSI Approved::BSD License"
    },
    {
        "Name": "bump2version",
        "Meta": "MIT",
        "Classifier": "OSI Approved::MIT License"
    },
    {
        "Name": "pandas",
        "Meta": "BSD",
        "Classifier": ""
    },
    {
        "Name": "setuptools",
        "Meta": "",
        "Classifier": "OSI Approved::MIT License"
    },
    {
        "Name": "sphinx-rtd-theme",
        "Meta": "MIT",
        "Classifier": "OSI Approved::MIT License"
    },
    {
        "Name": "wheel",
        "Meta": "MIT",
        "Classifier": "OSI Approved::MIT License"
    },
    {
        "Name": "requests",
        "Meta": "Apache 2.0",
        "Classifier": "OSI Approved::Apache Software License"
    },
    {
        "Name": "prospector",
        "Meta": "GPLv2",
        "Classifier": "OSI Approved::GNU General Public License v2 or later (GPLv2+)"
    },
    {
        "Name": "numpy",
        "Meta": "BSD",
        "Classifier": "OSI Approved::BSD License"
    },
    {
        "Name": "sphinx",
        "Meta": "BSD",
        "Classifier": "OSI Approved::BSD License"
    }
]
```

Was able to find deps from setup.cfg