tortellini-tools / action

GH action to check dependency licence issues using ort
https://github.com/marketplace/actions/tortellini-action
Apache License 2.0

Initial results for running dockerized licensefinder on setup.py, setup.cfg, requirements.txt, environment.yml #4

Closed jspaaks closed 3 years ago

jspaaks commented 3 years ago

tool

This issue lists some initial results with LicenseFinder.

repository

https://github.com/pivotal/LicenseFinder

how to install

Here's how I installed it

$ cd $WHERE_YOU_KEEP_YOUR_CLONED_REPOS
$ git clone https://github.com/pivotal/LicenseFinder
$ cd LicenseFinder

# add fullpath alias in ~/.bash_aliases, something like
alias lfdockerized='/home/myuser/github/pivotal/LicenseFinder/dlf'

# activate new alias
$ source ~/.bashrc

what was tested

Here are some tests with various setups (all Python projects, but different in what mechanism is used for dependency management):

setup.py

$ cd to a project that has a setup.py
$ cat setup.py
...
    install_requires=[
        "matplotlib >= 3.3",
        "numpy >= 1.19"
    ],
    setup_requires=[
    ],
    tests_require=[
    ],
    extras_require={
        "dev":  [
            "bumpversion",
            "isort",
            "prospector[with_pyroma]",
            "pycodestyle",
            "pytest-cov",
            "pytest-runner",
            "pytest",
            "recommonmark",
            "sphinx_rtd_theme",
            "sphinx",
            "yapf"
        ],
        "publishing": [
            "twine",
            "wheel"
        ]
    },
...
$ lfdockerized license_finder
# setup.py doesn't get recognized, outputs:
License Finder: No active and installed package managers found for project.

No dependencies recognized!

setup.cfg

$ cd to a project that has a setup.cfg
$ cat setup.cfg
...
[options]
zip_safe = False
include_package_data = True
packages =
install_requires =
    cookiecutter==1.7.2

[options.data_files]
# This section requires setuptools>=40.6.0
# It remains empty for now
# Check if MANIFEST.in works for your purposes

[options.extras_require]
dev =
    pytest<5.0.0,>=3.3.0
    pytest-cookies

...
$ lfdockerized license_finder
# setup.cfg doesn't get recognized, outputs:
License Finder: No active and installed package managers found for project.

No dependencies recognized!

requirements.txt

$ cd to a project that has a requirements.txt
$ cat requirements.txt 
sequgen==0.2.0
jupyterlab
pandas
$ lfdockerized license_finder
# requirements.txt gets recognized but tries to use Python 2, outputs:
LicenseFinder::Pip: is active
pip2 install: did not succeed.
pip2 install: LicenseFinder command 'python /usr/share/rvm/gems/ruby-2.7.1/gems/license_finder-6.13.0/bin/license_finder_pip.py /scan/requirements.txt' failed:
    Traceback (most recent call last):
  File "/usr/share/rvm/gems/ruby-2.7.1/gems/license_finder-6.13.0/bin/license_finder_pip.py", line 39, in <module>
    in pkg_resources.working_set.resolve(requirements)]
  File "/usr/local/lib/python2.7/dist-packages/pip/_vendor/pkg_resources/__init__.py", line 784, in resolve
    raise DistributionNotFound(req, requirers)
pip._vendor.pkg_resources.DistributionNotFound: The 'pandas' distribution was not found and is required by the application
No dependencies recognized!

Same as above, with extra argument --python-version 3:

lfdockerized license_finder --python-version 3
LicenseFinder::Pip: is active
pip3 install: did not succeed.
pip3 install: LicenseFinder command 'python3 /usr/share/rvm/gems/ruby-2.7.1/gems/license_finder-6.13.0/bin/license_finder_pip.py /scan/requirements.txt' failed:
    Traceback (most recent call last):
  File "/usr/share/rvm/gems/ruby-2.7.1/gems/license_finder-6.13.0/bin/license_finder_pip.py", line 39, in <module>
    in pkg_resources.working_set.resolve(requirements)]
  File "/usr/local/lib/python3.5/dist-packages/pip/_vendor/pkg_resources/__init__.py", line 786, in resolve
    raise DistributionNotFound(req, requirers)
pip._vendor.pkg_resources.DistributionNotFound: The 'pandas' distribution was not found and is required by the application

No dependencies recognized!

environment.yml

$ cd to a project that has a environment.yml
$ cat environment.yml
--- 
channels: 
  - conda-forge
dependencies: 
  - nb_conda
name: matchms-notebooks

# doing or not doing this next step doesn't matter
$ conda env create
# doing or not doing this next step doesn't matter
$ conda activate matchms-notebooks
# doesn't recognize the env
$ lfdockerized license_finder
LicenseFinder::Conda: is active
conda list: did not succeed.
conda list: Could not find conda environment: matchms-notebooks
You can list all discoverable environments with `conda info --envs`.

No dependencies recognized!

Overall, it seems this tool is more geared towards getting insight into projects that you own and do development on, so whoever is running the analysis knows how to resolve dependencies, what configurations to use, which python to use, etc. You can pass it a list of blacklisted licenses, approve/deny specific licenses, in an iterative process. The tool seems less suitable for performing the analysis on projects whose contents are a surprise (such as what you may find when all you have is a list of urls to github repositories).

Pros

  1. Aims to cover many types of projects, languages, dependency resolvers

Cons

  1. Couldn't get it to work easily, could be due to my minimal energy investment
  2. seems to want to install everything (why isn't just resolving the packages enough to figure out license conflicts?)
  3. seems to want to install everything on your local installation
  4. the abstraction that dockerization could yield is leaky, e.g. with respect to virtual envs
  5. doesn't recognize all dependency file formats for python (environment.yml, requirements.txt, setup.cfg, setup.py, Pipfile, Pipfile.lock)

Questions that need answers:

  1. Can tool/service be given multiple repository URLs to check?
    • no
  2. Can tool/service be given a repository URL to check, if not describe how to check repository?
    • I ran it with git clone && run the tool
  3. Can tool/service return compliance status as a color?

    • no, doesn't return status:

      lfdockerized license_finder && echo $?
       License Finder: No active and installed package managers found for project.
      
       No dependencies recognized!
       0
  4. Can tool/service return machine readable output, if so please show example?

    • CSV output if it works:

      addressable, 2.7.0, "Apache 2.0"
      ast, 2.4.2, MIT
      bundler, 2.2.16, MIT
      capybara, 3.15.1, MIT
      coderay, 1.1.3, MIT
  5. Which programming language(s) was used during evaluation? For example pure python
    • I only checked python projects
  6. Which dependency resolver / build chain was used during evaluation? For example requirements.txt with pip or environment.yml with conda
    • requirements.txt, setup.cfg, setup.py, environment.yml, see examples
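Questions 3 and 4 above (a colour-coded status and machine-readable output) can be bridged with a small post-processor over the CSV lines that license_finder prints. The following is an added example written for this issue; it is not code from the LicenseFinder project or from the tortellini action. It assumes the three-column "name, version, licenses" lines shown in this thread, and the allow/deny lists and the sample report are constructed for illustration. It deliberately treats "No dependencies recognized!" as a failure, because the CLI exits 0 in that case and an empty scan must not pass as a clean one.

```python
"""Turn LicenseFinder's "name, version, licenses" CSV lines into a verdict.

Added example, not part of the original issue nor of LicenseFinder or the
tortellini action. The policy sets and SAMPLE_REPORT below are constructed.
"""
import csv
import io
import sys

# Constructed policy for the example; real projects keep this in config.
ALLOWED = {"MIT", "Apache 2.0", "Apache-2.0", "Simplified BSD", "ruby"}
DENIED = {"GPL-2.0+", "GPL-3.0", "AGPL-3.0"}

# Marker printed by license_finder when it found nothing to analyse.
NO_DEPS_MARKER = "No dependencies recognized!"

# Constructed sample, shaped like the output quoted in this thread.
SAMPLE_REPORT = """\
LicenseFinder::Bundler: is active
Dependencies that need approval:
addressable, 2.7.0, "Apache 2.0"
diff-lcs, 1.4.4, "Artistic-2.0, GPL-2.0+, MIT"
racc, 1.5.2, "Simplified BSD, ruby"
mystery-gem, 0.1.0, unknown
"""


def parse_report(text):
    """Return [(name, version, [licences])] for every CSV-shaped line.

    Status lines ("...: is active", headings, ERROR lines) have no commas
    and are skipped. skipinitialspace=True is what makes the quoted,
    comma-containing licence column parse as a single field.
    """
    deps = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) != 3:
            continue
        name, version, licences = (col.strip() for col in row)
        deps.append((name, version, [l.strip() for l in licences.split(",")]))
    return deps


def classify(licences):
    """Multi-licensed packages let the consumer pick one option, so:
    any allowed option -> ok; every option denied -> denied; else review."""
    if any(l in ALLOWED for l in licences):
        return "ok"
    if all(l in DENIED for l in licences):
        return "denied"
    return "review"


def evaluate(text):
    """Map a report to (colour, exit_code, {name: verdict}).

    green/0: everything allowed; yellow/1: something needs review;
    red/2: a denied licence, or nothing was recognized at all.
    """
    deps = parse_report(text)
    if NO_DEPS_MARKER in text or not deps:
        return "red", 2, {}
    findings = {name: classify(lics) for name, _, lics in deps}
    if "denied" in findings.values():
        return "red", 2, findings
    if "review" in findings.values():
        return "yellow", 1, findings
    return "green", 0, findings


def main():
    # Usage: lfdockerized license_finder | python lf_verdict.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    colour, code, findings = evaluate(text)
    for name, verdict in sorted(findings.items()):
        print(f"{verdict:7} {name}")
    print(f"status: {colour}")
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Piping the tool's stdout into this script gives a non-zero exit code on the "No dependencies recognized!" case as well as on denied licences, which is what a CI step needs; the colour string is what a badge or summary line would show.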
jspaaks commented 3 years ago

For reference, running it on a clone of pivotal/LicenseFinder:

lfdockerized license_finder
LicenseFinder::Bundler: is active
Resolving dependencies...
ERROR: /scan/features/fixtures/gopath_dep/src/foo-dep/vendor/a/b/LICENSE does not exists

Dependencies that need approval:
addressable, 2.7.0, "Apache 2.0"
ast, 2.4.2, MIT
bundler, 2.2.16, MIT
capybara, 3.15.1, MIT
coderay, 1.1.3, MIT
crack, 0.4.5, MIT
diff-lcs, 1.4.4, "Artistic-2.0, GPL-2.0+, MIT"
fakefs, 1.2.3, MIT
hashdiff, 1.0.1, MIT
jaro_winkler, 1.5.4, MIT
license_finder, 6.13.0, MIT
method_source, 1.0.0, MIT
mime-types, 3.3.1, MIT
mime-types-data, 3.2021.0225, MIT
mini_mime, 1.1.0, MIT
nokogiri, 1.11.3, MIT
parallel, 1.20.1, MIT
parser, 3.0.1.0, MIT
pry, 0.14.1, MIT
public_suffix, 4.0.6, MIT
racc, 1.5.2, "Simplified BSD, ruby"
rack, 2.2.3, MIT
rack-test, 1.1.0, MIT
rainbow, 3.0.0, MIT
rake, 13.0.3, MIT
regexp_parser, 1.8.2, MIT
rexml, 3.2.5, "Simplified BSD"
rspec, 3.10.0, MIT
rspec-core, 3.10.1, MIT
rspec-expectations, 3.10.1, MIT
rspec-its, 1.3.0, MIT
rspec-mocks, 3.10.2, MIT
rspec-support, 3.10.2, MIT
rubocop, 0.81.0, MIT
rubocop-performance, 1.5.2, MIT
ruby-progressbar, 1.11.0, MIT
rubyzip, 2.3.0, "Simplified BSD"
thor, 1.0.1, MIT
tomlrb, 2.0.1, MIT
unicode-display_width, 1.7.0, MIT
webmock, 3.12.2, MIT
with_env, 1.1.0, MIT
xml-simple, 1.1.8, MIT
xpath, 3.2.0, MIT
LourensVeen commented 3 years ago

I think the README says it only supports Pipenv-based Python projects.