Closed jspaaks closed 3 years ago
For reference, run it on a clone of pivotal/LicenseFinder
lfdockerized license_finder
LicenseFinder::Bundler: is active
Resolving dependencies...
ERROR: /scan/features/fixtures/gopath_dep/src/foo-dep/vendor/a/b/LICENSE does not exists
Dependencies that need approval:
addressable, 2.7.0, "Apache 2.0"
ast, 2.4.2, MIT
bundler, 2.2.16, MIT
capybara, 3.15.1, MIT
coderay, 1.1.3, MIT
crack, 0.4.5, MIT
diff-lcs, 1.4.4, "Artistic-2.0, GPL-2.0+, MIT"
fakefs, 1.2.3, MIT
hashdiff, 1.0.1, MIT
jaro_winkler, 1.5.4, MIT
license_finder, 6.13.0, MIT
method_source, 1.0.0, MIT
mime-types, 3.3.1, MIT
mime-types-data, 3.2021.0225, MIT
mini_mime, 1.1.0, MIT
nokogiri, 1.11.3, MIT
parallel, 1.20.1, MIT
parser, 3.0.1.0, MIT
pry, 0.14.1, MIT
public_suffix, 4.0.6, MIT
racc, 1.5.2, "Simplified BSD, ruby"
rack, 2.2.3, MIT
rack-test, 1.1.0, MIT
rainbow, 3.0.0, MIT
rake, 13.0.3, MIT
regexp_parser, 1.8.2, MIT
rexml, 3.2.5, "Simplified BSD"
rspec, 3.10.0, MIT
rspec-core, 3.10.1, MIT
rspec-expectations, 3.10.1, MIT
rspec-its, 1.3.0, MIT
rspec-mocks, 3.10.2, MIT
rspec-support, 3.10.2, MIT
rubocop, 0.81.0, MIT
rubocop-performance, 1.5.2, MIT
ruby-progressbar, 1.11.0, MIT
rubyzip, 2.3.0, "Simplified BSD"
thor, 1.0.1, MIT
tomlrb, 2.0.1, MIT
unicode-display_width, 1.7.0, MIT
webmock, 3.12.2, MIT
with_env, 1.1.0, MIT
xml-simple, 1.1.8, MIT
xpath, 3.2.0, MIT
I think the README says it only supports Pipenv-based Python projects.
This issue lists some initial results with the LicenseFinder tool.
repository
https://github.com/pivotal/LicenseFinder
how to install
Here's how I installed it
what was tested
Here are some tests with various setups (all Python projects, but different in what mechanism is used for dependency management):
setup.py
setup.cfg
requirements.txt
Same as above, with extra argument --python-version 3
environment.yml
Overall, it seems this tool is more geared towards getting insight into projects that you own and do development on, so whoever is running the analysis knows how to resolve dependencies, what configurations to use, which python to use, etc. You can pass it a list of blacklisted licenses, and approve/deny specific licenses, in an iterative process. The tool seems less suitable for performing the analysis on projects whose contents are a surprise (such as what you may find when all you have is a list of urls to github repositories).
Pros
Cons
Questions that need answers:
git clone && run the tool
Can tool/service return compliance status as a color?
no, doesn't return status:
Can the tool/service return machine-readable output? If so, please show an example.
CSV output if it works:
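The two open questions above (a compliance status and machine-readable output) can be answered on top of the plain-text report shown in the first comment, since every approval line has the shape `name, version, license` with the license field quoted when a package carries several licenses. The following is an added example written for this thread; it is not LicenseFinder's own code and not the issue author's. It parses that report format, applies a deny-list (the list here is an assumption chosen for illustration, not any project's policy), emits CSV, and reduces the result to a single red/green status. The sample report is constructed from the lines in the comment above plus one made-up package so the failure path is exercised.

```python
"""Parse LicenseFinder's plain-text "Dependencies that need approval" report
into structured records, flag licenses against a deny-list, and emit CSV plus
a single red/green status.

Added example for this thread; not part of LicenseFinder itself.
"""
import csv
import io
import re

# Constructed sample: the first lines mirror the report in the comment above,
# the last line ("example-pkg") is made up so that a denied package appears.
SAMPLE_REPORT = """\
LicenseFinder::Bundler: is active
Resolving dependencies...
ERROR: /scan/features/fixtures/gopath_dep/src/foo-dep/vendor/a/b/LICENSE does not exists
Dependencies that need approval:
addressable, 2.7.0, "Apache 2.0"
diff-lcs, 1.4.4, "Artistic-2.0, GPL-2.0+, MIT"
racc, 1.5.2, "Simplified BSD, ruby"
rexml, 3.2.5, "Simplified BSD"
rspec, 3.10.0, MIT
example-pkg, 0.0.1, unknown
"""

# Assumed deny-list for illustration only; a real policy would be project-specific.
DENY_LIST = {"GPL-2.0+", "unknown"}

# name, version, licenses; the license field is either a bare token or a
# double-quoted string that may itself contain commas.
LINE_RE = re.compile(
    r'^(?P<name>[^,]+), (?P<version>[^,]+), (?:"(?P<quoted>[^"]*)"|(?P<bare>.+))$'
)


def parse_report(text):
    """Return a list of dicts {name, version, licenses} from report text.

    Lines before the 'Dependencies that need approval:' marker (status and
    ERROR lines) are skipped; malformed lines after it are ignored.
    """
    records = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line.startswith("Dependencies that need approval:")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        field = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        licenses = [lic.strip() for lic in field.split(",") if lic.strip()]
        records.append({"name": m.group("name"), "version": m.group("version"),
                        "licenses": licenses})
    return records


def evaluate(records, deny_list=DENY_LIST):
    """Attach a per-dependency verdict and return (rows, overall_status).

    A dependency fails only if every license it offers is denied: a
    multi-licensed package can be consumed under any one of its licenses.
    """
    rows = []
    overall = "green"
    for r in records:
        allowed = [lic for lic in r["licenses"] if lic not in deny_list]
        verdict = "pass" if allowed else "fail"
        if verdict == "fail":
            overall = "red"
        rows.append({**r, "verdict": verdict})
    return rows, overall


def to_csv(rows):
    """Serialise evaluated rows as CSV; licenses are joined with ';' so the
    field stays a single column even when a package has several."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["name", "version", "licenses", "verdict"])
    for r in rows:
        w.writerow([r["name"], r["version"], ";".join(r["licenses"]), r["verdict"]])
    return buf.getvalue()


if __name__ == "__main__":
    rows, status = evaluate(parse_report(SAMPLE_REPORT))
    print(to_csv(rows))
    print("overall:", status)
```

The "any one license allowed" rule in `evaluate` is a deliberate choice: LicenseFinder reports `diff-lcs` under three licenses, and treating the package as blocked because one of them is denied would produce false alarms; swap the rule for "all licenses must be allowed" if your policy is stricter.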