Get License Information for Dependency - SDK-Style

[wgnf]

• License Type
• License Text

idk how this might work, i know of these locations where Licenses might be:

• NuGet-Property: PackageLicenseExpression
• NuGet-Property: PackageLicenseUrl
• LICENSE file embedded in NuGet

[wgnf]

To download a NuGet Package maybe use this command:

dotnet add package <NAME> -v -n --prerelease -f <TARGET FRAMEWORK> --package-directory <PACKAGE_DIRECTORY>

On a dummy project and use PACKAGE_DIRECTORY as a point to refer to the downloaded package

More information see here

[wgnf]

But what's with a possible nuget.config? For that I might need to add this dummy project in the actual source structure... But I also want to be non-invasive 🤔

[wgnf]

OH!

Maybe dotnet restore --packages <PACKAGE_DIRECTORY> might work?

This'll definitely utilize everything that there is (nuget.config, cached packages on the system, ...) and will be offered for the .NET (Core) CLI

Does this work non-SDK-Style projects too?

[wgnf]

Yes, dotnet restore works. Following needs to be done for downloading packages:

• Non-SDK-Style: nuget restore -Force -OutputDirectory <FOLDER> -Recursive
• SDK-Style: dotnet restore --packages <FOLDER> --force /p:DisableImplicitNuGetFallbackFolder=true

There are some catches, though:

• Structure:
  • dotnet restore: Package-Name (lower-case) --> Version --> All data (nupkg, nuspec, license, ...)
  • nuget restore: Package-Name + Version (i.e. Autofac.4.9.4) --> Some data (nupkg, license, ...)

[wgnf]

Getting the License-Text should also be "two-stepped"

1. Is there a License already embedded in the NuGet-Package?
2. Download from the URL-Source provided

Getting the License-Type should be done, by:

1. Has the nuspec a "License Expression"?
2. ...
3. Get it from the internal/manually provided URL to Type Mapping
4. Get it from the License-Text (Keywords, see #10)

[wgnf]

Yes, dotnet restore works. Following needs to be done for downloading packages:

• Non-SDK-Style: nuget restore -Force -OutputDirectory <FOLDER> -Recursive
• SDK-Style: dotnet restore --packages <FOLDER> --force /p:DisableImplicitNuGetFallbackFolder=true

There are some catches, though:

• Structure:
  • dotnet restore: Package-Name (lower-case) --> Version --> All data (nupkg, nuspec, license, ...)
  • nuget restore: Package-Name + Version (i.e. Autofac.4.9.4) --> Some data (nupkg, license, ...)

Problem with using restore is just that every package will be downloaded, even though we might just need a few, depending on the cache (see #1) and additionally restore might take pretty long in some cases (idk why)

Maybe looking for the package in the package file-package-sources

• %USERPROFILE%/dotnet/packages (or sth similar)
• packages folder in case of non SDK style
• ...

And then downloading directly might be a better option

Or really just using dotnet add or something on a dummy project (inside the obj folder maybe) for packages that are really needed might be the better option

[wgnf]

Maybe there's a package that can do this? 🤔

[wgnf]

These are the ways licenses can be specified (as far as i found out so far) - information are in the .nuspec file:

1:

• license tag with file attribute (/package/metadata/license[@file])
• license file in downloaded content (file containing "license" in the filename)
• get raw license text from specified file
• get license type from mapping (#11, #12) OR raw license text (#10 )

2:

• license tag with expression attribute (/package/metadata/license[@expression])
• licenseUrl tag (/package/metadata/licenseUrl)
• no license file in downloaded content
• get raw license text from specified url (licenseUrl tag)
• get license type from license tag

3:

• license tag with expression attribute (/package/metadata/license[@expression])
• licenseUrl tag (/package/metadata/licenseUrl)
• license file in downloaded content (file containing "license" in the filename)
• get raw license text from license file
• get license type from license tag

4:

• licenseUrl tag (/package/metadata/licenseUrl)
• no license tag
• no license file in downloaded content
• get the raw license text from the specified url (licenseUrl tag)
• get license type from mapping (#11, #12) OR raw license text (#10 )

5:

• licenseUrl tag (/package/metadata/licenseUrl)
• no license tag
• license file in downloaded content (file containing "license" in the filename)
• get raw license text from license file
• get license type from mapping (#11, #12) OR raw license text (#10 )

[wgnf]

Best way to do it would be to have a number of sources:

• [x] nuspec
  • [x] 'license'-element (license-type or raw license-text)
  • [x] 'licenseUrl'-element (license-url -> raw license-text)
• [x] any file that contains 'license' in it's name (raw license-text)
• [ ] mapping
  • [ ] internal mapping (any license information) see #11
  • [ ] external mapping (any license information) see #12
  • [ ] get license-type from raw license-text (license-type) see #10

... so that we get more and more information with each step/source, until we eventually, hopefully, have everything that we need

[wgnf]

Other TODOs:

• [x] Change PackageReference to have a LicenseInformation object? 🤔
• [x] dotnet package list also provides ProjectReferences which cannot be downloaded... this needs to be fixed