Timestamp only when dependencies change about licensefinder HOT 7 CLOSED

This seems to have stopped on our workstation, but @gonzedge is having the same issue right now. Weird.

from licensefinder.

Possibly-related work done last year around not updating the database if there are no changes: 23f4cae

(This is just a note to myself)

from licensefinder.

Looking into this today.

• get a reproducible test case
• investigate if we're using UTC under the hood (Taavo's comment implies we're not)
• spike on how to fix this

from licensefinder.

Note there's a branch which provides a reproducible test failure: flavorjones-fix-timestamp-issue-114

from licensefinder.

@taavo take a look at #126, a PR which is a step towards resolving your problem. The main change that would affect you is that LF wouldn't write any reports to the file system unless explicitly asked to. So, here's a workflow I can imagine you would adopt...

1. When committing, run license_finder to see if there are any unapproved dependencies. You could have unapproved dependencies either because they are new and don't fall under your whitelist, or because you changed license_finder's configuration (e.g. removed a license from the whitelist) so old dependencies are no longer approved. This will not modify the file system in any way, so it will never change timestamps in the reports.
2. Check whether Gemfile.lock (or whatever files your package managers use) changed, to see whether the reports are likely to include new dependencies.
3. If step 1 or 2 report any changes, run license_finder report --format html > doc/dependencies.html to update the HTML. Timestamps will change, but this is expected and desired.

The PR is a major refactoring and so probably won't be merged for awhile (if at all) but if your problem is really urgent, you could point your Gemfile at the pull or at https://github.com/mainej/LicenseFinder/tree/decisions.

from licensefinder.

I thought about the workflow I laid out earlier. It wouldn't work very well in a rake command or pre-commit hook. The problem is that in #126 there was no longer a single place to check whether anything had changed - whether dependencies were added or removed, and whether more or fewer were approved.

Since merging that PR I've added a CSV report that will show all dependencies, including which are approved: license_finder report --format csv --columns approved name version licenses. This allows a reasonably simple script you could use in a rake task or pre-commit hook. The script is in a gist, so you can modify at will, but it's copied here for documentation:

#!/bin/bash

HTML_REPORT=doc/dependencies.html

STATUS_REPORT=doc/dependencies.csv
checksum_before=$(md5 -q < $STATUS_REPORT)
checksum_after=$(license_finder report --format csv --columns approved name version licenses | tee $STATUS_REPORT | md5 -q)

# # Alternatively
# CHECKSUM_FILE=doc/dependencies_status.md5
# checksum_before=$(cat $CHECKSUM_FILE)
# checksum_after=$(license_finder report --format csv --columns approved name version licenses | md5 -q | tee $CHECKSUM_FILE)

if [ "$checksum_before" != "$checksum_after" ]
then
  license_finder report --format html > $HTML_REPORT;
  exit 1
fi

from licensefinder.

Closing this with the release of 2.0. Fixing this kind of problem was a major motivation for the 2.0 work, so thanks for contributing to this discussion.

from licensefinder.