unnawut / licensir

An Elixir mix task that lists all the licenses used by your Mix project dependencies.

Home Page: https://hex.pm/packages/licensir

License: MIT License


licensir's Introduction

Notice: This repository is now archived. Thank you for over 192,000 downloads since December 2017. While I think Elixir is an awesome ecosystem, I no longer have the chance to be developing using Elixir on a regular basis. :'(


Licensir


An Elixir mix task that lists the license(s) of all installed packages in your project.

Installation

The package can be installed by adding :licensir to your list of dependencies in mix.exs:

def deps do
  [
    {:licensir, "~> 0.7", only: :dev, runtime: false}
  ]
end

In most cases this mix task only needs to run on a development machine, independent of the runtime application, hence the only: :dev, runtime: false options.

Install locally

If you do not wish to include this tool as part of your dependencies, you may also install it locally by running:

$ mix archive.install hex licensir 0.7.0

Now you can access this tool from any path on your local machine that has access to mix.

Usage

Run mix licenses to get the list of packages and their licenses:

$ mix licenses
+---------------------+---------+--------------------------------------------------------+
| Package             | Version | License                                                |
+---------------------+---------+--------------------------------------------------------+
| certifi             |         | BSD                                                    |
| earmark             | 1.3.2   | Apache 2.0                                             |
| ex_doc              | 0.20.2  | Apache 2.0                                             |
| excoveralls         |         | Unsure (found: MIT, Unrecognized license file content) |
| hackney             |         | Apache 2.0                                             |
| idna                |         | Unsure (found: BSD, MIT)                               |
| jason               |         | Apache 2.0                                             |
| makeup              | 0.8.0   | Unsure (found: BSD, Unrecognized license file content) |
| makeup_elixir       | 0.13.0  | BSD                                                    |
| metrics             |         | BSD                                                    |
| mimerl              |         | MIT                                                    |
| nimble_parsec       | 0.5.0   | Apache 2.0                                             |
| ssl_verify_fun      |         | MIT                                                    |
| table_rex           | 2.0.0   | MIT                                                    |
| unicode_util_compat |         | Unsure (found: Apache 2.0, BSD)                        |
+---------------------+---------+--------------------------------------------------------+

Run mix licenses --csv to output in CSV format:

Package,Version,License
certifi,,BSD
earmark,1.3.2,Apache 2.0
ex_doc,0.20.2,Apache 2.0
excoveralls,,"Unsure (found: MIT, Unrecognized license file content)"
hackney,,Apache 2.0
idna,,"Unsure (found: BSD, MIT)"
jason,,Apache 2.0
makeup,0.8.0,"Unsure (found: BSD, Unrecognized license file content)"
makeup_elixir,0.13.0,BSD
metrics,,BSD
mimerl,,MIT
nimble_parsec,0.5.0,Apache 2.0
ssl_verify_fun,,MIT
unicode_util_compat,,"Unsure (found: Apache 2.0, BSD)"

Flags

  • --top-level-only - Only fetch license information from top level dependencies (e.g. packages that are directly listed in your application's mix.exs). Excludes transitive dependencies.

Usage as a library

You may call the function Licensir.Scanner.scan() from your Elixir application to get a list of license data per dependency.

iex> Licensir.Scanner.scan([])
[
  %Licensir.License{
    app: :jason,
    dep: %Mix.Dep{
      app: :jason,
      deps: ...
    },
    file: "Apache 2",
    hex_metadata: ["Apache 2.0"],
    license: "Apache 2.0",
    mix: nil,
    name: "jason",
    version: nil
  },
  %Licensir.License{...},
  ...
]

Copyright and License

Copyright (c) 2017, Unnawut Leepaisalsuwanna.

This library is released under the MIT License. See the LICENSE.md file for further details.

This project contains 3rd party work as follow:

licensir's Issues

Installing it locally results in TableRex error

I used mix archive.install hex licensir 0.5.0 to install licensir locally, and while that completed successfully, when I try to run mix licenses in an Elixir project, I get the following error:

** (UndefinedFunctionError) function TableRex.quick_render!/2 is undefined (module TableRex is not available)
    TableRex.quick_render!([["artificery", nil, "Apache 2.0"], ["bunt", nil, "Unsure (found: MIT, Unrecognized license file content)"], ["certifi", nil, "BSD"], ["combine", nil, "MIT"], ["confex", nil, "Unsure (found: LISENSE.md, MIT)"], ["connection", nil, "Apache 2.0"], ["cowboy", nil, "ISC"], ["cowlib", nil, "ISC"], ["credo", nil, "Unsure (found: MIT, Unrecognized license file content)"], ["crontab", nil, "Unsure (found: MIT, Unrecognized license file content)"], ["db_connection", nil, "Apache 2.0"], ["decimal", nil, "Apache 2.0"], ["dialyxir", nil, "Apache 2.0"], ["distillery", nil, "MIT"], ["double_metaphone", nil, "MIT"], ["ecto", nil, "Apache 2.0"], ["ecto_sql", nil, "Apache 2.0"], ["ex_aws", nil, "MIT"], ["ex_aws_kinesis", nil, "MIT"], ["ex_aws_s3", nil, "MIT"], ["excoveralls", nil, "Unsure (found: MIT, Unrecognized license file content)"], ["exjsx", nil, "Unsure (found: MIT, Unrecognized license file content)"], ["gen_stage", nil, "Apache 2.0"], ["gen_state_machine", nil, "Apache 2.0"], ["gettext", nil, "Apache 2.0"], ["hackney", nil, "Apache 2.0"], ["httpoison", nil, "Unsure (found: MIT, Unrecognized license file content)"], ["idna", nil, "Unsure (found: BSD, MIT)"], ["jason", nil, "Apache 2.0"], ["jsx", nil, "MIT"], ["lazy_agent", nil, "MIT"], ["libring", nil, "MIT"], ["litmus", nil, "MIT"], ["logger_elixir", nil, "MIT"], ["metrics", nil, "BSD"], ["metrics_elixir", nil, "MIT"], ["mime", nil, "Apache 2.0"], ["mimerl", nil, "MIT"], ["parse_trans", nil, "Apache 2.0"], ["plug", nil, "Apache 2.0"], ["poison", nil, "CC0-1.0"], ["postgrex", nil, "Apache 2.0"], ["quantum", nil, "Unsure (found: Apache License 2.0, Apache 2.0)"], ["ranch", nil, "ISC"], ["redix", nil, "MIT"], ["remodel", nil, "Apache 2.0"], ["sentry", nil, "MIT"], ["simetric", nil, ...], ["ssl_verify_fun", ...], [...], ...], ["Package", "Version", "License"])
    lib/mix/tasks/licenses.ex:23: Mix.Tasks.Licenses.run/1
    (mix) lib/mix/task.ex:331: Mix.Task.run_task/3
    (mix) lib/mix/cli.ex:79: Mix.CLI.run_task/2

I'm using the following versions:

Erlang/OTP 22 [erts-10.4.4] [source] [64-bit] [smp:12:12] [ds:12:12:10] [async-threads:1] [hipe] [dtrace]

Elixir 1.9.1 (compiled with Erlang/OTP 22)

Thanks!

Add more license detections

Thanks to @pdobacz for the output dump. Some of these Undefined should be detectable. Also there're a lot of duplicates that can be removed.

abi 0.1.12              -> MIT
binary 0.0.4            -> MIT
blockchain 0.1.7        -> MIT
certifi 2.3.1           -> Undefined
eleveldb 2.2.20         -> Undefined
erlexec 1.7.5           -> Undefined
ethereumex 0.3.2        -> MIT
evm 0.1.14              -> MIT
ex_rlp 0.2.1            -> MIT
ex_unit_fixtures        -> MIT
exexec 0.1.0            -> Unsure (found: Apache 2.0, Apache 2)
exleveldb 0.11.1        -> Unsure (found: Apache v2.0, Apache 2)
exth_crypto 0.1.4       -> MIT
hackney 1.12.1          -> Apache 2
hex_prefix 0.1.0        -> MIT
httpoison 1.1.1         -> MIT
idna 5.1.1              -> Undefined
jsonrpc2 1.0.3          -> Unsure (found: Apache 2.0, Apache 2)
keccakf1600 2.0.0       -> Undefined
libsecp256k1 0.1.4      -> MIT
merkle_patricia_tree 0.2.6-> MIT
merkle_tree 1.3.0       -> MIT
metrics 1.0.1           -> Undefined
mimerl 1.0.2            -> Undefined
parse_trans 3.2.0       -> Undefined
phoenix_pubsub 1.0.2    -> MIT
plasma_mvp_contracts    -> Undefined
poison 3.1.0            -> CC0-1.0
ssl_verify_fun 1.1.1    -> Undefined
unicode_util_compat 0.3.1-> Undefined
abi 0.1.12              -> MIT
binary 0.0.4            -> MIT
blockchain 0.1.7        -> MIT
certifi 2.3.1           -> Undefined
cowboy 1.1.2            -> Undefined
cowlib 1.0.2            -> Undefined
eleveldb 2.2.20         -> Undefined
erlexec 1.7.5           -> Undefined
ethereumex 0.3.2        -> MIT
evm 0.1.14              -> MIT
ex_rlp 0.2.1            -> MIT
exexec 0.1.0            -> Unsure (found: Apache 2.0, Apache 2)
exleveldb 0.11.1        -> Unsure (found: Apache v2.0, Apache 2)
exth_crypto 0.1.4       -> MIT
hackney 1.12.1          -> Apache 2
hex_prefix 0.1.0        -> MIT
httpoison 1.1.1         -> MIT
idna 5.1.1              -> Undefined
jsonrpc2 1.0.3          -> Unsure (found: Apache 2.0, Apache 2)
keccakf1600 2.0.0       -> Undefined
libsecp256k1 0.1.4      -> MIT
merkle_patricia_tree 0.2.6-> MIT
merkle_tree 1.3.0       -> MIT
metrics 1.0.1           -> Undefined
mime 1.3.0              -> Apache 2
mimerl 1.0.2            -> Undefined
parse_trans 3.2.0       -> Undefined
phoenix_pubsub 1.0.2    -> MIT
plasma_mvp_contracts    -> Undefined
plug 1.5.0              -> Apache 2
poison 3.1.0            -> CC0-1.0
ranch 1.3.2             -> Undefined
ssl_verify_fun 1.1.1    -> Undefined
unicode_util_compat 0.3.1-> Undefined
abi 0.1.12              -> MIT
binary 0.0.4            -> MIT
blockchain 0.1.7        -> MIT
certifi 2.3.1           -> Undefined
cowboy 1.1.2            -> Undefined
cowlib 1.0.2            -> Undefined
eleveldb 2.2.20         -> Undefined
erlexec 1.7.5           -> Undefined
ethereumex 0.3.2        -> MIT
evm 0.1.14              -> MIT
ex_rlp 0.2.1            -> MIT
exexec 0.1.0            -> Unsure (found: Apache 2.0, Apache 2)
exleveldb 0.11.1        -> Unsure (found: Apache v2.0, Apache 2)
exth_crypto 0.1.4       -> MIT
hackney 1.12.1          -> Apache 2
hex_prefix 0.1.0        -> MIT
httpoison 1.1.1         -> MIT
idna 5.1.1              -> Undefined
jsonrpc2 1.0.3          -> Unsure (found: Apache 2.0, Apache 2)
keccakf1600 2.0.0       -> Undefined
libsecp256k1 0.1.4      -> MIT
merkle_patricia_tree 0.2.6-> MIT
merkle_tree 1.3.0       -> MIT
metrics 1.0.1           -> Undefined
mime 1.3.0              -> Apache 2
mimerl 1.0.2            -> Undefined
parse_trans 3.2.0       -> Undefined
phoenix_pubsub 1.0.2    -> MIT
plasma_mvp_contracts    -> Undefined
plug 1.5.0              -> Apache 2
poison 3.1.0            -> CC0-1.0
ranch 1.3.2             -> Undefined
ssl_verify_fun 1.1.1    -> Undefined
unicode_util_compat 0.3.1-> Undefined
abi 0.1.12              -> MIT
binary 0.0.4            -> MIT
blockchain 0.1.7        -> MIT
certifi 2.3.1           -> Undefined
connection 1.0.4        -> Unsure (found: Apache 2.0, Apache 2)
cowboy 1.1.2            -> Undefined
cowlib 1.0.2            -> Undefined
db_connection 1.1.3     -> Apache 2.0
decimal 1.5.0           -> Apache 2.0
ecto 2.2.10             -> Apache 2.0
eleveldb 2.2.20         -> Undefined
erlexec 1.7.5           -> Undefined
esqlite                 -> Apache 2
ethereumex 0.3.2        -> MIT
evm 0.1.14              -> MIT
ex_rlp 0.2.1            -> MIT
exexec 0.1.0            -> Unsure (found: Apache 2.0, Apache 2)
exleveldb 0.11.1        -> Unsure (found: Apache v2.0, Apache 2)
exth_crypto 0.1.4       -> MIT
gettext 0.15.0          -> Apache 2.0
hackney 1.12.1          -> Apache 2
hex_prefix 0.1.0        -> MIT
httpoison 1.1.1         -> MIT
idna 5.1.1              -> Undefined
jsonrpc2 1.0.3          -> Unsure (found: Apache 2.0, Apache 2)
keccakf1600 2.0.0       -> Undefined
libsecp256k1 0.1.4      -> MIT
merkle_patricia_tree 0.2.6-> MIT
merkle_tree 1.3.0       -> MIT
metrics 1.0.1           -> Undefined
mime 1.3.0              -> Apache 2
mimerl 1.0.2            -> Undefined
parse_trans 3.2.0       -> Undefined
phoenix 1.3.2           -> MIT
phoenix_ecto 3.3.0      -> Apache 2.0
phoenix_pubsub 1.0.2    -> MIT
plasma_mvp_contracts    -> Undefined
plug 1.5.0              -> Apache 2
poison 3.1.0            -> CC0-1.0
poolboy 1.5.1           -> Undefined
postgrex 0.13.5         -> Apache 2.0
ranch 1.3.2             -> Undefined
sbroker                 -> Apache 2
socket 0.3.13           -> WTFPL
sqlite_ecto2            -> MIT
sqlitex                 -> MIT
ssl_verify_fun 1.1.1    -> Undefined
unicode_util_compat 0.3.1-> Undefined

Error when running it as an archive task

Installed it using archive.install

➜  hello_web git:(master) mix archive.install hex licensir 0.5.0
Resolving Hex dependencies...
Dependency resolution completed:
New:
  licensir 0.5.0
  table_rex 2.0.0
* Getting licensir (Hex package)
* Getting table_rex (Hex package)
Resolving Hex dependencies...
Dependency resolution completed:
Unchanged:
  table_rex 2.0.0
All dependencies are up to date
==> table_rex
Compiling 7 files (.ex)
warning: Map.size/1 is deprecated. Use Kernel.map_size/1 instead
  lib/table_rex/renderer/text.ex:344

Generated table_rex app
==> licensir
Compiling 7 files (.ex)
Generated licensir app
Generated archive "licensir-0.5.0.ez" with MIX_ENV=prod
Are you sure you want to install "licensir-0.5.0.ez"? [Yn] 
* creating /Users/johanna/.asdf/installs/elixir/1.9.1-otp-22/.mix/archives/licensir-0.5.0

then ran mix licenses

➜  hello_web git:(master) mix licenses


Notice: This is not a legal advice. Use the information below at your own risk.
** (UndefinedFunctionError) function TableRex.quick_render!/2 is undefined (module TableRex is not available)
    TableRex.quick_render!([["cowboy", "2.6.3", "ISC"], ["cowlib", "2.7.3", "ISC"], ["file_system", "0.2.7", "WTFPL"], ["gettext", "0.16.1", "Apache 2.0"], ["hex_core", "0.6.1", "Unsure (found: Apache-2.0, Apache 2.0)"], ["jason", "1.1.2", "Apache 2.0"], ["mime", "1.3.1", "Apache 2.0"], ["phoenix", "1.4.9", "Unsure (found: MIT, Unrecognized license file content)"], ["phoenix_html", "2.13.2", "Unsure (found: MIT, Unrecognized license file content)"], ["phoenix_live_reload", "1.2.1", "MIT"], ["phoenix_live_view", "0.1.1", "Unsure (found: MIT, Unrecognized license file content)"], ["phoenix_pubsub", "1.1.2", "Unsure (found: MIT, Unrecognized license file content)"], ["plug", "1.8.3", "Apache 2.0"], ["plug_cowboy", "2.1.0", "Apache 2.0"], ["plug_crypto", "1.0.0", "Apache 2.0"], ["ranch", "1.7.1", "ISC"], ["telemetry", "0.4.0", "Apache 2.0"]], ["Package", "Version", "License"])
    lib/mix/tasks/licenses.ex:23: Mix.Tasks.Licenses.run/1
    (mix) lib/mix/task.ex:331: Mix.Task.run_task/3
    (mix) lib/mix/cli.ex:79: Mix.CLI.run_task/2

Check for allowed licenses

It would be nice to have a file like .licenses.exs that would contain a list of allowed licenses and a list of packages that are explicitly allowed. If there is an incompatible license and that package is outside the allowed scope, the task should exit with an exit code different from 0.

Such a change would allow integrating this tool into CI pipelines and would provide a quick review of dependency licensing.
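
The gate requested in this issue can be approximated outside the tool by checking the mix licenses --csv output against an allowlist in CI. The following is an added example, not code from licensir or from the issue's author; the policy sets, the script name license_gate.py and the sample rows are constructed for illustration.

```python
import csv
import re
import sys

# Hypothetical policy (assumption, not a licensir feature): licenses accepted
# without review, and packages a reviewer has explicitly signed off on.
ALLOWED_LICENSES = {"MIT", "Apache 2.0", "BSD", "ISC"}
ALLOWED_PACKAGES = {"makeup"}

# licensir reports conflicting sources as: Unsure (found: A, B)
UNSURE = re.compile(r"^Unsure \(found: (.+)\)$")
HEADER = "Package,Version,License"

# Constructed sample in the `mix licenses --csv` format; the socket row is
# made up for the demo, the other rows mirror the README output.
SAMPLE_CSV = """\
Package,Version,License
certifi,,BSD
earmark,1.3.2,Apache 2.0
excoveralls,,"Unsure (found: MIT, Unrecognized license file content)"
idna,,"Unsure (found: BSD, MIT)"
makeup,0.8.0,"Unsure (found: BSD, Unrecognized license file content)"
socket,0.3.13,WTFPL
"""


def candidates(license_field):
    """Return every license name the scanner reported for one package."""
    field = (license_field or "").strip()
    match = UNSURE.match(field)
    if match:
        return [name.strip() for name in match.group(1).split(",")]
    return [field or "<none reported>"]


def find_violations(csv_text, allowed_licenses=ALLOWED_LICENSES,
                    allowed_packages=ALLOWED_PACKAGES):
    """Return (package, version, rejected names) for rows failing the policy."""
    # Start at the header so any banner line printed before it is ignored.
    lines = [line.strip() for line in csv_text.splitlines()]
    rows = csv.DictReader(lines[lines.index(HEADER):])
    violations = []
    for row in rows:
        if row["Package"] in allowed_packages:
            continue  # explicit, reviewed exception
        # Fail closed: every name the scanner found must be allowlisted.
        rejected = [n for n in candidates(row["License"]) if n not in allowed_licenses]
        if rejected:
            violations.append((row["Package"], row["Version"], rejected))
    return violations


def main(argv):
    # Usage in CI: mix licenses --csv | python license_gate.py -
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_CSV
    violations = find_violations(text)
    for package, version, rejected in violations:
        print(f"{package} {version or '?'}: not allowed: {', '.join(rejected)}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

An "Unsure" row passes only when every license name the scanner found is on the allowlist, so idna passes here while excoveralls does not; a missing header raises an error rather than passing silently.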

--csv flag

Would be super awesome if there was a flag for exporting to CSV format.

Thanks for the tool!

Publish to hex

Hey,
can you publish it to hex?
The readme states one can use it from hex :)

cheers

Error when empty hex and nil file

When hex is [] and file is nil I get an error running the guesser:

** (ArgumentError) argument error
    :erlang.byte_size(nil)
    Licensir.Guesser.guess/2
    lib/licensir/guesser.ex:18: Licensir.Guesser.guess/1
    (elixir 1.12.1) lib/enum.ex:1553: Enum."-map/2-lists^map/1-0-"/2
    (elixir 1.12.1) lib/enum.ex:1553: Enum."-map/2-lists^map/1-0-"/2
    lib/mix/tasks/licenses.ex:22: Mix.Tasks.Licenses.run/1
    (mix 1.12.1) lib/mix/task.ex:394: anonymous fn/3 in Mix.Task.run_task/3
    (mix 1.12.1) lib/mix/cli.ex:84: Mix.CLI.run_task/2

I think it's happening when I have a path dependency, but I can't remember and can't be bothered to check, now that I've got a fix.

Support guessing from README

As far as I can see, there is no implementation or work-in-progress for guessing information based on licenses pasted into README or README.md, is this correct?

Especially in Elixir, I've seen a lot of projects do this and I think it should be supported. Would be ready to write a PR for that functionality, if desired.

tests which use scanner programmatically cannot run async

I have a test in my project which uses the scanner programmatically to ensure the project is only using allowed licenses. When attempting to use the async: true option with ExUnit.Case on this test, compilation fails on a random test file in the project with the error:

== Compilation error in file test/some_random_test.exs ==
** (MatchError) no match of right hand side value: {:error, :enoent}
    (elixir 1.11.3) lib/kernel/parallel_compiler.ex:416: Kernel.ParallelCompiler.require_file/2
    (elixir 1.11.3) lib/kernel/parallel_compiler.ex:316: anonymous fn/4 in Kernel.ParallelCompiler.spawn_workers/7

After doing some research this appears to be due to some function changing directory. I suspect Mix.Dep.loaded or Mix.Dep.load_on_environment but I have not confirmed. Here are the relevant issues which describe what I believe to be the underlying problem:

elixir-lang/elixir#7699
getsentry/sentry-elixir#232
https://elixirforum.com/t/parallel-compiler-cannot-find-files-sometimes/12363/3

The short-term fix for my particular case is to set async: false on my test. That said, it would be nice to be able to run this test module in parallel with others.

License discovery issues

There are license discovery issues with licensir. The issue is basically the same as pivotal/LicenseFinder#465, except inverted. Some of the licenses appear to be found by LicenseFinder that are not found by licensir.

Note that the licensir output is truncated because LicenseFinder does not include (in its action items command) anything that has been whitelisted or otherwise ignored. There are a number of Elixir dependencies that LicenseFinder correctly finds as MIT, Apache 2.0, or ISC and does not output in the results. Licensir shows more unknown types than are shown in the output in pivotal/LicenseFinder#465.
