This repository has been archived by the owner on Aug 1, 2021. It is now read-only.

Add support for .licensir.exs file #18

Closed
wants to merge 1 commit into from

Conversation

dbernheisel

The .licensir.exs file will allow you to specify licenses that are allowed and denied, as well as dependencies that are allowed regardless of their license. If a denied license is found, the mix task will return with an exit status of 1, otherwise it will exit normally with a status of 0.

We're totally open to feedback; we did the minimum to make it work and wanted to get feedback before going much further.

Currently, the way it works for end-users would be for them to include a .licensir.exs file at the root of their project:

# /.licensir.exs
%{
  allowlist: ["MIT"],
  denylist: ["Apache 2.0"],
  allow_deps: [:poison]
}

This updates the CSV and stdout output to include a new status column that indicates whether the license is allowed, not allowed, or unknown. For example:

Notice: This is not a legal advice. Use the information below at your own risk.
+---------------------+---------+--------------------------------------------------------+---------+
| Package             | Version | License                                                | Status  |
+---------------------+---------+--------------------------------------------------------+---------+
| apex                | 1.2.0   | The MIT License                                        | Allowed |
| certifi             | 2.5.1   | BSD                                                    | Unknown |
| earmark             | 1.2.5   | Apache 2.0                                             | Unknown |
| ex_aws              | 2.1.1   | MIT                                                    | Allowed |
| ex_aws_s3           | 2.0.2   | MIT                                                    | Allowed |
| ex_doc              | 0.18.3  | Apache 2.0                                             | Unknown |
| ex_syslogger        | 1.4.0   | MIT                                                    | Allowed |
| hackney             | 1.15.2  | Apache 2.0                                             | Unknown |
| honeybadger         | 0.10.2  | MIT                                                    | Allowed |
| idna                | 6.0.0   | Unsure (found: BSD, MIT)                               | Unknown |
| jason               | 1.1.0   | Apache 2.0                                             | Unknown |
| junit_formatter     | 3.1.0   | Apache 2.0                                             | Unknown |
| logger_json         | 4.0.0   | Unsure (found: MIT, LISENSE.md, MIT)                   | Unknown |
| metrics             | 1.0.1   | BSD                                                    | Unknown |
| mime                | 1.3.1   | Apache 2.0                                             | Unknown |
| mimerl              | 1.2.0   | MIT                                                    | Allowed |
| parse_trans         | 3.3.0   | Apache 2.0                                             | Unknown |
| plug                | 1.10.0  | Apache 2.0                                             | Unknown |
| plug_crypto         | 1.1.2   | Apache 2.0                                             | Unknown |
| plug_logger_json    | 0.6.0   | Apache 2.0                                             | Unknown |
| poison              | 3.1.0   | CC0-1.0                                                | Allowed |
| redix               | 0.10.2  | MIT                                                    | Allowed |
| ssl_verify_fun      | 1.1.5   | MIT                                                    | Allowed |
| sweet_xml           | 0.6.6   | Unsure (found: MIT, Unrecognized license file content) | Unknown |
| syslog              | 1.0.6   | Unsure (found: BSD, Unrecognized license file content) | Unknown |
| telemetry           | 0.4.1   | Apache 2.0                                             | Unknown |
| unicode_util_compat | 0.4.1   | Unsure (found: Apache 2.0, BSD)                        | Unknown |
+---------------------+---------+--------------------------------------------------------+---------+

I tested this on a normal mix project, and it worked as expected.
For an umbrella app, it would require the .licensir.exs file for each application included in the umbrella.

Resolves #6

This file will allow you to specify licenses that are allowed and denied
as well as dependencies that will be allowed regardless of their
license.
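As an added illustration (not code from this PR or from licensir itself), a hypothetical `LicenseGate` module that evaluates dependencies against a `.licensir.exs`-style map using the precedence assumed here (`allow_deps` first, then `denylist`, then `allowlist`) and derives the task's exit code, including a `strict?` option for the unknown-license case raised later in the thread:

```elixir
# Hypothetical module, not part of licensir: evaluates dependencies against a
# .licensir.exs-style config and derives the mix task's exit status.
defmodule LicenseGate do
  @config_filename ".licensir.exs"
  @defaults %{allowlist: [], denylist: [], allow_deps: []}

  # Load the map from the project root. Code.eval_file executes the file as
  # Elixir, so it carries the same trust as mix.exs; only the project's own
  # root should ever be passed here.
  def load(root \\ File.cwd!()) do
    path = Path.join(root, @config_filename)

    if File.exists?(path) do
      {config, _bindings} = Code.eval_file(path)
      Map.merge(@defaults, config)
    else
      @defaults
    end
  end

  # Precedence (assumption): explicitly allowed deps win, then the denylist,
  # then the allowlist. Anything matching neither list, including composite
  # guesser results such as "Unsure (found: BSD, MIT)", stays :unknown.
  def status(config, dep, license) when is_atom(dep) do
    cond do
      dep in config.allow_deps -> :allowed
      license in config.denylist -> :not_allowed
      license in config.allowlist -> :allowed
      true -> :unknown
    end
  end

  # Exit code for CI. With strict?: true an unknown license also fails the
  # build, so a newly added dependency without a recognised license gets
  # reviewed instead of passing silently.
  def exit_status(statuses, opts \\ []) do
    failing = if Keyword.get(opts, :strict?, false), do: [:not_allowed, :unknown], else: [:not_allowed]
    if Enum.any?(statuses, &(&1 in failing)), do: 1, else: 0
  end
end

# Constructed sample input; license strings follow the style of the table above.
config = %{allowlist: ["MIT"], denylist: ["Apache 2.0"], allow_deps: [:poison]}
deps = [{:ex_aws, "MIT"}, {:earmark, "Apache 2.0"}, {:poison, "CC0-1.0"}, {:idna, "Unsure (found: BSD, MIT)"}]

statuses = Enum.map(deps, fn {dep, license} -> LicenseGate.status(config, dep, license) end)
IO.inspect(statuses, label: "statuses")
IO.inspect(LicenseGate.exit_status(statuses), label: "exit (default)")
IO.inspect(LicenseGate.exit_status([:allowed, :unknown], strict?: true), label: "exit (strict)")
```

Returning the code from `exit_status/2` and calling `exit({:shutdown, code})` once in the task keeps the decision unit-testable.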
@coveralls

coveralls commented Oct 13, 2020

Pull Request Test Coverage Report for Build 50

  • 17 of 36 (47.22%) changed or added relevant lines in 4 files are covered.
  • 145 unchanged lines in 12 files lost coverage.
  • Overall coverage decreased (-49.5%) to 15.26%

Changes Missing Coverage     Covered Lines   Changed/Added Lines   %
lib/mix/tasks/licenses.ex    1               6                     16.67%
lib/licensir/scanner.ex      2               8                     25.0%
lib/credo/exs_loader.ex      8               16                    50.0%

Files with Coverage Reduction          New Missed Lines   %
lib/csv.ex                             1                  0%
lib/licensir/guesser.ex                1                  88.89%
lib/table_rex/renderer/text/meta.ex    1                  0%
lib/table_rex/cell.ex                  3                  0%
lib/table_rex.ex                       3                  0%
lib/licensir/scanner.ex                6                  59.38%
lib/csv/encoding/encode.ex             7                  0%
lib/mix/tasks/licenses.ex              7                  14.29%
lib/csv/encoding/encoder.ex            9                  0%
lib/licensir/file_analyzer.ex          9                  0%

Totals                  Coverage Status
Change from base Build 47: -49.5%
Covered Lines: 47
Relevant Lines: 308

💛 - Coveralls


@config_filename ".licensir.exs"

defstruct allowlist: [], denylist: [], allow_deps: []
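Review bot: with all three struct fields defaulting to `[]`, a project without a .licensir.exs ends up with nothing allowed and nothing denied, so every dependency reports Unknown and the task still exits 0; state in the README whether the file is required, and consider printing a warning when it is absent so the Status column is not mistaken for a real result.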
Author


change to :allow, :deny?

Parse a project's .licensir.exs file to determine what licenses are acceptable to the user, not acceptable, and projects that are allowed
"""

@config_filename ".licensir.exs"
Author


original issue mentioned .licenses.exs but I used .licensir.exs instead. LMK which you prefer

@@ -21,6 +21,7 @@ defmodule Licensir.License do
license: nil,
certainty: 0.0,
mix: nil,
status: :unknown,
Author


I'm open to a better name here. This is also what would be in the csv and stdout output.

defp exit_status(licenses) do
if Enum.any?(licenses, &(&1.status == :not_allowed)) do
exit({:shutdown, 1})
end
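Review bot: `exit_status/1` only fails on `:not_allowed`, so a dependency whose license could not be determined (`:unknown`, which is also the struct default for `status`) passes the gate and the task exits 0; since this is meant as a CI gate, consider failing on `:unknown` too, or at least offering an option to. Returning the code from this function and calling `exit({:shutdown, 1})` once in the task's `run/1` would also make the decision unit-testable, which addresses the missing test noted below.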
Author


I didn't see a good way to test this since it would also shutdown the test, but running it manually proved it worked.

@@ -0,0 +1,5 @@
%{
allowlist: ["MIT", "Apache 2.0"],
denylist: ["GPLv2", "Licensir Mock License"],
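Review bot: the sample config matches licenses by their display strings ("MIT", "Apache 2.0", "GPLv2"), so entries only take effect when the guesser emits exactly that spelling, and composite results such as "Unsure (found: BSD, MIT)" never match either list; document the canonical names users must write, or normalise both sides before comparing.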
Author


I opted for the human name since that's the output folks would see in their stdout/csv.

@unnawut
Owner

unnawut commented Oct 13, 2020

Thanks! I'm on it now!

@unnawut unnawut self-requested a review October 13, 2020 11:00
@dbernheisel
Author

After using GitHub's licensed library, I think I'd like to modify this to treat unknown licenses as a failure as well. Currently, it only exits with status 1 if there is a 'not_allowed' license, which isn't very practical for workflows because those libraries should not be used if not allowed, but more so if a new library comes in that doesn't have a known license it needs to fail CI and be reviewed.

@hauleth
Contributor

hauleth commented Oct 19, 2020

Any particular reason why you made it an additional file instead of a configuration option in mix.exs?

@dbernheisel
Author

@hauleth Mostly at your suggestion in the original issue; also there is precedent with other libraries like credo and dialyxir. I haven't looked yet, but would licensir have access to MyApp.MixProject if it itself is not a dependency, e.g., if it's installed as a hex archive and run in a project's root?

@hauleth
Contributor

hauleth commented Oct 20, 2020

Mostly at your suggestion in the original issue

Yeah, but now I think that mix.exs would be better, especially as if someone wants, they still can load that configuration from another file.

I haven't looked yet, but would licensir have access to MyApp.MixProject if it itself is not a dependency

I do not know, but I think that nothing should change there, as it is still run within the context of the project.

@rupurt

rupurt commented Jul 29, 2021

@dbernheisel it doesn't look like this was ever merged. Was there any specific reason? This would be a super handy feature!

Successfully merging this pull request may close these issues.

Check for allowed licenses