Licensed
Licensed is a Ruby gem to cache and verify the licenses of dependencies.
Installation
Add this line to your application's Gemfile:
gem 'licensed', :group => 'development'
And then execute:
$ bundle
Usage
licensed cache
: Cache licenses and metadata invendor/licenses
licensed verify
: Check for issues with the licenses of dependencies. For example:
$ bundle exec licensed verify
Verifying licenses for 3 dependencies
Warnings:
vendor/licenses/rubygem/bundler.txt:
- license needs reviewed: mit.
vendor/licenses/rubygem/licensee.txt:
- missing license data
vendor/licenses/bower/jquery.txt:
- license needs reviewed: mit.
- cached license data out of date
3 dependencies checked, 3 warnings found.
Configuration
Configuration is managed by vendor/licenses/config.yml
.
# Dependencies with these licenses are approved by default.
whitelist:
- mit
- apache-2.0
- bsd-2-clause
- bsd-3-clause
- cc0-1.0
# These dependencies are explicitly ignored.
ignored:
rubygem:
- some-internal-gem
bower:
- some-internal-package
# These dependencies have been reviewed.
reviewed:
rubygem:
- bcrypt-ruby
bower:
- classlist # public domain
- octicons
Sources
Dependencies will be automatically detected for
- Bundler (rubygem)
- NPM
- Bower
- HaskellStack
- Cabal
- Go
- Manifest lists
You can disable any of them in vendor/licenses/config.yml
:
sources:
rubygem: false
npm: false
bower: false
stack: false
Special Considerations for Sources
rubygem
The rubygem source will explicitly exclude gems in the :development
and :test
groups. Be aware that if you have a local
bundler configuration (e.g. .bundle
), that configuration will be respected as well. For example, if you have a local
configuration set for without: [':server']
, the rubygem source will exclude all gems in the :server
group.
cabal
Cabal sourced dependencies are found exclusively through ghc-pkg
. licensed
makes no assumptions on where ghc
package dbs are found.
As a result, it is up to the caller to set GHC_PACKAGE_PATHS
to all package db directories prior to calling into licensed
.
manifests
Manifests are intended to be a stopgap if no package managers are available. The manifest is a JSON file that should be placed in
the same directory as config.yml
and should have the following format
{
"file1": "package1",
"path/to/file2": "package1",
"other/file3": "package2"
}
Paths to files are expected to be relative to the git repository root. Package names will match 1:1 with metadata files at <licenses directory>/manifest/*.txt
.
It is the responsibility of the repository owner to maintain the manifest file.
Development
After checking out the repo, run bin/setup
to install dependencies. Then, run rake test
to run the tests. You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
. To release a new version, update the version number in version.rb
, and then run bundle exec rake release
, which will create a git tag for the version, push git commits and tags, and push the .gem
file to rubygems.org.
Adding sources
When adding new dependency sources, ensure that bin/setup
scripting and tests are only run if the required tooling is available on the development machine.
- See
bin/setup
for examples of gating scripting based on whether tooling executables are found. - Use
tool_available?
when writing test files to gate running a test suite when tooling executables aren't available.ruby if tool_available?('bundle') describe Licensed::Source::Bundler do ... end end
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/github/licensed. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
License
The gem is available as open source under the terms of the MIT License.