Licensed

Licensed is a Ruby gem to cache and verify the licenses of dependencies.

Installation

Add this line to your application's Gemfile:

gem 'licensed', :group => 'development'

And then execute:

$ bundle

Usage

licensed cache: Cache licenses and metadata in vendor/licenses
licensed verify: Check for issues with the licenses of dependencies. For example:

$ bundle exec licensed verify
Verifying licenses for 3 dependencies

Warnings:

vendor/licenses/rubygem/bundler.txt:
  - license needs reviewed: mit.

vendor/licenses/rubygem/licensee.txt:
  - missing license data

vendor/licenses/bower/jquery.txt:
  - license needs reviewed: mit.
  - cached license data out of date

3 dependencies checked, 3 warnings found.

Configuration

Configuration is managed by vendor/licenses/config.yml.

# Dependencies with these licenses are approved by default.
whitelist:
  - mit
  - apache-2.0
  - bsd-2-clause
  - bsd-3-clause
  - cc0-1.0

# These dependencies are explicitly ignored.
ignored:
  rubygem:
    - some-internal-gem

  bower:
    - some-internal-package

# These dependencies have been reviewed.
reviewed:
  rubygem:
    - bcrypt-ruby

  bower:
  - classlist # public domain
  - octicons

Sources

Dependencies will be automatically detected for

Bundler (rubygem)
NPM
Bower
HaskellStack
Cabal
Go
Manifest lists

You can disable any of them in vendor/licenses/config.yml:

sources:
  rubygem: false
  npm: false
  bower: false
  stack: false

Special Considerations for Sources

rubygem

The rubygem source will explicitly exclude gems in the :development and :test groups. Be aware that if you have a local bundler configuration (e.g. .bundle), that configuration will be respected as well. For example, if you have a local configuration set for without: [':server'], the rubygem source will exclude all gems in the :server group.

cabal

Cabal sourced dependencies are found exclusively through ghc-pkg. licensed makes no assumptions on where ghc package dbs are found. As a result, it is up to the caller to set GHC_PACKAGE_PATHS to all package db directories prior to calling into licensed.

manifests

Manifests are intended to be a stopgap if no package managers are available. The manifest is a JSON file that should be placed in the same directory as config.yml and should have the following format

{
  "file1": "package1",
  "path/to/file2": "package1",
  "other/file3": "package2"
}

Paths to files are expected to be relative to the git repository root. Package names will match 1:1 with metadata files at <licenses directory>/manifest/*.txt.

It is the responsibility of the repository owner to maintain the manifest file.

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Adding sources

When adding new dependency sources, ensure that bin/setup scripting and tests are only run if the required tooling is available on the development machine.

See bin/setup for examples of gating scripting based on whether tooling executables are found.
Use tool_available? when writing test files to gate running a test suite when tooling executables aren't available. ruby if tool_available?('bundle') describe Licensed::Source::Bundler do ... end end

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/github/licensed. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.