Licensebat - 🔐⛵ Effortless dependency compliance with your license policies

Overview

Licensebat

All docs here are temporary.

Thoughts

For the moment, it seems to make sense to have all the collectors share the same trait. That does not seem to scale for retrievers.

Conventions

If you want to support a new language you must create a new crate named licensebat-<language>. It will be published to crates.io.

Normally, you should create a README.md file in the licensebat-<language> crate.

Generally speaking, these projects will contain, at least, a Collector, which parses the dependency file (Cargo.toml or package.json) and retrieves information about the dependencies, most of the time by using a Retriever. Note that a Collector does not necessarily need a Retriever, or even need to parse the dependency file: there will be times when a better strategy is available (e.g. using cargo metadata instead of parsing Cargo.lock and querying the crates.io API).

Comments
  • `licensebat-js` does not support lockfile-version 3

    Trying out Licensebat on a repository of mine, I ran into a problem (got the output No collector found for dependency file). From my investigation this is due to the fact that my project uses lockfile version 3. In contrast to versions 1 and 2, version 3 does not have a "dependencies" field. Instead, it has "packages" (also present in version 2, not in version 1).

    enhancement Feature 
    opened by ericcornelissen 5
  • False reported

    Falsely reported "No .licrc file found in the root of your repo" even when following the documentation.

    opened by rk0cc 5
  • Support for Rust

    Using [cargo-deny] as inspiration (not sure we can fully reuse it here), add support for Rust. They seem to use cargo-metadata.

    See https://github.com/EmbarkStudios/cargo-deny/blob/d0ea0a2e7d7376ee212faec756cb12ab05f55c4d/docs/src/checks/licenses/README.md

    Expression Source Precedence

    The source of the SPDX expression used to evaluate the crate is obtained in the following order.

    1. If the crate in question has a Clarification applied to it, and the source file(s) in the crate's source still match, the expression from the clarification will be used.
    2. The license field from the crate's Cargo.toml manifest will be used if it exists.
    3. The license-file field, as well as all other LICENSE(-*)? files will be parsed to determine the SPDX license identifier, and then all of those identifiers will be joined with the AND operator, meaning that you must accept all of the licenses detected.

    Evaluation Precedence

    Currently, the precedence for determining whether a particular license is accepted or rejected is as follows:

    1. A license specified in the deny list is always rejected.
    2. A license specified in the allow list is always accepted.
    3. If the license is considered copyleft, the [licenses.copyleft] configuration determines its status.
    4. If the license is OSI Approved or FSF Free/Libre, the [licenses.allow-osi-fsf-free] configuration determines its status; if it is neither, the check continues.
    5. If the license does not match any of the above criteria, the [licenses.default] configuration determines its status.

    License files

    Example of crate with license file: https://github.com/briansmith/ring/blob/main/LICENSE

    opened by robertohuertasm 3
  • Distinguish between dev and non-dev dependencies

    Hi,

    thanks for a great tool, it's been really helpful to us in our documentation process about usage of OSS libraries.

    One thing that we are missing is a clearer distinction between:

    • "non-dev" dependencies: which end up as part of our final build product
    • "dev" dependencies: which only exist for tooling and during the development process

    While the rules for license usage are usually strict for "non-dev" dependencies (you don't want to build something that relies on viral licenses, which would force you to publish your product under the same license), they can sometimes be relaxed for "dev" dependencies.

    Some of the places where it would be useful to reflect this:

    • listing of found dependencies: why is it listed? "direct dev dependency" vs "direct prod dependency" ... (vs transitive dependency only for dev / transitive dependency only for prod / transitive dependency for both)
    • configuration: ignore dev dependencies from the list / have different rules for valid licenses for dev vs "non-dev"

    I hope I'm explaining myself 😅

    enhancement dependencies Feature 
    opened by tsimbalar 2
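The two issues above (the lockfile-version 3 report and the dev/non-dev distinction) both come down to how package-lock.json is laid out. As an added example that is not part of Licensebat or either issue, this Python collector reads all three lockfile versions: the flat `packages` map for v2/v3 (where the per-package `dev` flag and `license` field live) and the nested `dependencies` tree for v1. The two lockfiles embedded in it are constructed samples.

```python
import json
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Dep:
    name: str
    version: str
    dev: bool               # True when the package exists only for development
    license: Optional[str]  # only "packages" entries (lockfile v2/v3) carry a license field

def collect(lock_text):
    """Extract installed packages from a package-lock.json of lockfile version 1, 2 or 3."""
    lock = json.loads(lock_text)
    version = lock.get("lockfileVersion", 1)
    deps = set()
    if version >= 2 and "packages" in lock:
        # v2 and v3: a flat map keyed by install path; "" is the root project itself.
        for path, entry in lock["packages"].items():
            if path == "" or entry.get("link"):  # skip the root and workspace symlinks
                continue
            name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/name" intact
            deps.add(Dep(name, entry["version"], bool(entry.get("dev")), entry.get("license")))
    elif "dependencies" in lock:
        # v1 (and the legacy section of v2): a nested tree of per-package subtrees.
        def walk(tree):
            for name, entry in tree.items():
                deps.add(Dep(name, entry["version"], bool(entry.get("dev")), None))
                walk(entry.get("dependencies", {}))
        walk(lock["dependencies"])
    else:
        raise ValueError("lockfileVersion %s has neither 'packages' nor 'dependencies'" % version)
    return sorted(deps, key=lambda d: (d.name, d.version))

def production_only(deps):
    """Dependencies that ship in the build product, i.e. not flagged as dev-only."""
    return [d for d in deps if not d.dev]

# Constructed sample lockfiles, not taken from any real project.
LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "left-pad": {"version": "1.3.0"},
    "jest": {"version": "29.0.0", "dev": True,
             "dependencies": {"chalk": {"version": "4.1.2", "dev": True}}}}})
LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0", "license": "WTFPL"},
    "node_modules/jest": {"version": "29.0.0", "dev": True, "license": "MIT"},
    "node_modules/jest/node_modules/chalk": {"version": "4.1.2", "dev": True, "license": "MIT"},
    "node_modules/@types/node": {"version": "18.0.0", "dev": True, "license": "MIT"}}})
```

With a v1 lockfile `license` is always None, so a policy check still has to go to the registry for that information; with v2/v3 it can often be read straight from the lockfile.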
  • README not correct

    I don't want to sound like a zealot, but this sentence:

    Let's say, for instance, that you are building a commercial application. In that case, you may consider avoiding the use of some software with a restrictive license like GPL.

    is not correct. One wants to avoid GPL because one wants to write proprietary software, not commercial software. GPL software can perfectly be commercial. I understand that "commercial" may be easier to understand for many but, to GPL advocates, the issue is not the commercial nature of software but the fact it is proprietary... So replacing "commercial" by "proprietary" in the sentence would be correct.

    opened by wiz21b 1
  • chore(deps): bump thread_local from 1.1.3 to 1.1.4

    Bumps thread_local from 1.1.3 to 1.1.4.

    dependencies rust 
    opened by dependabot[bot] 1
  • chore(deps): bump crossbeam-utils from 0.8.5 to 0.8.8

    Bumps crossbeam-utils from 0.8.5 to 0.8.8.

    Release notes

    Sourced from crossbeam-utils's releases.

    crossbeam-utils 0.8.8

    • Fix a bug when unstable loom support is enabled. (#787)

    crossbeam-utils 0.8.7

    • Add AtomicCell<{i*,u*}>::{fetch_max,fetch_min}. (#785)
    • Add AtomicCell<{i*,u*,bool}>::fetch_nand. (#785)
    • Fix unsoundness of AtomicCell<{i,u}64> arithmetics on 32-bit targets that support Atomic{I,U}64 (#781)

    crossbeam-utils 0.8.6

    • Re-add AtomicCell<{i,u}64>::{fetch_add,fetch_sub,fetch_and,fetch_or,fetch_xor} that were accidentally removed in 0.8.0 0.7.1 on targets that do not support Atomic{I,U}64. (#767)
    • Re-add AtomicCell<{i,u}128>::{fetch_add,fetch_sub,fetch_and,fetch_or,fetch_xor} that were accidentally removed in 0.8.0 0.7.1. (#767)

    dependencies rust 
    opened by dependabot[bot] 0
  • fix(no-license): removed no-license support

    This was not working as expected and I think it's better to not confuse the user. If we have no information about a license, the user should manually check it and ignore the dependency if he feels ok with that.

    opened by robertohuertasm 0
  • Remove reqwest dependency from the collectors

    Instead of passing the client to the collector just to create an instance of a retriever, we must inject the retriever itself as a trait object.

    By doing this, we can use one collector with several retrievers. For instance, for Rust, we may want to use the crates.io retriever or the metadata retriever, which uses cargo metadata and is better for CLI executions, where we have access to the whole source code.

    opened by robertohuertasm 0
  • Write abstraction around askalono Store

    The idea here is that we're able to easily mock the Store behaviour so we can test it properly without having to create one. For the moment, it's not really that critical as we can create askalono::Store quite easily.

    enhancement 
    opened by robertohuertasm 0
  • Mock http client requests to avoid running integration tests so often

    Use httpmock to mock the calls to different APIs. This implies changing the way we're using the different API URLs. As they're absolute, we should be able to find a mechanism to change the base URL:

    • Injection
    • Env var

    opened by robertohuertasm 0
  • Use spdx parser

    https://github.com/EmbarkStudios/spdx
    https://choosealicense.com/appendix/
    https://crates.io/crates/cargo_metadata
    https://github.com/cds-astro/get-license-helper

    This would help with AND and OR licenses.

    opened by robertohuertasm 0
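The cargo-deny precedence quoted in the "Support for Rust" issue and the AND/OR problem raised in this issue fit together: each identifier in an SPDX expression goes through the five rules, and AND/OR then combine the per-identifier results. The following Python is an added example, not Licensebat's or cargo-deny's code: `Policy` is a simplified stand-in for cargo-deny's `[licenses]` configuration with allow/deny booleans, the COPYLEFT and OSI_FSF_FREE tables are constructed placeholders for the SPDX license-list metadata a real implementation would consult, and `WITH` exceptions are rejected rather than parsed.

```python
import re
from dataclasses import dataclass
# Constructed classification tables standing in for SPDX license-list metadata.
COPYLEFT = frozenset({"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only"})
OSI_FSF_FREE = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"})

@dataclass(frozen=True)
class Policy:
    deny: frozenset                  # rule 1: always rejected
    allow: frozenset                 # rule 2: always accepted
    allow_copyleft: bool = False     # rule 3: status given to copyleft licenses
    allow_osi_fsf_free: bool = True  # rule 4: status for OSI-approved / FSF-free licenses
    allow_default: bool = False      # rule 5: anything the rules above did not match

def accepted(lic, policy):
    """Apply the five rules to one SPDX identifier; the first matching rule wins."""
    if lic in policy.deny or lic in policy.allow:
        return lic not in policy.deny  # rule 1 beats rule 2
    if lic in COPYLEFT:
        return policy.allow_copyleft
    return policy.allow_osi_fsf_free if lic in OSI_FSF_FREE else policy.allow_default

def parse(expr):
    """Recursive descent: AND binds tighter than OR, parentheses group, WITH is unsupported."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr)
    def primary():  # a single license id or a parenthesised sub-expression
        tok = tokens.pop(0) if tokens else None
        if tok == "(":
            node = binary("OR", and_expr)
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError("unexpected token %r in %r" % (tok, expr))
        return tok
    def binary(op, operand):  # left-associative chain of one operator
        node = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            node = (op, node, operand())
        return node
    and_expr = lambda: binary("AND", primary)
    tree = binary("OR", and_expr)
    if tokens:  # e.g. a stray ")" or a WITH clause this parser does not model
        raise ValueError("trailing token %r in %r" % (tokens[0], expr))
    return tree

def check(expr, policy):  # AND needs every operand accepted, OR needs one
    def walk(node):
        if isinstance(node, str):
            return accepted(node, policy)
        op, left, right = node
        return (all if op == "AND" else any)(walk(side) for side in (left, right))
    return walk(parse(expr))
```

Because AND binds tighter, `check("GPL-3.0-only AND MIT OR Apache-2.0", policy)` is read as `(GPL-3.0-only AND MIT) OR Apache-2.0`, so the Apache-2.0 branch makes the crate acceptable even though the copyleft branch is rejected.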
Releases(v0.16.0)