Internal audit tool to check our repositories for compliance of open source licensing with company policy.
This Ruby script runs through a list of repositories to audit and runs the LicenseFinder tool against them. With appropriate permitted licenses and pre-approved packages checked-in and maintained in this repository, this audit should succeed with no unexpected licenses.
Checkout the code and run:
bundle install
Check the content of config/license_audit.yml
for the repositories to clone, checkout, build and audit.
Run the tool on all repositories in the file:
bundle exec license_audit
Or all the repositories in a build environment:
bundle exec license_audit audit --env=js
Or just an individual one:
bundle exec license_audit audit --app=bugsnag-js
Each repo will be cloned into the apps
directory and LicenseFinder is run from this location.
Build output from stdout
/stderr
is stored in build
and audit report files are in report
.
For full options usage see:
bundle exec license_audit audit --help
The audit can be run with docker-compose
which creates an image for each build environment and allows them to be executed individually:
docker-compose build
docker-compose run ruby
docker-compose run java
docker-compose run js
docker-compose run php
docker-compose run python
docker-compose down -v
The docker-compose.yml
file parameterises the base image and APK's required. It also volumes the apps
, build
and reports
directories so they are shared by each run and produce a single report. Most builds use a single Dockerfile
in the dockerfiles
directory, but more complex environments (e.g. Android) can use a custom Dockerfile
by putting the path into the docker-compoose.yml
.
You can pass in options to the tool using environment variables:
docker-compose run -e app=bugsnag-python -e wait=after python
The above command runs just bugsnag-python
and waits without terminating afterwards. This allows you to SSH to the running container to diagnosing issues:
docker exec -it license-audit_python_run_e341c453727e /bin/sh
(The container name can be obtained using docker ps
.)
See the LicenseFinder documentation for instructions on adding packages approvals or permitted licenses.
These decisions are stored (by default) in doc/dependency_decisions.yml
in the repo. This script makes a temporary file in the cloned repository in /apps
that is concatenated from a company-wide file at /config/decision_files/global.yml
and a repository-specific file at /config/decision_files/<repo_name>.yml
. This means the decisions are maintained in one place and is kept private from the public repositories.