GithubHelp home page GithubHelp logo

mdczaplicki / python-license-check Goto Github PK

View Code? Open in Web Editor NEW

This project forked from dhatim/python-license-check

0.0 0.0 0.0 194 KB

Check python packages from requirement.txt and report issues

License: Apache License 2.0

Python 100.00%

python-license-check's Introduction

image

image

image

Python License Checker

Check python packages listed in a requirements.txt file and report license issues.

About

You can define a list of authorized licenses, unauthorized licenses and authorized packages.

The tool will check the requirements.txt file, check packages and their dependencies and return an error if some packages are not compliant against the given strategy.

The tool has 3 levels of checks to select from:

Standard (default):

A package is considered as compliant when at least one of its licenses is in the authorized license list, or if the package is in the list of authorized packages.

Cautious:

Same as Standard, but a package is not considered compliant when one or more of its licenses is in the unauthorized license list, even if it also has a license in the authorized license list. A package is still compliant if present in the authorized packages list.

Paranoid:

All licenses listed for a package must be in the authorised license list for the package to be considered compliant. A package is still compliant if present in the authorized packages list.

Assumption

The tool requires to be installed in the same python (virtual) environment as the packages. This, because it uses pkg_resources to access the packages resources and thus, their licenses information.

How to install

$ pip install liccheck

How to use

liccheck will read the requirements.txt and verify compliance of packages against a strategy defined in the ini file. If the requirements file is not specified on the command line, it will search for requirements.txt in the current folder. You have to setup an ini file with an authorized license list, unauthorized license list and authorized package list. The packages from your requirements.txt need to all be installed in the same python environment/virtualenv as liccheck. If the ini file is not specified on the command line, it will search for liccheck.ini in the current folder.

Here is an example of a liccheck.ini file: :

# Authorized and unauthorized licenses in LOWER CASE
[Licenses]
authorized_licenses:
    bsd
    new bsd
    bsd license
    new bsd license
    simplified bsd
    apache
    apache 2.0
    apache software license
    gnu lgpl
    lgpl with exceptions or zpl
    isc license
    isc license (iscl)
    mit
    mit license
    python software foundation license
    zpl 2.1

unauthorized_licenses:
    gpl v3

[Authorized Packages]
# Python software license (see http://zesty.ca/python/uuid.README.txt)
uuid: 1.30

Note: versions of authorized packages can be defined using PEP-0440 version specifiers, such as >=1.3,<1.4. The implementation uses the nice package semantic_version.

For demo purpose, let's say your requirements.txt file contains this: :

Flask>=0.12.1
flask_restful
jsonify
psycopg2>=2.7.1
nose
scipy
scikit-learn
pandas
numpy
argparse
uuid
sqlbuilder
proboscis
pyyaml>=3.12

The execution will output this: :

$ liccheck -s my_strategy.ini -r my_project/required.txt
gathering licenses...23 packages and dependencies.
check forbidden packages based on licenses...none
check authorized packages based on licenses...19 packages.
check authorized packages...4 packages.
check unknown licenses...none

If some dependencies are unknown or are not matching the strategy, the output will be something like: :

$ liccheck -s my_strategy.ini -r my_project/requirements.txt
gathering licenses...32 packages and dependencies.
check forbidden packages based on licenses...1 forbidden packages :
    Unidecode (0.4.21) : GPL ['GNU General Public License v2 or later (GPLv2+)']
      dependency:
          Unidecode << python-slugify << yoyo-migrations

check authorized packages based on licenses...24 packages.
check authorized packages...6 packages.
check unknown licenses...1 unknown packages :
    feedparser (5.2.1) : UNKNOWN []
      dependency:
          feedparser

Also supports pyproject.toml like: :

[project]
dependencies = [
    "Flask>=0.12.1",
    "flask_restful",
    "jsonify",
    "psycopg2>=2.7.1",
    "nose",
    "scipy",
    "scikit-learn",
    "pandas",
    "numpy",
    "argparse",
    "uuid",
    "sqlbuilder",
    "proboscis",
    "pyyaml>=3.12",
]

[project.optional-dependencies]
test = [
    "pytest>=3.6.3",
]

[tool.liccheck]
authorized_licenses = [
    "bsd",
    "new bsd",
    "bsd license",
    "new bsd license",
    "simplified bsd",
    "apache",
    "apache 2.0",
    "apache software license",
    "gnu lgpl",
    "lgpl with exceptions or zpl",
    "isc license",
    "isc license (iscl)",
    "mit",
    "mit license",
    "python software foundation license",
    "zpl 2.1",
]
unauthorized_licenses = [
    "gpl v3",
]
# strategy_ini_file = "./liccheck.ini"
# level = "STANDARD"
# requirement_txt_file = "./requirements.txt" # ignored if dependencies or optional_dependencies are defined
# reporting_txt_file = "path/to/reporting.txt file" # by default is None
# no_deps = false
dependencies = true # to load [project.dependencies]
optional_dependencies = ["test"] # to load extras from [project.optional-dependencies]

[tool.liccheck.authorized_packages]
uuid = "1.30"

By default, exact matching is required between each package's license and one of the license of the authorized or unauthorized list. You can also provide regular expressions to match licenses by using the as_regex boolean flag. For instance, to exclude GPL licenses, one could define the following configuration in pyproject.toml:

...

unauthorized_licenses = [
    '\bgpl'
]
as_regex = true

Using liccheck with pre-commit

Add this to your .pre-commit-config.yaml: :

- repo: https://github.com/dhatim/python-license-check
  rev: master
  hooks:
  - id: liccheck
    language: system

Contributing

To run the tests: :

$ tox -p all

Licensing

python-license-check's People

Contributors

abompard avatar atugushev avatar bagerard avatar camilledp avatar debrando avatar eganjs avatar fredericrous avatar graingert avatar hnykda avatar jarnorfb avatar jonasmpi avatar larsrinn avatar missimer avatar msauvee avatar nwilbert avatar ochedru avatar pypingou avatar rcoup avatar renovate[bot] avatar sdhiscocks avatar shakhat avatar ssbarnea avatar thehale avatar thomzoy avatar whisust avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.