feature/#75 add support for project license auditing #76
Status: Open. Nicoretti wants to merge 7 commits into main from feature/#75-add-support-for-project-license-auditing (base: main).
Commits (7; the diff below shows the changes from 6 of them):
- 679224d Update lockfile (Nicoretti)
- 2efdc2a Add pip-licenses as dependency (Nicoretti)
- da05dd9 Clearly separate dev from normal dependencies (Nicoretti)
- 41698b8 Add license module (Nicoretti)
- 3462103 Remove unused imports (Nicoretti)
- c694042 Add audit task to nox (Nicoretti)
- 4e7826d Add license check job to ci checks (Nicoretti)
@@ -0,0 +1,85 @@ | ||
from collections import defaultdict | ||
from dataclasses import dataclass | ||
from typing import ( | ||
Dict, | ||
List, | ||
Tuple, | ||
) | ||
|
||
|
||
@dataclass(frozen=True) | ||
class Package: | ||
name: str | ||
license: str | ||
version: str | ||
|
||
|
||
def _packages(package_info): | ||
for p in package_info: | ||
kwargs = {key.lower(): value for key, value in p.items()} | ||
yield Package(**kwargs) | ||
|
||
|
||
def _normalize(license): | ||
def is_mulit_license(l): | ||
return ";" in l | ||
|
||
def select_most_permissive(l): | ||
licenses = [_normalize(l.strip()) for l in l.split(";")] | ||
priority = defaultdict( | ||
lambda: 9999, | ||
{"Unlicense": 0, "BSD": 1, "MIT": 2, "MPLv2": 3, "LGPLv2": 4, "GPLv2": 5}, | ||
) | ||
priority_to_license = defaultdict( | ||
lambda: "Unknown", {v: k for k, v in priority.items()} | ||
) | ||
selected = min(*[priority[lic] for lic in licenses]) | ||
return priority_to_license[selected] | ||
|
||
mapping = { | ||
"BSD License": "BSD", | ||
"MIT License": "MIT", | ||
"The Unlicense (Unlicense)": "Unlicense", | ||
"Mozilla Public License 2.0 (MPL 2.0)": "MPLv2", | ||
"GNU Lesser General Public License v2 (LGPLv2)": "LGPLv2", | ||
"GNU General Public License v2 (GPLv2)": "GPLv2", | ||
} | ||
if is_mulit_license(license): | ||
return select_most_permissive(license) | ||
|
||
if license not in mapping: | ||
return license | ||
|
||
return mapping[license] | ||
|
||
|
||
def audit( | ||
licenses: List[Dict[str, str]], acceptable: List[str], exceptions: Dict[str, str] | ||
) -> Tuple[List[Package], List[Package]]: | ||
""" | ||
Audit package licenses. | ||
|
||
Args: | ||
licenses: a list of dictionaries containing license information for packages. | ||
This information e.g. can be obtained by running `pip-licenses --format=json`. | ||
|
||
example: [{"License": "BSD License", "Name": "Babel", "Version": "2.12.1"}, ...] | ||
|
||
acceptable: A list of licenses which shall be accepted. | ||
example: ["BSD License", "MIT License", ...] | ||
|
||
exceptions: A dictionary containing package names and justifications for packages to ignore/skip. | ||
example: {'packagename': 'justification why this is/can be an exception'} | ||
|
||
Returns: | ||
Two lists containing found violations and ignored packages. | ||
""" | ||
packages = list(_packages(licenses)) | ||
acceptable = [_normalize(a) for a in acceptable] | ||
ignored = [p for p in packages if p.name in exceptions and exceptions[p.name]] | ||
violations = [ | ||
p | ||
for p in packages | ||
if _normalize(p.license) not in acceptable and p not in ignored | ||
] | ||
return violations, ignored |
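Review bot: In `select_most_permissive`, any license that is not one of the six keys of `priority` gets 9999 and is then translated back to "Unknown" by `priority_to_license`, so a multi-license string made of two unmapped licenses (including one that contains "Apache Software License", the only entry in this PR's `audit_licenses`) is reported as "Unknown" and can never match `acceptable`; the fallback should keep the original license text instead of replacing it. Two smaller points in the same function: `selected = min(*[priority[lic] for lic in licenses])` can be `min(priority[lic] for lic in licenses)` (the star unpacking adds nothing and would make `min` fail on a one-element list), and the comprehension `[_normalize(l.strip()) for l in l.split(";")]` reuses `l` as both the argument and the loop variable, which reads as a bug even though it works. In `_packages`, `Package(**kwargs)` raises a TypeError as soon as the pip-licenses JSON contains any key beyond Name, License and Version (pip-licenses can be asked to emit additional columns), so either filter `kwargs` down to the dataclass fields or document that only the default columns are supported. `p.name in exceptions` is a case-sensitive match against the name pip-licenses reports; normalising both sides avoids an exception silently not applying. Finally, the docstring of `audit()` should state the policy that a multi-licensed package is judged by its most permissive license, because that is a compliance decision a reader would not infer from the function name.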
@@ -1,6 +1,7 @@ | ||||||
from __future__ import annotations | ||||||
|
||||||
from dataclasses import dataclass | ||||||
from inspect import cleandoc | ||||||
from pathlib import Path | ||||||
from typing import ( | ||||||
Any, | ||||||
|
@@ -18,6 +19,26 @@ class Config: | |||||
version_file: Path = Path(__file__).parent / "exasol" / "toolbox" / "version.py" | ||||||
path_filters: Iterable[str] = ("dist", ".eggs", "venv") | ||||||
|
||||||
audit_licenses = ["Apache Software License"] | ||||||
audit_exceptions = { | ||||||
"pylint": cleandoc( | ||||||
""" | ||||||
The project only makes use of pylint command line. | ||||||
|
||||||
It only was added as normal dependency to save the "clients" the step | ||||||
of manually adding it as dependency. | ||||||
|
||||||
Note(s): | ||||||
|
||||||
Pylint could be marked, added as optional (extra) dependency to make it obvious | ||||||
that it is an opt in, controlled by the "user/client". | ||||||
|
||||||
Replacing pylint with an alternative (like `ruff <https://github.com/astral-sh/ruff>`_) | ||||||
with a more would remove the ambiguity and need for justification. | ||||||
|
||||||
""" | ||||||
) | ||||||
} | ||||||
|
||||||
@staticmethod | ||||||
def pre_integration_tests_hook( | ||||||
_session: Session, _config: Config, _context: MutableMapping[str, Any] | ||||||
|
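Review bot: `audit_licenses` and `audit_exceptions` are the only attributes of `Config` in this hunk without a type annotation, unlike `version_file: Path` and `path_filters: Iterable[str]` directly above them; if `Config` is a dataclass (this file imports `dataclass`), they are therefore class attributes rather than fields, and adding the annotations later would fail because dataclasses reject a bare `list`/`dict` default. Declaring `audit_licenses` as a tuple like `path_filters` and `audit_exceptions` via `dataclasses.field(default_factory=...)` keeps the class consistent. The justification text for pylint has a sentence with a missing word ("with a more would remove the ambiguity"); since this text is the reason shown for exempting a package from the audit, complete it, and name the license being excepted (and ideally the pylint version the exception was checked against), so the exception is auditable without re-running the tool.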
In that case you must hope that you don't have more packages than the command line allows parameters. https://www.cyberciti.biz/faq/linux-unix-arg_max-maximum-length-of-arguments/
https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation