licensed 0.11.0
# Licensed

Licensed is a Ruby gem to cache and verify the licenses of dependencies.

## Installation

Add this line to your application's Gemfile:

```ruby
gem 'licensed', :group => 'development'
```

And then execute:

    $ bundle

## Usage

- `licensed cache`: Cache licenses and metadata in `vendor/licenses`
- `licensed verify`: Check for issues with the licenses of dependencies. For example:

```
$ bundle exec licensed verify
Verifying licenses for 3 dependencies

Warnings:
vendor/licenses/rubygem/bundler.txt:
  - license needs reviewed: mit.

vendor/licenses/rubygem/licensee.txt:
  - missing license data

vendor/licenses/bower/jquery.txt:
  - license needs reviewed: mit.
  - cached license data out of date

3 dependencies checked, 3 warnings found.
```

### Configuration

Configuration is managed by `vendor/licenses/config.yml`.

```yml
# Dependencies with these licenses are approved by default.
whitelist:
  - mit
  - apache-2.0
  - bsd-2-clause
  - bsd-3-clause
  - cc0-1.0

# These dependencies are explicitly ignored.
ignored:
  rubygem:
    - some-internal-gem
  bower:
    - some-internal-package

# These dependencies have been reviewed.
reviewed:
  rubygem:
    - bcrypt-ruby
  bower:
    - classlist # public domain
    - octicons
```

### Sources

Dependencies will be automatically detected for:

1. Bundler (rubygem)
2. NPM
3. Bower
4. HaskellStack
5. Cabal
6. Go
7. Manifest lists

You can disable any of them in `vendor/licenses/config.yml`:

```yml
sources:
  rubygem: false
  npm: false
  bower: false
  stack: false
```

#### Special Considerations for Sources

##### rubygem

The rubygem source will explicitly exclude gems in the `:development` and `:test` groups.

Be aware that if you have a local bundler configuration (e.g. `.bundle`), that configuration will be respected as well. For example, if you have a local configuration set for `without: [':server']`, the rubygem source will exclude all gems in the `:server` group.

##### cabal

Cabal sourced dependencies are found exclusively through `ghc-pkg`. `licensed` makes no assumptions on where `ghc` package dbs are found. As a result, it is up to the caller to set `GHC_PACKAGE_PATHS` to all package db directories prior to calling into `licensed`.

##### manifests

Manifests are intended to be a stopgap if no package managers are available. The manifest is a JSON file that should be placed in the same directory as `config.yml` and should have the following format:

```JSON
{
  "file1": "package1",
  "path/to/file2": "package1",
  "other/file3": "package2"
}
```

Paths to files are expected to be relative to the git repository root. Package names will match 1:1 with metadata files at `<licenses directory>/manifest/*.txt`.

It is the responsibility of the repository owner to maintain the manifest file.

## Development

After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).

#### Adding sources

When adding new dependency sources, ensure that `bin/setup` scripting and tests are only run if the required tooling is available on the development machine.

* See `bin/setup` for examples of gating scripting based on whether tooling executables are found.
* Use `tool_available?` when writing test files to gate running a test suite when tooling executables aren't available.

```ruby
if tool_available?('bundle')
  describe Licensed::Source::Bundler do
    ...
  end
end
```

## Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/github/licensed. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org/) code of conduct.

## License

The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
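Worked example for the manifests section above: a consistency check that applies the two rules the README states for manifests (paths relative to the git repository root, package names matching 1:1 with `<licenses directory>/manifest/*.txt`). This is added example code, not part of the licensed gem; the manifest contents, repository file list and metadata file list are constructed sample data passed in as plain values so the check runs offline.

```ruby
require "json"
require "set"

# Constructed sample inputs (not real project data). The manifest extends the
# README's example with a fourth entry whose file does not exist in the repo.
SAMPLE_MANIFEST = <<~JSON
  {
    "file1": "package1",
    "path/to/file2": "package1",
    "other/file3": "package2",
    "missing/file4": "package3"
  }
JSON
SAMPLE_REPO_FILES = %w[file1 path/to/file2 other/file3]
SAMPLE_METADATA_FILES = %w[
  vendor/licenses/manifest/package1.txt
  vendor/licenses/manifest/package2.txt
  vendor/licenses/manifest/stale.txt
]

# Cross-check a manifest against the repository and the metadata directory.
#   manifest_json  - contents of the manifest file
#   repo_files     - file paths that exist, relative to the git repository root
#   metadata_files - files present under <licenses directory>/manifest/
# Returns an array of issue strings; an empty array means the manifest is consistent.
def manifest_issues(manifest_json, repo_files, metadata_files)
  manifest = JSON.parse(manifest_json)
  issues = []
  present = repo_files.to_set

  manifest.each do |path, package|
    issues << "#{path}: package name must be a string" unless package.is_a?(String)
    issues << "#{path}: paths must be relative to the repository root" if path.start_with?("/")
    issues << "#{path}: not found relative to repository root" unless present.include?(path)
  end

  # Every package named in the manifest needs manifest/<package>.txt, and every
  # metadata file should be reachable from at least one manifest entry.
  packages = manifest.values.grep(String).uniq
  with_metadata = metadata_files.map { |f| File.basename(f, ".txt") }.to_set
  (packages - with_metadata.to_a).each do |pkg|
    issues << "#{pkg}: no metadata file at manifest/#{pkg}.txt"
  end
  (with_metadata - packages).each do |pkg|
    issues << "manifest/#{pkg}.txt: not referenced by any manifest entry"
  end
  issues
end
```

Running `manifest_issues(SAMPLE_MANIFEST, SAMPLE_REPO_FILES, SAMPLE_METADATA_FILES)` reports the missing file, the package with no metadata file, and the metadata file no manifest entry points at.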