Auditing Third Party Code Licenses with LicenseFinder

At Atomic, we build custom software for our clients. When working on projects, we often look for existing open source code/libraries to leverage. We don’t want to waste time and money reinventing the wheel.

This is where software licensing comes into play. However, keeping track of the licenses for the different libraries you are using can be tricky. Luckily, I recently came across LicenseFinder, a tool that helps you audit and track the licenses of the third-party code your project is using.

Assuming that you are including third-party code using a package manager (as most projects do) such as RubyGems or npm, LicenseFinder can crawl your project and create a report detailing the license(s) associated with each dependency. It fully supports the following four package management types:

  • RubyGems
  • Python Eggs
  • npm
  • Bower

It also supports a handful of other types, though they are listed as experimental and may not work completely. For example, LicenseFinder claims to experimentally support CocoaPods; however, I wasn’t able to get it to work with the Swift iOS project that I’m currently working on.

While I have mostly used LicenseFinder’s reporting feature, it also supports a more advanced set of features. For example, you can define a target license (or set of licenses) and integrate license management into your continuous integration workflow. This would allow you to configure your CI build to fail if someone includes a dependency with an unsupported license.

For this post, I’m not going to discuss these more advanced features. I will, however, explain how to install and run LicenseFinder and review the reporting options that it provides.

Installation and Report Usage

LicenseFinder is a Ruby Gem. It can be installed via:

gem install license_finder

Once installed, you can run a basic report by typing license_finder. Assuming that you’ve installed dependencies with your dependency manager, you should see some output. As an example, I cloned the Ruby on Rails source code and generated a license report against its dependencies. The default report will print to stdout. The beginning of the report for Rails looks like:

actioncable, 5.0.0.beta2, MIT
actionmailer, 5.0.0.beta2, MIT
actionpack, 5.0.0.beta2, MIT
actionview, 5.0.0.beta2, MIT
activejob, 5.0.0.beta2, MIT
activemodel, 5.0.0.beta2, MIT
activerecord, 5.0.0.beta2, MIT
activesupport, 5.0.0.beta2, MIT
amq-protocol, 2.0.1, MIT
arel, 7.0.0, MIT
backburner, 1.2.0, MIT
bcrypt, 3.1.10, MIT
beaneater, 1.0.0, MIT
...

This report includes the name of each Rails Gem, the Gem version, and the Gem’s license. To generate a more verbose CSV report, the flag --format=csv can be used. You can customize the columns used in the report with the --columns flag. For example, the following command


license_finder --format=csv --columns=name licenses summary homepage

will print the following CSV report to stdout:

...
resque,MIT,Resque is a Redis-backed queueing system.,http://github.com/defunkt/resque
resque-scheduler,MIT,Light weight job scheduling on top of Resque,http://github.com/resque/resque-scheduler
rufus-scheduler,MIT,"job scheduler for Ruby (at, cron, in and every jobs)",http://github.com/jmettraux/rufus-scheduler
sass,MIT,A powerful but elegant CSS compiler that makes CSS fun again.,http://sass-lang.com/
sdoc,MIT,rdoc html with javascript search index.,http://github.com/voloko/sdoc
sequel,MIT,The Database Toolkit for Ruby,http://sequel.jeremyevans.net
serverengine,Apache 2.0,ServerEngine - multiprocess server framework,https://github.com/fluent/serverengine
sidekiq,LGPL,"Simple, efficient background processing for Ruby",http://sidekiq.org
sinatra,MIT,Classy web-development dressed in a DSL,http://sinatra.rubyforge.org
...

That’s the central functionality behind the reporting feature that LicenseFinder provides. If you’re looking for a way to track and audit the licenses of your project dependencies, I would recommend giving it a try.
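The post mentions failing a CI build when a dependency carries an unsupported license. As an added example (not from the original post, and not LicenseFinder's own policy feature), this Ruby script applies that check to a CSV report with the columns name, licenses, summary, homepage. The allowlist, the `examplegem` and `brokenrow` rows, and the comma-separated form of a multi-license field are assumptions.

```ruby
require 'csv'
require 'set'

# Constructed sample in the column order name, licenses, summary, homepage.
# The first four rows come from the report above; the last two are made up.
SAMPLE_REPORT = <<~REPORT
  resque,MIT,Resque is a Redis-backed queueing system.,http://github.com/defunkt/resque
  rufus-scheduler,MIT,"job scheduler for Ruby (at, cron, in and every jobs)",http://github.com/jmettraux/rufus-scheduler
  serverengine,Apache 2.0,ServerEngine - multiprocess server framework,https://github.com/fluent/serverengine
  sidekiq,LGPL,"Simple, efficient background processing for Ruby",http://sidekiq.org
  examplegem,"MIT, GPLv2",Constructed row with two licenses,http://example.invalid
  brokenrow
REPORT

# Hypothetical policy: the licenses this project accepts without review.
ALLOWED_LICENSES = Set['MIT', 'Apache 2.0'].freeze

Violation = Struct.new(:name, :licenses, :reason)

# Returns one Violation per dependency that needs review.
def audit_report(csv_text, allowed = ALLOWED_LICENSES)
  CSV.parse(csv_text).each_with_object([]) do |row, violations|
    name, licenses_field = row
    next if name.nil? || name.strip.empty? # blank line
    # Assumption: several licenses share one field, separated by commas.
    licenses = licenses_field.to_s.split(',').map(&:strip).reject(&:empty?)
    if licenses.empty?
      # Fail closed: a missing license is a finding, not a pass.
      violations << Violation.new(name, [], 'no license reported')
      next
    end
    rejected = licenses.reject { |license| allowed.include?(license) }
    next if rejected.empty?
    violations << Violation.new(name, rejected, 'license not on allowlist')
  end
end

# Exit status a CI step would use: non-zero when anything needs review.
def exit_status(violations)
  violations.empty? ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  findings = audit_report(SAMPLE_REPORT)
  findings.each { |v| puts "#{v.name}: #{v.reason} #{v.licenses.join(', ')}".strip }
  puts "CI exit status would be #{exit_status(findings)}"
end
```

A dependency is flagged when any one of its listed licenses is off the allowlist, so dual-licensed packages are sent to a human rather than passed automatically.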

Conversation
  • Paul REBOH says:

    Talking about licence and not reinventing the wheel … would be nice to add one there : https://github.com/atomicobject/hex_string ;)
