At Atomic, we build custom software for our clients. When working on projects, we often look for existing open source code/libraries to leverage. We don’t want to waste time and money reinventing the wheel.
This is where software licensing comes into play. However, keeping track of the licenses for the different libraries you are using can be tricky. Luckily, I recently came across LicenseFinder, a tool that helps you audit and track the licenses of the third-party code your project is using.
Assuming that you are including third-party code using a package manager (as most projects do) such as RubyGems or npm, LicenseFinder can crawl your project and create a report detailing the license(s) associated with each dependency. It fully supports the following four package management types:
- Python Eggs
It also supports a handful of other types, though they are listed as experimental and may not work completely. For example, LicenseFinder claims to experimentally support CocoaPods; however, I wasn’t able to get it to work with the Swift iOS project that I’m currently working on.
While I have mostly used LicenseFinder's reporting feature, it also supports a more advanced set of features. For example, you can define the set of licenses your project permits and integrate license management into your continuous integration workflow. This would allow you to configure your CI build to fail if someone includes a dependency whose license is not on that list.
For this post, I’m not going to discuss these more advanced features. I will, however, explain how to install and run LicenseFinder and review the reporting options that it provides.
Installation and Report Usage
LicenseFinder is a Ruby Gem. It can be installed via
gem install license_finder
Once installed, you can run a basic report by typing `license_finder`. Assuming that you've installed dependencies with your dependency manager, you should see some output. As an example, I cloned the Ruby on Rails source code and generated a license report against its dependencies. The default report will print to `stdout`. The beginning of the report for Rails looks like:
actioncable, 5.0.0.beta2, MIT
actionmailer, 5.0.0.beta2, MIT
actionpack, 5.0.0.beta2, MIT
actionview, 5.0.0.beta2, MIT
activejob, 5.0.0.beta2, MIT
activemodel, 5.0.0.beta2, MIT
activerecord, 5.0.0.beta2, MIT
activesupport, 5.0.0.beta2, MIT
amq-protocol, 2.0.1, MIT
arel, 7.0.0, MIT
backburner, 1.2.0, MIT
bcrypt, 3.1.10, MIT
beaneater, 1.0.0, MIT
...
This report includes the name of each Rails Gem, the Gem version, and the Gem's license. To generate a more verbose CSV report, use the `--format=csv` flag. You can customize the columns used in the report with the `--columns` flag. For example, the following command
license_finder --format=csv --columns=name licenses summary homepage
will print the following CSV report to
That’s the central functionality behind the reporting feature that LicenseFinder provides. If you’re looking for a way to track and audit the licenses of your project dependencies, I would recommend giving it a try.
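As an added illustration of the CI idea mentioned above (this is example code written for this page, not part of the original post and not LicenseFinder's own code; LicenseFinder ships its own mechanism for recording permitted licenses, which is the better choice in practice), here is a small Ruby script that consumes a CSV report of the shape produced by `license_finder --format=csv --columns=name version licenses` and decides whether a build should fail. The sample rows, the gem names in them, and the permitted-license list are constructed for the example. It also handles two cases a naive check misses: a dependency that lists several licenses in one field (dual licensing, where any one permitted license is enough) and a dependency whose license LicenseFinder could not determine, which should always fail and be reviewed by hand.

```ruby
require 'csv'

# Constructed sample of what `license_finder --format=csv --columns=name version licenses`
# might print for a project. The rows are illustrative, not captured from a real run,
# and the exact license names LicenseFinder reports may differ.
SAMPLE_CSV = <<~CSV
  actioncable,5.0.0.beta2,MIT
  bcrypt,3.1.10,MIT
  dual-licensed-gem,1.0.0,"MIT, Apache 2.0"
  copyleft-gem,2.3.1,GPLv3
  mystery-gem,0.1.0,unknown
CSV

# Licenses this hypothetical project is willing to ship with.
PERMITTED = ['MIT', 'Apache 2.0', 'New BSD', 'Simplified BSD'].freeze

# Parse the three-column CSV into hashes. A dependency can carry several
# licenses in one quoted field ("MIT, Apache 2.0"), so split that field.
def parse_report(csv_text)
  CSV.parse(csv_text).map do |name, version, licenses|
    {
      name: name,
      version: version,
      licenses: licenses.to_s.split(',').map(&:strip).reject(&:empty?)
    }
  end
end

# A dependency passes if at least one of its licenses is permitted: a
# dual-licensed package lets you pick the one you can live with. A dependency
# with no recognised license ("unknown") never matches and so is always flagged.
def violations(deps, permitted = PERMITTED)
  deps.reject { |dep| (dep[:licenses] & permitted).any? }
end

# Exit status for a CI step: 0 when every dependency is acceptable, 1 otherwise.
def ci_exit_status(csv_text, permitted = PERMITTED)
  violations(parse_report(csv_text), permitted).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  violations(parse_report(SAMPLE_CSV)).each do |dep|
    puts "#{dep[:name]} #{dep[:version]}: #{dep[:licenses].join(', ')} is not permitted"
  end
  puts "exit status would be #{ci_exit_status(SAMPLE_CSV)}"
end
```

In a real pipeline you would pipe the live report into the script instead of the constructed sample (for example `license_finder --format=csv --columns=name version licenses | ruby check_licenses.rb`) and `exit` with the returned status, so that a newly added dependency with a copyleft or undetermined license stops the build rather than slipping through.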