At Atomic, we build custom software for our clients. When working on projects, we often look for existing open source code and libraries to leverage; we don't want to waste time and money reinventing the wheel.
This is where software licensing comes into play: every library you pull in carries a license with its own obligations, and keeping track of the licenses across all of a project's dependencies can be tricky. Luckily, I recently came across LicenseFinder, a tool that helps you audit and track the licenses of the third-party code your project is using.
Assuming that you are including third-party code through a package manager (as most projects do) such as RubyGems or npm, LicenseFinder can crawl your project and create a report detailing the license(s) associated with each dependency. It fully supports the following four package management types:
- RubyGems
- Python Eggs
- npm
- Bower
It also supports a handful of other types, though they are listed as experimental and may not work completely. For example, LicenseFinder claims to experimentally support CocoaPods; however, I wasn’t able to get it to work with the Swift iOS project that I’m currently working on.
While I have mostly used LicenseFinder's reporting feature, it also supports a more advanced set of features. For example, you can define a target license (or set of permitted licenses) and integrate license management into your continuous integration workflow. This would allow you to configure your CI build to fail if someone includes a dependency whose license is outside the permitted set.
For this post, I’m not going to discuss these more advanced features. I will, however, explain how to install and run LicenseFinder and review the reporting options that it provides.
Installation and Report Usage
LicenseFinder is a Ruby Gem. It can be installed via
gem install license_finder
Once installed, you can run a basic report by typing license_finder. Assuming that you've installed dependencies with your dependency manager, you should see some output. As an example, I cloned the Ruby on Rails source code and generated a license report against its dependencies. The default report prints to stdout. The beginning of the report for Rails looks like:
actioncable, 5.0.0.beta2, MIT
actionmailer, 5.0.0.beta2, MIT
actionpack, 5.0.0.beta2, MIT
actionview, 5.0.0.beta2, MIT
activejob, 5.0.0.beta2, MIT
activemodel, 5.0.0.beta2, MIT
activerecord, 5.0.0.beta2, MIT
activesupport, 5.0.0.beta2, MIT
amq-protocol, 2.0.1, MIT
arel, 7.0.0, MIT
backburner, 1.2.0, MIT
bcrypt, 3.1.10, MIT
beaneater, 1.0.0, MIT
...
This report includes the name of each Rails Gem, the Gem version, and the Gem's license. To generate a more verbose CSV report, the flag --format=csv can be used. You can customize the columns used in the report with the --columns flag. For example, the following command
license_finder --format=csv --columns=name licenses summary homepage
will print the following CSV report to stdout:
...
resque,MIT,Resque is a Redis-backed queueing system.,http://github.com/defunkt/resque
resque-scheduler,MIT,Light weight job scheduling on top of Resque,http://github.com/resque/resque-scheduler
rufus-scheduler,MIT,"job scheduler for Ruby (at, cron, in and every jobs)",http://github.com/jmettraux/rufus-scheduler
sass,MIT,A powerful but elegant CSS compiler that makes CSS fun again.,http://sass-lang.com/
sdoc,MIT,rdoc html with javascript search index.,http://github.com/voloko/sdoc
sequel,MIT,The Database Toolkit for Ruby,http://sequel.jeremyevans.net
serverengine,Apache 2.0,ServerEngine - multiprocess server framework,https://github.com/fluent/serverengine
sidekiq,LGPL,"Simple, efficient background processing for Ruby",http://sidekiq.org
sinatra,MIT,Classy web-development dressed in a DSL,http://sinatra.rubyforge.org
...
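The CSV report above is also the raw material for the CI gate mentioned earlier: compare each dependency's license against a permitted set and fail the build on anything else. LicenseFinder has its own subcommands for this (historically license_finder whitelist add, later renamed permitted_licenses), which this post does not cover. The following is an added example, written for this post and not part of LicenseFinder, that applies that policy check to a report produced with --format=csv --columns=name licenses summary homepage. It assumes a CSV with no header row, that a dependency offered under several licenses has them joined with ", " in the licenses cell, and that undetected licenses appear as the literal "unknown"; the embedded report is constructed from the Rails rows shown above plus a made-up mystery-gem row with no license metadata, and the permitted set is a hypothetical project policy.

```ruby
require "csv"

# Constructed sample of a LicenseFinder CSV report (name, licenses, summary,
# homepage). Rows are taken from the Rails report above; "mystery-gem" is
# made up to exercise the missing-license case.
SAMPLE_REPORT = <<~CSV
  resque,MIT,Resque is a Redis-backed queueing system.,http://github.com/defunkt/resque
  rufus-scheduler,MIT,"job scheduler for Ruby (at, cron, in and every jobs)",http://github.com/jmettraux/rufus-scheduler
  serverengine,Apache 2.0,ServerEngine - multiprocess server framework,https://github.com/fluent/serverengine
  sidekiq,LGPL,"Simple, efficient background processing for Ruby",http://sidekiq.org
  mystery-gem,unknown,No license metadata found,http://example.invalid/mystery
CSV

# Hypothetical project policy: licenses we are willing to ship with.
PERMITTED_LICENSES = ["MIT", "Apache 2.0", "BSD"].freeze

# Parse the report into [name, [license, ...]] pairs. Assumption: a dependency
# with several licenses has them joined with ", " in the second column.
def parse_report(csv_text)
  CSV.parse(csv_text).map do |row|
    name, licenses = row
    [name, licenses.to_s.split(",").map(&:strip).reject(&:empty?)]
  end
end

# A dependency is approved when at least one of its known licenses is
# permitted (dual-licensed code can be taken under the permitted option).
# Missing metadata or the literal "unknown" (assumed LicenseFinder marker)
# is never approved: it needs a human review, not a silent pass.
def approved?(licenses, permitted)
  known = licenses.reject { |l| l.casecmp?("unknown") }
  !known.empty? && known.any? { |l| permitted.include?(l) }
end

# Everything in the report that fails the policy, in report order.
def unapproved_dependencies(csv_text, permitted = PERMITTED_LICENSES)
  parse_report(csv_text).reject { |_name, licenses| approved?(licenses, permitted) }
end

# Report violations on stderr and return the exit status a CI step should use.
def check_report(csv_text, permitted = PERMITTED_LICENSES)
  bad = unapproved_dependencies(csv_text, permitted)
  bad.each { |name, licenses| warn "UNAPPROVED: #{name} (#{licenses.join(', ')})" }
  bad.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  # With a report path (e.g. license_finder --format=csv ... > report.csv),
  # exit with the status so the CI build fails; with no argument, demo only.
  if ARGV.empty?
    status = check_report(SAMPLE_REPORT)
    puts(status.zero? ? "all dependencies approved" : "unapproved dependencies found")
  else
    exit(check_report(File.read(ARGV[0])))
  end
end
```

Run against the sample, sidekiq (LGPL) and mystery-gem (unknown) are reported and the status is 1; tighten approved? to known.all? if your policy requires every listed license of a dual-licensed dependency to be acceptable.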
That’s the central functionality behind the reporting feature that LicenseFinder provides. If you’re looking for a way to track and audit the licenses of your project dependencies, I would recommend giving it a try.
Talking about licence and not reinventing the wheel … would be nice to add one there : https://github.com/atomicobject/hex_string ;)