goliscan

command module
v0.6.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 8, 2016 License: MIT Imports: 6 Imported by: 0

README

GoLiScan

License MIT Build status Coverage report

License scanner and checker written in GO and designed to use with GO projects using /vendor directory.

The tool was inspired by and includes a part of https://github.com/frapposelli/wwhrd project by Fabio Rapposelli.

Table of Contents

Installation

Download a compiled binary

You can download the current stable version of the project from https://artifacts.maczukin.pl/goliscan/${RELEASE}/index.html, where ${RELEASE} is one of:

Release Description
release_stable The current stable version of the project
release_unstable The current unstable version of the project
vX.Y.Z The vX.Y.Z version of the project, eg. v0.1.0
branch/name Version from the branch/name branch in git tree

Examples:

  1. If you want to install the latest stable version - whichever it will be at the moment - you can find the download page at: https://artifacts.maczukin.pl/goliscan/release_stable/index.html.

    To install the binary for Linux OS and amd64 platform:

    $ sudo wget -O /usr/local/bin/goliscan https://artifacts.maczukin.pl/goliscan/release_stable/binaries/goliscan-linux-amd64
$ sudo chmod +x /usr/local/bin/goliscan

  2. If you want to install the v0.1.0 version, you can find the download pave at: https://artifacts.maczukin.pl/goliscan/v0.3.0/index.html.

    To install the binary for Linux OS and amd64 platform:

    $ sudo wget -O /usr/local/bin/goliscan https://artifacts.maczukin.pl/goliscan/v0.3.0/binaries/goliscan-linux-amd64
$ sudo chmod +x /usr/local/bin/goliscan
Install from source

Notice: You need to have a configured GO environment for this

To install GoLiScan from sourcec simply execute command:

$ go install gitlab.com/tmaczukin/goliscan

This will download current sources and install the binary in your $GOPATH/bin.

Usage

GoLiScan is a quite simple command line tool. It has two main commands:

  • list - to list all of found repositories with their licenses
  • check - to check if those licenses meet the acceptance criteria
List used licenses

This command is used to find all dependencies declared in the source code and vendorized in /vendor directory. The tool - for each dependency - tries to find one of well-known license files and then to determine the license type.

License file names and type patterns are determined using the ryanuber/go-license project.

To list licenses simply execute:

$ goliscan list
[    INFO]  Found license               license = MIT             package = github.com/codegangsta/cli
[    INFO]  Found license               license = MIT             package = github.com/ryanuber/go-license
[    INFO]  Found license               license = Apache-2.0      package = gopkg.in/yaml.v2
Output settings

JSON

The output can be printed in JSON format:

$ goliscan list --json
[
  {
    "Type": "INFO",
    "Message": "Found license",
    "PkgName": "github.com/codegangsta/cli",
    "License": "MIT"
  },
  {
    "Type": "INFO",
    "Message": "Found license",
    "PkgName": "github.com/ryanuber/go-license",
    "License": "MIT"
  },
  {
    "Type": "INFO",
    "Message": "Found license",
    "PkgName": "gopkg.in/yaml.v2",
    "License": "Apache-2.0"
  }
]

Output template

The output can be also formatted using an output template:

$ goliscan list -t '{{.Package | printf "%-30s"}} :: {{.License}}'
github.com/codegangsta/cli     :: MIT
github.com/ryanuber/go-license :: MIT
gopkg.in/yaml.v2               :: Apache-2.0

The --output-template parameter sets a template that will be used to print each line with one package/license pair. It uses the GO templates feature.

In the template one can use following variables:

Variable Description
Type Type of entry. For list command it will be only INFO. But for check command it can be OK, WARNING or CRITICAL
Message Message related with operation, eg. Found Approved license
Package The name of the package (dependency)
License The ID of the license, eg. MIT or GPL-2.0
Check licenses

This command is used to check if licenses of project dependencies, that can be found with the list command, are meeting the acceptance criteria configured in the licenses configuration file.

Each checked license can be in one of three states:

State Description
OK License meets acceptance criteria
WARNING License doesn't meet acceptance criteria, but package was added to exceptions list (see configuration file section for more details)
CRITICAL License doesn't meet acceptance criteria

Licenses in OK and WARNING states are both treat as accepted. The warning is only a printed information. But if there is at least one license in CRITICAL state - the test will be failed and the command will exit with an exit code 1. This makes this tool usable in CI scripts.

To check licenses simply execute:

$ goliscan check
[      OK]  Found accepted license      license = MIT             package = github.com/codegangsta/cli
[      OK]  Found accepted license      license = MIT             package = github.com/ryanuber/go-license
[CRITICAL]  Found unaccepted license    license = Apache-2.0      package = gopkg.in/yaml.v2
Exiting with error:
         At least one unaccepted license was found!

Output of the command can be configured in the same way as the output of the list command - for reference please read the output settings section.

Configuration file

As it was noticed above, check command will check licenses against acceptance criteria set in configuration file.

By default the command will read the criteria from the .licenses.yaml file which should be present in the root directory of the project. However one can use other file name. In such case the -c|--config option for check command should be used:

$ goliscan check --config .licenses-configuration.yaml
[      OK]  Found accepted license      license = MIT             package = github.com/codegangsta/cli
[      OK]  Found accepted license      license = MIT             package = github.com/ryanuber/go-license
[ WARNING]  Found exceptioned package   license = Apache-2.0      package = gopkg.in/yaml.v2
Configuration file format

Configuration file is a simple YAML file with three lists:

List Description
accepted List of dependencies license IDs that are accepted for the project, ex. MIT, GPL-3.0. Look at ryanuber/go-license for a reference
unaccepted List of dependencies license IDs that are unaccepted for the project
exceptions List of packages that are allowed to have a license that is on the unaccepted list, eg. github.com/ryanuber/go-license

In situation when:

  • both accepted and unaccepted are not configured, or
  • both accepted and unaccepted are configured, or
  • only unaccepted is configured,

GoLiScan will automatically enable a AllowUnknown mode.

Acceptance criteria are checked in following way:

  • if dependencie's license is on the unaccepted list but dependency is on the exceptions list - WARNING state is set,
  • if dependencie's license is on the unaccepted list and dependency is not on the exceptions list or dependencie's license is not on the accepted list and AllowUnknown mode is not enabled - CRITICAL state is set,
  • if dependencie's license is on the accepted list - the OK state is set,
  • in other case the WARNING state with "Criteria for license unknown" is set.

If the license will be listed in both accepted and unaccepted lists, then a conflict error will be raised:

$ goliscan check
Exiting with error:
         Configuration conflict! Following licenses were found in both `accepted` and `unaccepted` lists: MIT

License

This is a free software licensed under MIT license. See LICENSE file.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.