From 065398a9b4c65b7757144ba135fb030eaafbc356 Mon Sep 17 00:00:00 2001
From: ory-bot <60093411+ory-bot@users.noreply.github.com>
Date: Thu, 2 Jan 2025 15:13:44 +0000
Subject: [PATCH] autogen: update license overview
---
 .bin/license-engine.sh | 119 ++++++++++++++++++++++++++++++++++++++
 .bin/licenses | 8 +++
 .bin/list-licenses | 40 +++++++++++++
 .reports/dep-licenses.csv | 0
 4 files changed, 167 insertions(+)
 create mode 100755 .bin/license-engine.sh
 create mode 100755 .bin/licenses
 create mode 100755 .bin/list-licenses
 create mode 100644 .reports/dep-licenses.csv
diff --git a/.bin/license-engine.sh b/.bin/license-engine.sh
new file mode 100755
index 0000000..42a5951
--- /dev/null
+++ b/.bin/license-engine.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+
+# This script detects non-compliant licenses in the output of language-specific license checkers.
+
+# These licenses are allowed.
+# These are the exact and complete license strings for 100% legal certainty, no regexes.
+ALLOWED_LICENSES=(
+ '0BSD'
+ 'AFLv2.1'
+ 'AFLv2.1,BSD'
+ '(AFL-2.1 OR BSD-3-Clause)'
+ 'Apache 2.0'
+ 'Apache-2.0'
+ '(Apache-2.0 OR MPL-1.1)'
+ 'Apache-2.0 AND MIT'
+ 'Apache License, Version 2.0'
+ 'Apache*'
+ 'Artistic-2.0'
+ 'BlueOak-1.0.0'
+ 'BSD'
+ 'BSD*'
+ 'BSD-2-Clause'
+ '(BSD-2-Clause OR MIT OR Apache-2.0)'
+ 'BSD-3-Clause'
+ '(BSD-3-Clause OR GPL-2.0)'
+ 'BSD-3-Clause OR MIT'
+ 'CC0-1.0'
+ 'CC-BY-3.0'
+ 'CC-BY-4.0'
+ '(CC-BY-4.0 AND MIT)'
+ 'ISC'
+ 'ISC*'
+ 'LGPL-2.1' # LGPL allows commercial use, requires only that modifications to LGPL-protected libraries are published under a GPL-compatible license
+ 'MIT'
+ 'MIT*'
+ 'MIT-0'
+ 'MIT AND ISC'
+ '(MIT AND BSD-3-Clause)'
+ '(MIT AND Zlib)'
+ '(MIT OR Apache-2.0)'
+ '(MIT OR CC0-1.0)'
+ '(MIT OR GPL-2.0)'
+ 'MPL-2.0'
+ '(MPL-2.0 OR Apache-2.0)'
+ 'Public Domain'
+ 'Python-2.0' # the Python-2.0 is a permissive license, see https://en.wikipedia.org/wiki/Python_License
+ 'Unlicense'
+ 'WTFPL'
+ 'WTFPL OR ISC'
+ '(WTFPL OR MIT)'
+ '(MIT OR WTFPL)'
+ 'LGPL-3.0-or-later' # Requires only that modifications to LGPL-protected libraries are published under a GPL-compatible license which is not the case at Ory
+)
+
+# These modules don't work with the current license checkers
+# and have been manually verified to have a compatible license (regex format).
+APPROVED_MODULES=(
+ 'https://github.com/ory-corp/cloud/' # Ory IP
+ 'github.com/ory/hydra-client-go' # Apache-2.0
+ 'github.com/ory/hydra-client-go/v2' # Apache-2.0
+ 'github.com/ory/kratos-client-go' # Apache-2.0
+ 'github.com/gobuffalo/github_flavored_markdown' # MIT
+ 'buffers@0.1.1' # MIT: original source at http://github.com/substack/node-bufferlist is deleted but a fork at https://github.com/pkrumins/node-bufferlist/blob/master/LICENSE contains the original license by the original author (James Halliday)
+ 'https://github.com/iconify/iconify/packages/react' # MIT: license is in root of monorepo at https://github.com/iconify/iconify/blob/main/license.txt
+ 'github.com/gobuffalo/.*' # MIT: license is in root of monorepo at https://github.com/gobuffalo/github_flavored_markdown/blob/main/LICENSE
+ 'github.com/ory-corp/cloud/.*' # Ory IP
+ 'github.com/golang/freetype/.*' # FreeType license: https://freetype.sourceforge.net/FTL.TXT
+ 'go.opentelemetry.io/otel/exporters/jaeger/internal/third_party/thrift/lib/go/thrift' # Incorrect detection, actually Apache-2.0: https://github.com/open-telemetry/opentelemetry-go/blob/exporters/jaeger/v1.17.0/exporters/jaeger/internal/third_party/thrift/LICENSE
+ 'go.uber.org/zap/exp/.*' # MIT license is in root of exp folder in monorepo at https://github.com/uber-go/zap/blob/master/exp/LICENSE
+ 'github.com/ory/client-go' # Apache-2.0
+ 'github.com/ian-kent/linkio' # BSD - https://github.com/ian-kent/linkio/blob/97566b8728870dac1c9863ba5b0f237c39166879/linkio.go#L1-L3
+ 'github.com/t-k/fluent-logger-golang/fluent' # Apache-2.0 https://github.com/t-k/fluent-logger-golang/blob/master/LICENSE
+ 'github.com/jmespath/go-jmespath' # Apache-2.0 https://github.com/jmespath/go-jmespath/blob/master/LICENSE
+ 'github.com/ory/keto/proto/ory/keto/opl/v1alpha1' # Apache-2.0 - submodule of keto
+ 'github.com/ory/keto/proto/ory/keto/relation_tuples/v1alpha2' # Apache-2.0 - submodule of keto
+)
+
+# These lines in the output should be ignored (plain text, no regex).
+IGNORE_LINES=(
+ '"module name","licenses"' # header of license output for Node.js
+)
+
+echo_green() {
+ printf "\e[1;92m%s\e[0m\n" "$@"
+}
+
+echo_red() {
+ printf "\e[0;91m%s\e[0m\n" "$@"
+}
+
+# capture STDIN
+input=$(cat -)
+
+# remove ignored lines
+for ignored in "${IGNORE_LINES[@]}"; do
+ input=$(echo "$input" | grep -vF "$ignored")
+done
+
+# remove pre-approved modules
+for approved in "${APPROVED_MODULES[@]}"; do
+ input=$(echo "$input" | grep -vE "\"${approved}\"")
+ input=$(echo "$input" | grep -vE "\"Custom: ${approved}\"")
+done
+
+# remove allowed licenses
+for allowed in "${ALLOWED_LICENSES[@]}"; do
+ input=$(echo "$input" | grep -vF "\"${allowed}\"")
+done
+
+# anything left in the input at this point is a module with an invalid license
+
+# print outcome
+if [ -z "$input" ]; then
+ echo_green "Licenses are okay."
+else
+ echo_red "Unknown licenses found!"
+ echo "$input"
+ exit 1
+fi
diff --git a/.bin/licenses b/.bin/licenses
new file mode 100755
index 0000000..25d3c9d
--- /dev/null
+++ b/.bin/licenses
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+# Get the directory where this script is located
+bin_dir="$(cd "$(dirname "$0")" && pwd)"
+
+{ echo "Checking licenses ..."; } 2>/dev/null
+"${bin_dir}/list-licenses" | "${bin_dir}/license-engine.sh"
diff --git a/.bin/list-licenses b/.bin/list-licenses
new file mode 100755
index 0000000..b10e0d0
--- /dev/null
+++ b/.bin/list-licenses
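Review bot: The final `if [ -z "$input" ]` treats empty input as success, so if the producer writes nothing at all (tooling missing, an install step failed with stderr discarded upstream) this gate prints `Licenses are okay.` and exits 0 — a fail-open compliance check. Guard the raw report right after `input=$(cat -)`, before any filtering: `[ -n "$input" ] || { echo_red "No license report received on STDIN!"; exit 1; }`. Separately, the `'Apache*'`, `'BSD*'`, `'ISC*'` and `'MIT*'` entries appear to accept license-checker's asterisk-marked "guessed" licenses rather than declared ones; that is a deliberate relaxation worth a comment on those lines, e.g. `# '*' suffix = license inferred by license-checker from files, not declared in package.json`. The `echo "$input"` in the failure branch should be `printf '%s\n' "$input"` so a report line starting with `-` or containing backslashes is printed verbatim.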
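Review bot: `set -e` on the second line does not cover the pipeline on the last line: under `/bin/sh` without `pipefail` the pipeline's status is `license-engine.sh`'s alone, so `list-licenses` failing or producing partial output does not fail the check. Either switch to `#!/usr/bin/env bash` with `set -eo pipefail`, or write `list-licenses` output to a `mktemp` file, check its exit status, and only then feed the file to the engine. The `{ echo "Checking licenses ..."; } 2>/dev/null` group buys nothing over a plain `echo`; sending that status line to stderr (`>&2`) would also keep stdout reserved for the engine's report if the wrapper is ever captured by CI.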
@@ -0,0 +1,40 @@
+#!/bin/sh
+set -e
+
+bin_dir="$(cd "$(dirname "$0")" && pwd)"
+
+# list Node licenses
+if [ -f package.json ]; then
+ if jq -e '.dependencies and (.dependencies | keys | length > 0)' package.json >/dev/null; then
+ npm install >/dev/null 2>&1
+ npm exec --yes license-checker -- --production --csv --excludePrivatePackages --customPath "${bin_dir}"/license-template-node.json | grep -v '^$'
+ { echo; } 2>/dev/null
+ else
+ echo "No dependencies found in package.json" >&2
+ { echo; } 2>/dev/null
+ fi
+fi
+
+# list Go licenses
+if [ -f go.mod ]; then
+ # List all direct Go module dependencies, transform their paths to root module paths
+ # (e.g., github.com/ory/x instead of github.com/ory/x/foo/bar), and generate a license report
+ # for each unique root module. This ensures that the license report is generated for the root
+ # module of a repository, where licenses are typically defined.
+ go_modules=$(
+ go list -f "{{if not .Indirect}}{{.Path}}{{end}}" -m ... |
+ sort -u |
+ awk -F/ '{ if ($1 == "github.com" && NF >= 3) { print $1"/"$2"/"$3 } else { print } }' |
+ sort -u
+ { echo; } 2>/dev/null
+ )
+ if [ -z "$go_modules" ]; then
+ echo "No Go modules found" >&2
+ else
+ # Workaround until https://github.com/google/go-licenses/issues/307 is fixed
+ # .bin/go-licenses report "$module_name" --template .bin/license-template-go.tpl 2>/dev/null
+ #
+ echo "$go_modules" | xargs -I {} sh -c '.bin/go-licenses report --template .bin/license-template-go.tpl {}' 2>/dev/null | grep -v '^$'
+ { echo; } 2>/dev/null
+ fi
+fi
diff --git a/.reports/dep-licenses.csv b/.reports/dep-licenses.csv
new file mode 100644
index 0000000..e69de29
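Review bot: `npm install >/dev/null 2>&1` executes every dependency's lifecycle scripts just to enumerate licenses, and the redirect hides any failure, so a broken or tampered install leaves no trace in the log; `npm install --ignore-scripts` (with stderr left visible) should be sufficient for license-checker, which reads installed package metadata. In the Go branch, each module path is interpolated into `sh -c '... {}'`; passing it as an argument instead, `xargs -I {} "${bin_dir}/go-licenses" report --template "${bin_dir}/license-template-go.tpl" {}`, removes the shell re-parse and also fixes the `.bin/...` paths, which are resolved against the caller's cwd rather than `bin_dir` as the Node branch does. The trailing `2>/dev/null` on that pipeline discards go-licenses diagnostics, so a missing binary or an unresolvable module silently yields no report lines for that module.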