senseyeio / diligent Goto Github PK

Scoped packages like @angular/upgrade are not working.

Allow users to specify why category of license they will allow. This could feature copyfree and copyleft. Could further allow specification of features of the licenses, like allowing commercial usage, network redistribution and source redistribution

NPM supports:

• tarball URLs
• git URLs
• github owner/repo identifiers
• local file paths

We could maybe support git and github in future, but as of now, it is not supported. Throw a suitable error message.

For example gopkg.in/mgo.v2

Currently diligent will accept all licenses if a whitelist is not provided. Change this behaviour.

To allow users to allow all, introduce a -w all flag.

Currently always logs unknown license even though there isn't a license in NPM

At the moment if all repositories cannot be processed, it will not throw an error. Change this.

This could be made more general by Reporters taking an io.Writer as an argument, and adding a -o flag to direct output to a file (where output defaults to stdout). This would allow any Reporter's output to be directed either to a file or to stdout.

for instance https://registry.npmjs.org/bluebird/%5E2.9.34

Although there are no tests in the code base, we should be atleast checking that it compiles.

Introduce travis CI. Introduce a build and go test step.

Implement a github license provider for other package manager implementations to pull on

Allow Depers to receive any command line flags. This will allow the behavior to be adjusted.
For example, the npm deper does not currently gather development dependencies, a flag could decide whether it should include them or not.

• Remove godoc badge
• Show output
• Show local + docker usage together
• Fix local install instructions (go install)
• Add contributing section
• Install before usage?
• Explain docker volume
• Exit code 0 and stderr+stdout behaviour
• Ordering
• Show help output? or include details of output formats

Others from https://gist.github.com/alcortesm/f45a5f6b5e1543be3f1f88dde43cdecd

Thanks @rossmcf and @alcortesm

For example github.com/davecgh/go-xdr

Explain in the readme how to build locally

• How much should be logged?
• What should Deper return if they fail?
• How does it play with stdout output?

See https://docs.npmjs.com/files/package.json#license. Need to support ORs and ANDs. This may have wider implications.

When an unknown file is provided, instead of just outputting unknown file, include the filename of the provided file and explain why it is unknown. Something like Diligent does not know how to process 'Gopkg.toml' files.

Thanks @alcortesm

Given a directory, automatically find dependency manager files in the directory

Thanks @rossmcf

Currently only the first library which failed the whitelist is shown. Should show all the failures to make it clear to users.

Thanks @rossmcf

Many companies have internal libraries which are not exposed to the internet and do not have associated licenses. Regex whitelisting on package identifier could be used to ignore libraries you don't want to check.

Thanks @rossmcf

The output to stdout would be easier to read if it was tabulated.

Current output is:

github.com/inconshreveable/mousetrap -> Apache License 2.0
github.com/pelletier/go-toml -> MIT License
github.com/ryanuber/go-license -> MIT License
github.com/spf13/cobra -> Apache License 2.0
github.com/spf13/pflag -> BSD-3-Clause

Proposed output:

github.com/inconshreveable/mousetrap	Apache License 2.0
github.com/pelletier/go-toml		MIT License
github.com/ryanuber/go-license		MIT License
github.com/spf13/cobra			Apache License 2.0
github.com/spf13/pflag			BSD-3-Clause

For running on a build server we need an output mode which returns a non zero result if a license is found which is not compatible with the product/software.

Initially the user should be able to specify a whitelist of allowed license identifiers. In future this can be improved.

When no GOPATH is set, obtaining the license from the package's files fails.

Introduce a list command and a validate command. This helps it cover two use cases without confusion and clearly says what it is going to do.

I would have split the functionality of listing licenses and checking them in two commands: a list command that only list the subprojects and their licenses and a whitelist command that only reports if the subprojects comply with the whitelist or not, that returns a single line ("pass" or "fail", in addition to the exit value).

Thanks @alcortesm

In particular NewBSD and FreeBSD

diligent doesn't work with NPM scoped packages (eg. @angular/cli).

This is because 44419b8 changed the NPM registry URL from https://registry.npmjs.org/{package}/{version} to https://registry.npmjs.org/{package}?version={version}, which for some weird reason doesn't support scoped packages, even if the slash (/) is URL encoded as %2F.

I've sent an email to NPM support about this behavior, but its unlikely that they will address it anytime soon.

To revert back to using https://registry.npmjs.org/{package}/{version}, we need to strip any symbols before the version, as https://registry.npmjs.org/{package}/{version} only supports exact versions, unlike https://registry.npmjs.org/{package}?version={version}.

Would be useful to handle requirements.txt files - https://pypi.python.org/pypi/numpy/1.13.3/json allows for access to license data.

Replace go-license with https://github.com/src-d/go-license-detector

Currently alphabetical, but the use case is about identifying the licenses

Thanks @rossmcf

Document code. May also need some renaming.

We only expect a string, this does not always seem to be the case, for example https://registry.npmjs.org/@ng-bootstrap%2Fng-bootstrap/=1.0.0-beta.5

Introduce a concept of an output. This will allow users to select what form of output they would like. Current ideas, JSON, csv, html

Given that https://github.com/golang/dep is going to be the new standard for go dependency management, add support to diligent