This tool ships as a dotnet global tool and can be installed like so:
    dotnet tool install -g dotnet-delice
You can then use it like so:
    dotnet delice [folder, sln, csproj, fsproj]
- -?|-h|--help Boolean. Show help.
- -j|--json Boolean. Output results as JSON rather than pretty-print.
- --json-output [path] String. Path to file that the JSON should be written to. Note: Only in use if you use
- --check-github Boolean. If the license URL (for a legacy package) points to a GitHub-hosted file, use the GitHub API to try to retrieve the license type.
- --github-token <token> String. A GitHub Personal Access Token (PAT) to use when checking the GitHub API for license types. This avoids being rate limited when checking a project.
- --check-license-content Boolean. When provided, the contents of the license file will be compared to known templates.
- --refresh-spdx Boolean. When provided, the tool will also refresh the SPDX license cache used for conformance information.
- Project Name
  - The name of the project that was checked
- License Expression
  - A license expression found when parsing references
  - Some packages may result in an undetermined license. See Undetermined Licenses for more information
  - The name(s) of the packages found for that license
The following is an example of pretty-printed output:
    Project dotnet-delice
    License Expression: MIT
    ├── There are 10 occurances of MIT
    ├─┬ Conformance:
    │ ├── Is OSI Approved: true
    │ ├── Is FSF Free/Libre: true
    │ └── Included deprecated IDs: false
    └─┬ Packages:
      ├── FSharp.Core
      ├── Microsoft.NETCore.App
      ├── Microsoft.NETCore.DotNetAppHost
      ├── Microsoft.NETCore.DotNetHostPolicy
      ├── Microsoft.NETCore.DotNetHostResolver
      ├── Microsoft.NETCore.Platforms
      ├── Microsoft.NETCore.Targets
      ├── NETStandard.Library
      ├── Newtonsoft.Json
      └── System.ComponentModel.Annotations
- Ability to filter for only a particular license
- Anything you'd like? Open an issue
At the end of 2018 the licenseUrl field in the nuspec file was deprecated, to be replaced with a richer license metadata field. You can read more about it in the announcement, the documentation and Spec wiki.
This new metadata makes it possible to determine a package's license from the package itself, rather than relying on navigating through to the referenced license file.
Some NuGet packages have moved over to the new format, but many of them are still using the legacy approach, which makes it difficult for delice to determine what the license of a package is.
By default these packages will be reported with an "Unable to determine" license type, with the license URL included in the output, but there are two options that can be set at the CLI to help discover what the license is.
Using GitHub's API to Check Licenses
Projects hosted on GitHub will often have their license shown on the repository header, which is done by GitHub scanning the license file in the repository and determining the appropriate type. This can be accessed via GitHub's API, and delice provides an integration with it.
When the --check-github flag is set, delice will check whether the project's license URL points to a GitHub-hosted file. If it does, it will attempt to get the owner and repo name from the URL and then call the GitHub API. If the API returns a detected license, the license information will be updated in the response from
It's recommended to also use the --github-token <token> CLI option to provide a GitHub Personal Access Token to authenticate the requests (they are anonymous by default), as this will avoid being rate limited by the API.
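The lookup described in this section, sketched in Python as an added example; it is not delice's own code, and the host list, function names and sample values are assumptions. It uses GitHub's `GET /repos/{owner}/{repo}/license` endpoint and only builds a request, with or without the token, once the URL's hostname is exactly a GitHub host.

```python
import json
import re
from urllib.parse import urlsplit

# Hosts whose paths start with /<owner>/<repo>/ (assumed list, not taken from delice).
GITHUB_FILE_HOSTS = {"github.com", "www.github.com", "raw.githubusercontent.com"}
# Owner/repo characters allowed here; "." and ".." are excluded.
NAME = re.compile(r"(?!\.{1,2}$)[A-Za-z0-9_.-]+")


def repo_from_license_url(license_url):
    """Return (owner, repo) when the URL is a GitHub-hosted file, else None."""
    parts = urlsplit(license_url)
    # Exact hostname match: a substring test would also accept
    # lookalike hosts such as github.com.example.net.
    if parts.scheme not in ("http", "https") or parts.hostname not in GITHUB_FILE_HOSTS:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 3:  # owner, repo and at least one path element for the file
        return None
    owner, repo = segments[0], segments[1]
    # Reject anything that could alter the API path once interpolated.
    if not NAME.fullmatch(owner) or not NAME.fullmatch(repo):
        return None
    return owner, repo


def license_api_request(license_url, token=None):
    """Build (url, headers) for GitHub's repository license endpoint, or None."""
    repo = repo_from_license_url(license_url)
    if repo is None:
        return None  # not GitHub-hosted: no request is made, so no token is sent
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return f"https://api.github.com/repos/{repo[0]}/{repo[1]}/license", headers


def detected_spdx_id(response_body):
    """Return the SPDX id from the API response, or None if GitHub found none."""
    spdx = (json.loads(response_body).get("license") or {}).get("spdx_id")
    return None if spdx in (None, "NOASSERTION") else spdx


# Constructed sample inputs.
SAMPLE_URL = "https://github.com/example-owner/example-repo/blob/master/LICENSE.md"
SAMPLE_BODY = '{"name": "LICENSE.md", "license": {"key": "mit", "spdx_id": "MIT"}}'
if __name__ == "__main__":
    print(license_api_request(SAMPLE_URL), detected_spdx_id(SAMPLE_BODY))
```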
Checking License Contents
delice also supports doing this via the --check-license-contents flag. When provided, delice will download the contents of the licenseUrl in the nuspec and compare it to known templates stored within itself. The comparison requires that the license and template be at least 90% the same for it to be considered a match (this is lower than Licensee, which uses 98%, but experiments against .NET showed it was better to be a bit looser), so there are still some potential misses.
Also, only certain license templates are stored within delice, but feel free to add more via PRs.
This can work in conjunction with the GitHub API test, but will be run after the API check is done, and only if it fails.
Common License Cache
LicenseCache.fs contains a map of commonly used packages and the license file that they have. This means that delice can determine more licenses out of the box.
If you're coming across packages that you think should be in there, open a Pull Request with the updates.