`licensezero quote` and `licensezero buy` share the same subroutine for creating an inventory of packages with License Zero metadata. At its most basic level, the subroutine recurses the current working directory, parsing and verifying every `licensezero.json` file it finds. When it finds a `licensezero.json` file, it looks in the same directory for files that indicate a particular kind of package, like `package.json` or `setup.py`, and attempts to extract package name, package scope (user or group), and package version.

For packages installed at the system or user level, like RubyGems and Go packages, the subroutine shells out to language-specific development tools to list dependencies, and tries to find their paths.

The relevant source files are in `./inventory`.
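
The directory walk described above, as an added Go sketch for the `package.json` case only. It is not License Zero's own code: the `Package` type and `Inventory` function are hypothetical names, and the sketch only detects `licensezero.json` without parsing or verifying it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Package is one inventory entry (hypothetical type for this example).
type Package struct{ Path, Scope, Name, Version string }

// Inventory walks root and records each directory holding both a
// licensezero.json and a package.json. WalkDir does not follow symlinks.
func Inventory(root string) ([]Package, error) {
	var found []Package
	err := filepath.WalkDir(root, func(path string, entry fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if entry.IsDir() || entry.Name() != "licensezero.json" {
			return nil
		}
		dir := filepath.Dir(path)
		data, err := os.ReadFile(filepath.Join(dir, "package.json"))
		if err != nil {
			return nil // no package.json here: not an npm package
		}
		var manifest struct {
			Name    string `json:"name"`
			Version string `json:"version"`
		}
		if json.Unmarshal(data, &manifest) != nil {
			return nil // skip a malformed manifest instead of aborting the walk
		}
		pkg := Package{Path: dir, Name: manifest.Name, Version: manifest.Version}
		if scope, name, ok := strings.Cut(manifest.Name, "/"); ok && strings.HasPrefix(scope, "@") {
			pkg.Scope, pkg.Name = scope[1:], name // npm scoped name: "@scope/name"
		}
		found = append(found, pkg)
		return nil
	})
	return found, err
}

func main() {
	fmt.Println(Inventory("."))
}
```
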

- Finds dependencies by recursing the working directory.
- Reads name and version from any `composer.json` file in the same directory as any `licensezero.json`.

- Finds dependencies by running `go list -f '{{ join .Deps "\n" }}'`.
- Finds dependency names, paths, and standard-library status by running `go list -f "$TEMPLATE" $name`.
- See #10

- Finds dependencies by recursing the working directory.
- Reads name and version from any `pom.xml` file in the same directory as any `licensezero.json`.

- Finds dependencies by recursing the working directory, including `node_modules`.
- Reads name, scope, and version from any `package.json` file in the same directory as any `licensezero.json`.
- Does not parse `require()` or `import` statements to find dependencies outside the working directory.

Incomplete Support

- Finds dependencies by recursing the working directory.
- Reads name and version by running `python setup.py --name --version` in the same directory as any `licensezero.json`.
- See #3

- Finds dependencies by running `bundle show`.
- Reads name and version from `bundle show` output.
- Finds dependency paths by running `bundle show --paths`.
- Does not parse `require` statements to find non-Bundler dependencies.

Rudimentary Support
- Finds dependencies by recursing the working directory.
- Does not read name or version.
- Does not identify packages as Rust packages.