Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scan licenses of dependencies #3828

Open
6 tasks
shengy90 opened this issue Jun 25, 2024 · 1 comment
Open
6 tasks

Scan licenses of dependencies #3828

shengy90 opened this issue Jun 25, 2024 · 1 comment
Labels
new feature

Comments

@shengy90
Copy link

Short Description

Detect licenses of dependencies too.

Possible Labels

dependencies
improve-license-detection

  • new feature

Select Category

  • [x ] Enhancement
  • Add License/Copyright
  • Scan Feature
  • Packaging
  • Documentation
  • Expand Support
  • Other

Describe the Update

ScanCode right now looks like it's only scanning for explicit copyright text or license texts in the existing code base. I would like to also be able to pick up licenses of dependencies, and set up flags and where the flagged dependencies have been used in the code base.

For example (this repo for inspiration: https://github.com/raimon49/pip-licenses):

  • Set flag to detect GPL licenses
  • Pick up all dependencies in my project that uses GPL licenses
  • Then spot in my code base where this package was used so I can determine what to do with them etc.

How This Feature will help you/your organization

Identify GPL packages used and where in the code based it was used, so we can detect how we want to handle them, to avoid issues with GPLs.

Possible Solution/Implementation Details

Example/Links if Any

Can you help with this Feature
@pombredanne
Copy link
Member

Just a bit of updates there:

  1. we detect direct dependencies in manifests and lockfiles now in ScanCode toolkit
  2. deplock in https://github.com/nexB/dependency-inspector/ can generate missing dependency lockfiles for parsing with 1.
  3. PurlDB can scan and store scan results for source and binaries for the packages
  4. ScanCode.io can detect the dependencies like ScanCode toolkit parsing the lockfile eventually generated by deplock
  5. We can also match other non-documented dependencies using matchcode (backed by PurlDB signatures)
  6. ScanCode.io can also find "hidden" dependencies in binaries using the "map deploy to devel" pipeline.

A simple process to scan all the dependencies:

  1. run deplock
  2. then scan your project in ScanCode.io to detect the packages
  3. add also the populate purldb pipeline: this will trigger a full source and binary scan of all the dependencies
  4. enrich the scan results with a purldb lookup

@pombredanne pombredanne mentioned this issue Aug 14, 2024
Open
@mattmccutchen mattmccutchen mentioned this issue Nov 8, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
new feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pombredanne @shengy90