cosmicrose

cosmicrose

Hex_license - check your dependency licenses and lint your own

I’ve recently been working on a Mix task to check dependency licenses.

There are a few mix tasks in this project:

mix licenses will print a summary of your dependencies and whether their licenses are valid SPDX identifiers.

$ mix licenses
Dependency  Status
ex_doc      all valid
httpoison   all valid
poison      all valid

mix licenses.explain will print the dependencies that have unidentifiable licenses.
License IDs defined by the package should be an identifier on the SPDX License List.
You can also pass the --osi flag to all these tasks in order to ensure all licenses are approved by the Open Source Initiative.

$ mix licenses.explain --osi
dependency_a has 1 unsafe licenses:
 - "MIT License" is not an SPDX ID.
dependency_b has 1 unsafe licenses:
 - "WTFPL" is not OSI-approved.

Lastly, mix licenses.lint will check the package info in your own project,
and returns an error code to your shell if the ID is not found.

$ mix licenses.lint
This project has 1 unsafe licenses:
 - "badid" is not an SPDX ID

This project is a lot like licensir, which I learned of today while reading the forum on this topic, and saw that it was recently archived. I think we have similar goals in mind, and of course we share the same mix task name, so please consider hex_licenses as a replacement.

I’d love if I could add more license-related functionality to this project, so please suggest something!

Most Liked

cosmicrose

cosmicrose

After some fabulous feedback, I’ve been able to change the tasks to get all their information locally. Now we’re getting license info directly from the hex metadata file in deps/, so you get feedback on the exact versions of the dependencies you’re using. This also means no more mess of HTTP calls to Hex.

Also, we are now caching a version of the SPDX license list locally. It’s possible that this may become out-of-date. However, the SPDX list does not change very often, so this is a good trade-off. If the list does update and you need that new information, give the --update flag to any task in order to pull fresh data.

I also made the remaining two prod dependencies optional, because they are now only used for the --update flag and nothing else. Might as well try to keep the number of dependencies down.

v0.3.0 - The Local Update

Added

  • All tasks now accept the --update flag to pull down a fresh copy of the license list instead of using the version checked into this repo.

Changed

  • No longer makes HTTP calls to Hex and SPDX, and instead uses locally-available information.
  • httpoison and poison deps are now optional, since using --update is optional.
cosmicrose

cosmicrose

I was going to do something similar, but I never had enough time. I am glad that someone done that.

I saw your fork when I was researching a little bit for this post! Small world! I’ve got a little too much free time on my hands so I’m happy to put it towards something useful like this.

:heart: for the project.

Thank you so much!

Maybe it could be somehow integrated with sbom?

I’m checking it out now. I think our purposes might be perfectly orthogonal, but I’d love to figure out a way to better support another tool. At the very least, there might be a new library we could share to better deal with Mix dependencies, since hex_licenses still needs a little improvement in that area.

Thank you for the support!

hauleth

hauleth

I was going to do something similar, but I never had enough time. I am glad that someone done that.

:heart: for the project.

Maybe it could be somehow integrated with sbom?

Where Next?

Popular in Discussions Top

blackode
Elixir Upgrading is so Simple in Ubuntu and It worked for me Ubuntu 16.04 git clone https://github.com/elixir-lang/elixir.git cd elixir...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
crabonature
I’m still quite new to Elixir. As I understand we got in Elixir “multi guards” as convention to simplify one large guard with or’s?: de...
New
New
Qqwy
I would like to spark a discussion about the static access operator: .. For whom does not know: it is used in Elixir to access fields of...
New
griffinbyatt
Sobelow Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for g...
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New
Fl4m3Ph03n1x
Background A few days ago I was listening to The future of Elixir from Elixir Talks, with Dave Thomas (@pragdave ) and Brian Mitchell. I...
New
kostonstyle
Hi all How can I compare haskell with elixir, included tools, webservices, ect. Thanks
New
slashdotdash
Phoenix Live View is now publicly available on GitHub. Here’s Chris McCord’s tweet announcing making it public.
New

Other popular topics Top

malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New

We're in Beta

About us Mission Statement