Hex_license - check your dependency licenses and lint your own

I’ve recently been working on a Mix task to check dependency licenses.

There are a few mix tasks in this project:

mix licenses will print a summary of your dependencies and whether their licenses are valid SPDX identifiers.

$ mix licenses
Dependency  Status
ex_doc      all valid
httpoison   all valid
poison      all valid

mix licenses.explain will print the dependencies that have unidentifiable licenses.
License IDs defined by the package should be an identifier on the SPDX License List.
You can also pass the --osi flag to all these tasks in order to ensure all licenses are approved by the Open Source Initiative.

$ mix licenses.explain --osi
dependency_a has 1 unsafe licenses:
 - "MIT License" is not an SPDX ID.
dependency_b has 1 unsafe licenses:
 - "WTFPL" is not OSI-approved.

Lastly, mix licenses.lint will check the package info in your own project,
and returns an error code to your shell if the ID is not found.

$ mix licenses.lint
This project has 1 unsafe licenses:
 - "badid" is not an SPDX ID

This project is a lot like licensir, which I learned of today while reading the forum on this topic, and saw that it was recently archived. I think we have similar goals in mind, and of course we share the same mix task name, so please consider hex_licenses as a replacement.

I’d love if I could add more license-related functionality to this project, so please suggest something!

13 Likes

I was going to do something similar, but I never had enough time. I am glad that someone has done that.

:heart: for the project.

Maybe it could be somehow integrated with sbom?

3 Likes

I was going to do something similar, but I never had enough time. I am glad that someone has done that.

I saw your fork when I was researching a little bit for this post! Small world! I’ve got a little too much free time on my hands so I’m happy to put it towards something useful like this.

:heart: for the project.

Thank you so much!

Maybe it could be somehow integrated with sbom?

I’m checking it out now. I think our purposes might be perfectly orthogonal, but I’d love to figure out a way to better support another tool. At the very least, there might be a new library we could share to better deal with Mix dependencies, since hex_licenses still needs a little improvement in that area.

Thank you for the support!

4 Likes

After some fabulous feedback, I’ve been able to change the tasks to get all their information locally. Now we’re getting license info directly from the hex metadata file in deps/, so you get feedback on the exact versions of the dependencies you’re using. This also means no more mess of HTTP calls to Hex.

Also, we are now caching a version of the SPDX license list locally. It's possible that this may become out of date. However, the SPDX list does not change very often, so this is a good trade-off. If the list does update and you need that new information, give the --update flag to any task in order to pull fresh data.

I also made the remaining two prod dependencies optional, because they are now only used for the --update flag and nothing else. Might as well try to keep the number of dependencies down.

v0.3.0 - The Local Update

Added

  • All tasks now accept the --update flag to pull down a fresh copy of the license list instead of using the version checked into this repo.

Changed

  • No longer makes HTTP calls to Hex and SPDX, and instead uses locally-available information.
  • httpoison and poison deps are now optional, since using --update is optional.
5 Likes
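As an added illustration of the local approach described in the update above (this is example code, not hex_licenses' own source), the sketch below reads each dependency's hex_metadata.config from deps/ and checks the declared licenses against a small constructed subset of the SPDX License List; the module name, the subset and its OSI flags are assumptions for the example.

```elixir
# Example only; assumes the standard Hex layout in which every fetched
# dependency carries deps/<name>/hex_metadata.config, an Erlang term file
# with an entry of the form {<<"licenses">>, [<<"MIT">>]}.
defmodule LicenseAudit do
  # Constructed subset of the SPDX list: ID => OSI-approved?
  # (the real list is far longer; WTFPL is an SPDX ID but not OSI-approved)
  @spdx %{"MIT" => true, "Apache-2.0" => true, "BSD-3-Clause" => true, "WTFPL" => false}

  # Returns {:ok, [license_id]} for one dependency directory, or {:error, reason}
  # when the metadata file is missing or malformed.
  def licenses_of(dep_dir) do
    path = Path.join(dep_dir, "hex_metadata.config")

    case :file.consult(String.to_charlist(path)) do
      # keys in hex_metadata.config are binaries, so Map.new/1 gives string keys
      {:ok, terms} -> {:ok, terms |> Map.new() |> Map.get("licenses", [])}
      {:error, reason} -> {:error, reason}
    end
  end

  # Classifies each declared license; [] means nothing to report.
  # With osi: true, SPDX IDs that are not OSI-approved are also flagged.
  def check(licenses, opts \\ []) do
    osi? = Keyword.get(opts, :osi, false)

    Enum.flat_map(licenses, fn id ->
      case Map.fetch(@spdx, id) do
        :error -> ["#{inspect(id)} is not an SPDX ID."]
        {:ok, false} when osi? -> ["#{inspect(id)} is not OSI-approved."]
        _ -> []
      end
    end)
  end

  # Walks deps/ and prints a licenses.explain-style report for each dependency.
  def run(deps_root \\ "deps", opts \\ []) do
    for dir <- Path.wildcard(Path.join(deps_root, "*")), File.dir?(dir) do
      dep = Path.basename(dir)

      with {:ok, licenses} <- licenses_of(dir),
           [_ | _] = problems <- check(licenses, opts) do
        IO.puts("#{dep} has #{length(problems)} unsafe licenses:")
        Enum.each(problems, &IO.puts(" - #{&1}"))
      else
        [] -> :ok
        {:error, reason} -> IO.puts("#{dep}: cannot read hex metadata (#{inspect(reason)})")
      end
    end

    :ok
  end
end
```

Run `LicenseAudit.run("deps", osi: true)` from `mix run -e` inside a project to get output shaped like the `mix licenses.explain --osi` sample above, with no network access involved.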