{"id":13710705,"url":"https://github.com/blocky/adlr","last_synced_at":"2026-01-14T11:52:33.191Z","repository":{"id":49484875,"uuid":"360245561","full_name":"blocky/adlr","owner":"blocky","description":"A.D.L.R. is a project that attempts to Automate Dependency License Requirements for Golang projects","archived":false,"fork":false,"pushed_at":"2024-10-10T15:18:38.000Z","size":136,"stargazers_count":11,"open_issues_count":2,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-05-06T19:38:10.830Z","etag":null,"topics":["automation","go","golang","license-checking","license-management"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blocky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://www.blocky.rocks/contact"]}},"created_at":"2021-04-21T17:01:45.000Z","updated_at":"2024-10-09T10:41:02.000Z","dependencies_parsed_at":"2024-08-26T09:41:52.181Z","dependency_job_id":"55312076-b77c-4bee-9e43-12360fb689c1","html_url":"https://github.com/blocky/adlr","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/blocky/adlr","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blocky%2Fadlr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blocky%2Fadlr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blocky%2Fadlr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/blocky%2Fadlr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blocky","download_url":"https://codeload.github.com/blocky/adlr/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blocky%2Fadlr/sbom","scorecard":{"id":243855,"data":{"date":"2025-08-11","repo":{"name":"github.com/blocky/adlr","commit":"24b430dbf2bf56a4f439457d7891be74ff222a17"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.1,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":1,"reason":"Found 4/30 approved changesets -- score 
normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"18 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2023-1765 / GHSA-2q89-485c-9j2x","Warn: Project is vulnerable to: GO-2024-2453 / GHSA-9763-4f94-gfch","Warn: Project is vulnerable to: GO-2025-3754 / GHSA-2x5j-vhc8-9cwm","Warn: Project is vulnerable to: GO-2024-2456 / GHSA-449p-3h89-pw88","Warn: Project is vulnerable to: GO-2024-2466 / GHSA-mw99-9chc-xw7r","Warn: Project is vulnerable to: GO-2025-3367 / GHSA-r9px-m959-cxf4","Warn: Project is vulnerable to: GO-2025-3368 / GHSA-v725-9546-7q7m","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / 
GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 27 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T07:09:28.700Z","repository_id":49484875,"created_at":"2025-08-17T07:09:28.700Z","updated_at":"2025-08-17T07:09:28.700Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28419272,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T10:47:48.104Z","status":"ssl_error","status_checked_at":"2026-01-14T10:46:19.031Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","go","golang","license-checking","license-management"],"created_at":"2024-08-02T23:01:00.029Z","updated_at":"2026-01-14T11:52:33.176Z","avatar_url":"https://github.com/blocky.png","language":"Go","funding_links":["https://www.blocky.rocks/contact"],"categories":["Repositories"],"sub_categories":[],"readme":"# A.D.L.R.\n### **A**utomating **D**ependency **L**icense **R**equirements\n\n[![GoDoc](https://godoc.org/github.com/blocky/adlr?status.svg)](https://godoc.org/github.com/blocky/adlr)\n[![Build Status](https://www.travis-ci.com/blocky/adlr.svg?token=JczzdP6eMqmEqysZ8pDf\u0026branch=main)](https://www.travis-ci.com/blocky/adlr)\n[![Go Report Card](https://goreportcard.com/badge/github.com/blocky/adlr)](https://goreportcard.com/report/github.com/blocky/adlr)\n\nADLR is a project that attempts to automate fulfillment of golang module dependency license requirements in a lock file suitable for vcs.\n\nFor our dependencies and their licenses, see [license.lock](license.lock)\n\n# Disclaimer\n**The ADLR project offers no legal advice or license compliance guarantee. It is your responsibility to ensure compliance with licenses you interact with**\n\n# Overview\n## ADLR's License Lock\nADLR creates a license lock file. This is a readable and manually editable json file of your directly imported golang dependencies and their licenses. It is much like a `go.mod`, and you can save this file in your version control system. 
Some benefits of this:\n+ monitor imports' licenses across versions\n+ automate listing *copyrights*|*permissions*|*warranties* for licenses in your source code\n\n## Get ADLR\n`go get github.com/blocky/adlr/...`\n\n## ADLR and Distributable Inclusion\nAutomate a license information command for your distributable with your license lock file\n\n### Linker Flag\n1. Serialize the lock file _(Go Linker flag requires strings to have no spaces or newlines)_\n2. Pass to a variable in your code with the `-ldflags` build flag\n3. Deserialize and unmarshal for license information command(s)\n\n### Go 1.16 File Embedding\n1. Embed your license lock file with an embed directive:\n```golang\n//go:embed license.lock\nvar DependencyRequirements []byte\n```\n2. Unmarshal for license information command(s)\n\nAn example of this is built in to the repo. See `main.go` and the `cmd/` folder for details. Or test out ADLR's `about license(s)` commands with `go get` or `make build`.\n\n# ADLR Process\n## Your Golang Module buildlist\nUsing the command in your golang module:\n```sh\n$ go list -m -json all \u003e buildlist.json\n```\nyou can generate a json list of all golang modules/projects required to build your module.\nIf your project is complex this list can be long. Currently, ADLR filters for directly imported modules only.\n```golang\nbuildlist, err := os.Open(\"./buildlist.json\")\n...\ndefer buildlist.Close()\n\nparser := gotool.MakeBuildListParser()\nmods, err := parser.ParseModuleList(buildlist)\n...\n\ndirect := gotool.FilterDirectImportModules(mods)\n```\n\n## Text Mining Licenses\nUnfortunately, golang does not yet have a standard for module license files. Their names can be lowercase, uppercase, with or without a file extension, or not even named \"license\", such as \"COPYLEFT\". 
To solve this, ADLR uses text mining to prospect potential license file matches and their confidences with https://github.com/go-enry/go-license-detector.\n```golang\ndirect := gotool.FilterDirectImportModules(mods)\n\nprospects := adlr.MakeProspects(direct...)\nprospector := adlr.MakeProspector()\nmines, err := prospector.Prospect(prospects...)\n...\n```\n\n## Automatically Determining License\nFrom prospecting, one or multiple matches are returned for a golang module with license type, file name, and confidence. With preset confidence values, ADLR attempts to automatically determine the license for each golang module. If a license cannot be determined through mining, the license lock manager may be able to automatically determine it (only if a license lock file has already been created).\n```golang\nmines, err := prospector.Prospect(prospects...)\n...\n\nminer := adlr.MakeMiner()\nlocks, err := miner.Mine(mines...)\nif err != nil \u0026\u0026 Verbose {\n\tfmt.Println(err)\n}\n```\n\n## Locking Dependencies and their Licenses\nAfter mining, licenses are hopefully automatically determined. These are now ready to be locked into a file. For no pre-existing license lock, a new file is created. For an existing license lock, the new and old list of dependencies are merged.\n\nNew dependencies take priority, and will fill the lock file. But for new locks that are missing license fields, merging is attempted with pre-existing locks. For new locks that cannot be automatically resolved, the license lock manager will print them in stderr, asking for manual editing of the license lock file. These license edits will persist for that dependency.\n```golang\nlocks, err := miner.Mine(mines...)\n...\n\nlicenselock := adlr.MakeLicenseLockManager(\"./\")\nerr = licenselock.Lock(locks...)\n...\n```\n\n## Auditing Locked License types\nAfter locking, dependencies and their licenses have been written to the lock file. But unwanted license types may have slipped through. 
The auditing step will search through the lock file, checking license types against a whitelist. For any types not listed, an error is returned listing bad license types, and requesting whitelist inclusion or dependency removal.\n```golang\nlicenselock := adlr.MakeLicenseLockManager(\"./\")\nerr = licenselock.Lock(locks...)\n...\n\nlocks, err = licenselock.Read()\n...\n\nwhitelist := adlr.MakeWhitelist([]string{\"A\",\"B\",\"C\"...})\nauditor := adlr.MakeAuditor(whitelist)\nerr = auditor.Audit(locks...)\n...\n```\n# Development\nContributions are welcome! Contact BLOCKY through our website [www.blocky.rocks](www.blocky.rocks) or email **ian@blocky.rocks**\n\n## Branch Practices\n### Branches\n+ **feature/**: Used for adding features, increments semver x.**y**.z\n+ **bugfix/**: Used for fixing bugs, increments semver x.y.**z**\n+ **chore/**: Used for small chores, tasks, etc and does not usually result in a semver increase/release\n\n### Main \u0026 Develop\nDue to recent errors in PR merges to the main branch, *all PR's must initially merge into the* **develop branch**, **checked for bugs**, *then a PR merging* **develop's** *changes into* **main**\n\n### Squash Merging\nWe use squash merging for PR's. Therefore, not all of your commits are required to pass testing **besides your last commit**\n\n## Dependencies for testing\nMockery - mockery v1 is used to autogenerate code for golang interfaces. Mocked interfaces are outputted to the `internal/mocks/` folder. The golang binary tool can be downloaded from https://github.com/vektra/mockery\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblocky%2Fadlr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblocky%2Fadlr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblocky%2Fadlr/lists"}