{"id":16014700,"url":"https://github.com/pmonks/tools-licenses","last_synced_at":"2025-10-04T15:53:08.007Z","repository":{"id":40400165,"uuid":"421171026","full_name":"pmonks/tools-licenses","owner":"pmonks","description":"A Clojure tools.build task library related to dependency licenses.","archived":false,"fork":false,"pushed_at":"2024-11-12T19:32:31.000Z","size":1368,"stargazers_count":7,"open_issues_count":2,"forks_count":4,"subscribers_count":2,"default_branch":"dev","last_synced_at":"2025-02-20T18:47:12.732Z","etag":null,"topics":["clojure","license-checking","licenses","licensing","spdx","tools-build"],"latest_commit_sha":null,"homepage":"","language":"Clojure","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pmonks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-25T20:13:16.000Z","updated_at":"2024-11-12T19:32:35.000Z","dependencies_parsed_at":"2023-01-31T07:15:51.455Z","dependency_job_id":"6ec22330-b3a8-4da5-968e-3d55b77b24ca","html_url":"https://github.com/pmonks/tools-licenses","commit_stats":{"total_commits":196,"total_committers":1,"mean_commits":196.0,"dds":0.0,"last_synced_commit":"9b3822b14cc8ece67f425fb94ab7ec40521d3f29"},"previous_names":[],"tags_count":46,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmonks%2Ftools-licenses","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmonks%2Ftools-licenses/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/pmonks%2Ftools-licenses/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmonks%2Ftools-licenses/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pmonks","download_url":"https://codeload.github.com/pmonks/tools-licenses/tar.gz/refs/heads/dev","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243871244,"owners_count":20361320,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clojure","license-checking","licenses","licensing","spdx","tools-build"],"created_at":"2024-10-08T15:04:48.626Z","updated_at":"2025-10-04T15:53:08.000Z","avatar_url":"https://github.com/pmonks.png","language":"Clojure","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tools-licenses\n\n[![CI](https://github.com/pmonks/tools-licenses/actions/workflows/ci.yml/badge.svg?branch=dev)](https://github.com/pmonks/tools-licenses/actions?query=workflow%3ACI+branch%3Adev)\n[![Dependencies](https://github.com/pmonks/tools-licenses/actions/workflows/dependencies.yml/badge.svg?branch=dev)](https://github.com/pmonks/tools-licenses/actions?query=workflow%3Adependencies+branch%3Adev)\n\u003cbr/\u003e\n[![Latest Version](https://img.shields.io/clojars/v/com.github.pmonks/tools-licenses)](https://clojars.org/com.github.pmonks/tools-licenses/)\n[![License](https://img.shields.io/github/license/pmonks/tools-licenses.svg)](https://github.com/pmonks/tools-licenses/blob/release/LICENSE)\n[![Open 
Issues](https://img.shields.io/github/issues/pmonks/tools-licenses.svg)](https://github.com/pmonks/tools-licenses/issues)\n![Maintained](https://badges.ws/badge/?label=maintained\u0026value=yes,+at+author's+discretion)\n\nA Clojure [tools.build](https://github.com/clojure/tools.build) task library for interrogating your project's dependencies' licenses.  Somewhat inspired by the (discontinued) [`lein-licenses`](https://github.com/technomancy/lein-licenses/) Leiningen plugin, but with the added benefit of canonicalisation to [SPDX](https://spdx.dev/) [License Expressions](https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/).\n\nIt also provides the ability to check your (Apache-2.0 licensed) project against the [Apache Software Foundation's 3rd Party License Policy](https://www.apache.org/legal/resolved.html).\n\nNote: `tools-licenses` assumes a \"flat\" project organisational structure, where each project is defined by a directory containing a `deps.edn` file, and all of its sub-directories.  This may or may not work well with monolithic development models (such as [Polylith](https://polylith.gitbook.io/polylith)), where all source code is managed out of a single, large, deeply-nested directory structure.  That said, `tools-licenses` will do _something_, but whether that thing is what you're expecting and/or useful is quite another matter.\n\n## Disclaimer\n\n**The author and contributors to `tools-licenses` are not lawyers, and neither they nor `tools-licenses` itself provide legal advice. 
This is simply a tool that might help you and your legal counsel perform licensing due diligence on your projects.**  If you need a primer on the legal aspects of open source software, the author has found the [Blue Oak Council](https://blueoakcouncil.org/) to be a useful resource.\n\n## System Requirements\n\nThis tool uses the [`lice-comb` library](https://github.com/pmonks/lice-comb), which has these system requirements:\n\n* JDK 11 or higher.\n\n* An internet connection.\n\n* Assumes Maven is installed and in the `PATH` (but has fallback logic if it isn't available).\n\n## Tasks\n\n1. `licenses` - attempt to display the licenses used by all transitive dependencies of the project\n2. `check-asf-policy` - attempt to check your project's probable compliance (or not) with the ASF's 3rd Party License Policy\n\n## Why not [`tools.deps`' built-in license detection](https://clojure.org/reference/deps_and_cli#_other_programs)?\n\n`tools.deps`' license discovery logic (provided via the command `clj -X:deps list`) has several serious shortcomings, including:\n\n* It only scans Maven POM files for license information, and silently ignores projects that don't have license tags in their POM file, or don't have a POM file at all. This is a problem because:\n  * git dependencies (whose use is encouraged by tools.deps/tools.build) don't need a POM file (and in practice most don't provide one)\n  * silently ignoring projects that lack a `pom.xml` file (or have one that doesn't contain licensing information) may lull users into a false sense of security vis-a-vis license compliance\n  * [Clojars only recently started mandating license information in the POM files it hosts](https://github.com/clojars/clojars-web/issues/873), and as of mid-2023 around 1/3 of all projects deployed there do not include any licensing information in their POM files\n* It's coupled to tools.deps and cannot easily be consumed as an independent library. 
It's also dependent on tools.deps state management (e.g. requires POM files to be downloaded locally).\n* It doesn't canonicalise license information to SPDX License Expressions, or even (in some cases) SPDX License Identifiers.\n* It only reports the first license for multi-licensed artifacts.\n\n## Why not [`scarletcomply/license-finder`](https://github.com/scarletcomply/license-finder)?\n\nIt uses `tools.deps`' license discovery logic under the covers, so has all of the same issues.  It does provide a better user experience however (it's packaged as a tool, has more output options, etc.).\n\n## I use Leiningen - is something like `tools-licenses` available?\n\nWhile Leiningen's original [`lein-licenses` plugin](https://github.com/technomancy/lein-licenses) was discontinued some years ago and finally archived in 2020, [JohnnyJayJay has developed an alternative `lein-licenses` plugin](https://github.com/JohnnyJayJay/lein-licenses/) that leverages the same underlying license detection library ([`lice-comb`](https://github.com/pmonks/lice-comb)) as `tools-licenses`, thereby offering similar capabilities.\n\n## Usage\n\n### Documentation\n\n[API documentation is available here](https://pmonks.github.io/tools-licenses/), or [here on cljdoc](https://cljdoc.org/d/com.github.pmonks/tools-licenses/).\n\n[FAQ is available here](https://github.com/pmonks/tools-licenses/wiki/FAQ).\n\n### Adding the tasks to your tools.build script\n\nAdd the tool as a Maven dependency to your `deps.edn`, in your build alias:\n\n```edn\n  :aliases\n    :build\n      {:deps {com.github.pmonks/tools-licenses {:mvn/version \"LATEST_CLOJARS_VERSION\"}}  ; Or use \"RELEASE\" to blindly follow the latest release of the tool\n       :ns-default your.build.ns}\n```\n\nRequire the namespace in your tools.build script (typically called `build.clj`), and add task functions that delegate to the tool:\n\n```clojure\n(ns your.build.ns\n  (:require [tools-licenses.tasks :as lic]))\n\n(defn licenses\n  
\"Attempts to list all licenses for the transitive set of dependencies of the\n  project, as SPDX license expressions.\"\n  [opts]\n  (lic/licenses opts))\n\n; And, optionally:\n(defn check-asf-policy\n  \"Checks this project's dependencies' licenses against the ASF's 3rd party\n  license policy (https://www.apache.org/legal/resolved.html).\n\n  Note: only meaningful if this project is Apache-2.0 licensed.\"\n  [opts]\n  (lic/check-asf-policy opts))\n```\n\nYou may also wish to configure a logging implementation for your `build` alias, since this tool can emit logging output (mostly from the Java libraries it uses).  For example (using log4j2, though you may choose any logging implementation you like that supports [SLF4J](https://www.slf4j.org/)):\n\n```edn\n    :build\n      {:deps {com.github.pmonks/tools-licenses           {:mvn/version \"LATEST_CLOJARS_VERSION\"}  ; Or use \"RELEASE\" to blindly follow the latest release of the tool\n              org.apache.logging.log4j/log4j-api         {:mvn/version \"2.21.1\"}\n              org.apache.logging.log4j/log4j-core        {:mvn/version \"2.21.1\"}\n              org.apache.logging.log4j/log4j-jul         {:mvn/version \"2.21.1\"}    ; Java utils clogging bridge\n              org.apache.logging.log4j/log4j-jcl         {:mvn/version \"2.21.1\"}    ; Apache commons clogging bridge\n              org.apache.logging.log4j/log4j-slf4j2-impl {:mvn/version \"2.21.1\"}    ; SLF4J clogging bridge\n              org.apache.logging.log4j/log4j-1.2-api     {:mvn/version \"2.21.1\"}}   ; log4j1 clogging bridge\n       :ns-default your.build.ns}\n```\n\nThen add this `log4j2.xml` file in the root directory of your project (or another directory, which would then need to be added to the `:paths` of your build alias):\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cConfiguration status=\"WARN\" strict=\"true\"\u003e\n  \u003cProperties\u003e\n    \u003cProperty 
name=\"filename\"\u003ebuild.log\u003c/Property\u003e\n  \u003c/Properties\u003e\n  \u003cAppenders\u003e\n    \u003cAppender type=\"File\" name=\"File\" fileName=\"${filename}\"\u003e\n      \u003cLayout type=\"PatternLayout\" pattern=\"%d %p %C{1.} [%t] %m%n\" /\u003e\n    \u003c/Appender\u003e\n  \u003c/Appenders\u003e\n  \u003cLoggers\u003e\n    \u003c!-- These libraries tend to be exceptionally noisy, even at WARN --\u003e\n    \u003cLogger name=\"org.apache\" level=\"FATAL\"\u003e\n      \u003cAppenderRef ref=\"File\"/\u003e\n    \u003c/Logger\u003e\n    \u003cLogger name=\"org.eclipse\" level=\"FATAL\"\u003e\n      \u003cAppenderRef ref=\"File\"/\u003e\n    \u003c/Logger\u003e\n    \u003cRoot level=\"WARN\"\u003e\n      \u003cAppenderRef ref=\"File\"/\u003e\n    \u003c/Root\u003e\n  \u003c/Loggers\u003e\n\u003c/Configuration\u003e\n```\n\n### Using the tasks from the command line\n\n#### `licenses` task\n\nExample summary output:\n\n\u003cimg alt=\"Example output from licenses task, summary sub-task\" src=\"demo-licenses-summary.png\" width=\"75%\"/\u003e\n\nOther invocation possibilities:\n* `clj -T:build licenses :output :summary` - the default (see above)\n* `clj -T:build licenses :output :detailed` - detailed per-dependency license information\n* `clj -T:build licenses :output :edn` - detailed per-dependency license information in EDN format\n* `clj -T:build licenses :output :explain :dep \u003cdep symbol\u003e` - an explanation of how the tool arrived at the given license(s) for a single dep (expressed as a tools.deps symbol). 
For example:\n\n\u003cimg alt=\"Example output from licenses task, explain sub-task\" src=\"demo-licenses-explain.png\" width=\"75%\"/\u003e\n\nIf you see `Unidentified (\u003csome text\u003e)` licenses in the output, but the license is listed in the [SPDX license list](https://spdx.org/licenses/), **[please raise an issue here](https://github.com/pmonks/lice-comb/issues/new?assignees=pmonks\u0026labels=unknown+licenses\u0026template=Unknown_licenses.md)**.\n\n#### `check-asf-policy` task\n\nExample summary output:\n\n\u003cimg alt=\"Example output from check-asf-policy task, summary sub-task\" src=\"demo-check-asf-policy.png\" width=\"75%\"/\u003e\n\nOther invocation possibilities:\n* `clj -T:build check-asf-policy :output :summary` - the default (see above)\n* `clj -T:build check-asf-policy :output :detailed` - detailed per-dependency ASF category information\n* `clj -T:build check-asf-policy :output :edn` - detailed per-dependency ASF category information in EDN format\n\n## Contributor Information\n\n[Contributing Guidelines](https://github.com/pmonks/tools-licenses/blob/release/.github/CONTRIBUTING.md)\n\n[Bug Tracker](https://github.com/pmonks/tools-licenses/issues)\n\n[Code of Conduct](https://github.com/pmonks/tools-licenses/blob/release/.github/CODE_OF_CONDUCT.md)\n\n### Developer Workflow\n\nThis project uses the [git-flow branching strategy](https://nvie.com/posts/a-successful-git-branching-model/), and the permanent branches are called `release` and `dev`.  Any changes to the `release` branch are considered a release and auto-deployed (JARs to Clojars, API docs to GitHub Pages, etc.).\n\nFor this reason, **all development must occur either in branch `dev`, or (preferably) in temporary branches off of `dev`.**  All PRs from forked repos must also be submitted against `dev`; the `release` branch is **only** updated from `dev` via PRs created by the core development team.  
All other changes submitted to `release` will be rejected.\n\n### Build Tasks\n\n`tools-licenses` uses [`tools.build`](https://clojure.org/guides/tools_build). You can get a list of available tasks by running:\n\n```\nclojure -A:deps -T:build help/doc\n```\n\nOf particular interest are:\n\n* `clojure -T:build test` - run the unit tests\n* `clojure -T:build lint` - run the linters (clj-kondo and eastwood)\n* `clojure -T:build ci` - run the full CI suite (check for outdated dependencies, run the unit tests, run the linters)\n* `clojure -T:build install` - build the JAR and install it locally (e.g. so you can test it with downstream code)\n\nPlease note that the `deploy` task is restricted to the core development team (and will not function if you run it yourself).\n\n## License\n\nCopyright © 2021 Peter Monks\n\nDistributed under the [Mozilla Public License, version 2.0](https://www.mozilla.org/en-US/MPL/2.0/).\n\nSPDX-License-Identifier: [`MPL-2.0`](https://spdx.org/licenses/MPL-2.0)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmonks%2Ftools-licenses","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpmonks%2Ftools-licenses","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmonks%2Ftools-licenses/lists"}