OpenSource code refers to software available for use, study, change, and distribution by anyone and for any purpose provided that the corresponding license conditions are met. License violation may end up with litigations, damage compensation, obligation to disclose intellectual property as well as reputational losses.
In a project with many external dependencies it might be really difficult to trace license obligations. Also if many collaborators are involved, a risk of non-intentional license violation (such as via Copy-Paste) grows. There are even more tricky nuances such as double-licensed dependencies or license change (because of owner, purpose, legislation change) that may make a previously safe dependency to become an unsafe one over time.
License Pre-Validation Service (LPVS) helps to mitigate license-related risks for OpenSource code. The tool analyzes the project, identifies its components and their respective licenses at every commit. Then it returns the list of potential issue cases as GitHub comments. LPVS provides the comprehensive description of possible license violations, including risky code location and license issue overview.
- available license scanners: SCANOSS
- LPVS supports GitHub review system
LPVS license scan shall be enabled on a project via GitHub Hooks:
-
In
src/main/resources/application.propertiesspecify the account to be used for posting scan results as a review message. The following fields should be filled:github.token. -
Add the user specified in
github.tokenas a collaborator to your GitHub project. -
Configure webhook in your GitHub repository settings:
- go to
Settings->Hooks - press
Add webhook - fill in Payload URL with:
http://<IP where LPVS is running>:7896/webhooks - specify content type:
application/json - fill in
Secretfield with the passphrase:LPVS - select
Let me select individual events->Pull requests(make sure that onlyPull requestsis selected) - make it
Active - press
Add Webhook
Create a new pull request and update it with commits. LPVS will start scanning automatically, then provide comments about the licenses found in the project.
-
Install SCANOSS Python package by following the guideline.
-
Fill in
licenses.jsonfile with the information about permitted, restricted, and prohibited licenses (mandatory) as well as their compatibility specifics (optional). A template of thelicenses.jsonfile can be found in the repository atsrc/main/resources/licenses.json. -
Fill in the lines of the
src/main/resources/application.propertiesfile:# Used license scanner: scanoss (at the moment, only this scanner is supported) scanner=scanoss # Path to the 'licenses.json' file which contains information about permitted, # restricted and prohibited licenses. This file should be filled according to # the template which could be found at 'src/main/resources/licenses.json' license_filepath= # Used license conflicts source: # > option "json": take conflicts from 'licenses.json' (should be filled manually # according to the template at 'src/main/resources/licenses.json') # > option "scanner": take conflicts from the scanner response license_conflict=json -
Build LPVS application with Maven, then run it:
mvn clean install cd target/ java -jar lpvs-1.0.0.jarOr alternatively build and run the Docker container with LPVS:
docker build -t lpvs . docker run -p 7896:7896 --name lpvs -e LPVS_GITHUB_TOKEN=<`github.token`> lpvs:latest
For additional information about using Docker and tips, please check file Docker_Usage.
-
Install ngrok (step 1 and 2) and run it with the following command:
./ngrok http 7896
At this point LPVS is ready for work.
The LPVS source code is distributed under the MIT open source license.
You are welcome to contribute to LPVS project.
Contributing is also a great way to practice social coding at Github, study new technologies and enrich your public portfolio.
How to contribute code
How to report a security vulnerability