davglass / license-checker

Check NPM package licenses

Be able to specify unknown license

CatalinaMoisuc opened this issue · comments

Sometimes one license is UNKNOWN and it would be nice to be able to specify the license if license-checker doesn't find it.
Example:

├─ png-js@0.1.1
│ ├─ licenses: UNKNOWN
│ ├─ repository: https://github.com/devongovett/png.js
│ ├─ publisher: Devon Govett
│ ├─ email: devongovett@gmail.com
│ ├─ url: http://badassjs.com/
│ ├─ path: /png-js
│ └─ licenseFile: /node_modules/png-js/README.md

When you go to the repo, there is a LICENSE file (no *.txt) and also Github recognizes it as being MIT.
It would be nice if I could just say something like: --include 'png-js@0.1.1;MIT' or provide a path to a config file: --unknownLicenses 'licenses.yml' to specify unknown licenses that would be taken into consideration for the output when a license is not found.

This is one of those weird packages. The tarball for 0.1.1 does not contain the LICENSE file:

$ npm install png-js
$ ls node_modules/png-js/
README.md  images  index.html  package.json  png-node.coffee  png-node.js  png.coffee  png.js  zlib.js
$ cat node_modules/png-js/package.json | grep version
  "version": "0.1.1"

It looks like the LICENSE file was added to the repo after the 0.1.1 package was released. In this case license-checker is doing exactly what it was supposed to do. If the LICENSE file was in the published package then license-checker would detect it properly and it would be good. However since it was published and distributed without a license, it's technically unlicensed code.

@davglass thank you for clarifying.
I understand that this is a weird package, but still, it would be nice to be able to manually specify missing licenses when they are not found.
It would bring a huge plus especially since other similar libraries are already offering this possibility.

I'm not really a fan of overriding the license that was detected. That's a pretty dangerous thing to do. In this case it's a valid issue. The version of that package is not licensed MIT, it's unlicensed as it was distributed without a license. Just allowing an arg to say "ignore the license that it sees, and make it something else" defeats the purpose of this module. It can lead to all kinds of false issues.

@davglass yes indeed, in this case, but when the license exists but it is not detected because it was not added in the right place, that is a case when you would want to override it.

I second that, I need to whitelist allowed licenses and fail the build if other licenses are used. Having a local file where we can specify the license makes it possible to include it; without that I would need to allow unknown and unlicensed modules, which in my opinion is worse than the ability to override it.

At least the override file will be version controlled and reviewed every time it is modified.
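The two positions in this thread (davglass: a blanket override defeats the point of the tool; the later commenters: a reviewed, version-controlled override file is better than allowing UNKNOWN wholesale) can both be satisfied by a small CI gate that consumes `license-checker --json` output. The script below is an added example, not code from license-checker or from anyone in this thread. It assumes a hypothetical override file keyed by exact `name@version` pins, a constructed allowlist, and a constructed report in the same shape as the tree shown above (the non-`png-js` packages are made up for illustration). An override is honoured only when the detected license is UNKNOWN or UNLICENSED, so a license the tool actually found is never silently replaced, and an override whose pin no longer matches anything in the tree is reported as stale so it cannot outlive a version bump.

```javascript
'use strict';
// Added example (not license-checker's own code): gate a build on
// `license-checker --json` output with an allowlist and a reviewed,
// exact-version override file for packages whose license was not detected.

// Constructed sample of `license-checker --json` output. Keys are name@version;
// `licenses` is the detected SPDX id, an SPDX expression, or an array when the
// package declares several. A trailing '*' marks a license license-checker
// guessed from the license file text rather than read from package.json.
const SAMPLE_REPORT = {
  'png-js@0.1.1': {
    licenses: 'UNKNOWN',
    repository: 'https://github.com/devongovett/png.js',
    licenseFile: '/node_modules/png-js/README.md',
  },
  'example-lib@2.0.0': { licenses: 'MIT*' },               // made up
  'example-copyleft@1.0.0': { licenses: '(GPL-3.0 OR MIT)' }, // made up
  'example-dual@3.1.0': { licenses: ['Apache-2.0', 'CC-BY-4.0'] }, // made up
};

// Constructed override file (hypothetical `license-overrides.json`, committed
// and reviewed on every change). Keys must be exact name@version pins.
const SAMPLE_OVERRIDES = {
  'png-js@0.1.1': {
    license: 'MIT',
    reason: 'Upstream repo has an MIT LICENSE file that is missing from the 0.1.1 tarball',
    reviewer: 'legal@example.com',
  },
};

// Constructed allowlist; tune to your own policy.
const ALLOWED = new Set(['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0']);
// Only these detected values may be replaced by an override.
const OVERRIDABLE = new Set(['UNKNOWN', 'UNLICENSED']);

// Normalise the `licenses` field into a list of ids, dropping the '*' guess marker.
function licenseIds(value) {
  const list = Array.isArray(value) ? value : [value];
  return list.map((s) => String(s).replace(/\*$/, '').trim());
}

// Accept a flat SPDX expression: 'A OR B' needs one allowed branch,
// 'A AND B' needs every part allowed. Nested expressions are rejected so
// they get a human look rather than a guess.
function isAllowed(expr, allowed) {
  const inner = expr.replace(/^\((.*)\)$/, '$1').trim();
  if (/[()]/.test(inner)) return false;
  if (inner.includes(' OR ')) return inner.split(' OR ').some((p) => allowed.has(p.trim()));
  if (inner.includes(' AND ')) return inner.split(' AND ').every((p) => allowed.has(p.trim()));
  return allowed.has(inner);
}

// Apply overrides (exact pin + undetected license only), then check every
// package against the allowlist. Returns what CI should print: overrides
// that were applied, packages that fail, and overrides that matched nothing.
function checkReport(report, overrides, allowed) {
  const applied = [];
  const failures = [];
  const unusedOverrides = new Set(Object.keys(overrides));
  for (const [pkg, info] of Object.entries(report)) {
    let ids = licenseIds(info.licenses);
    const ov = overrides[pkg]; // exact name@version lookup, no ranges
    if (ov && ids.every((id) => OVERRIDABLE.has(id))) {
      ids = [ov.license];
      applied.push({ pkg, license: ov.license, reason: ov.reason });
      unusedOverrides.delete(pkg);
    }
    // An array means several licenses apply at once; all of them must pass.
    if (!ids.every((id) => isAllowed(id, allowed))) failures.push({ pkg, licenses: ids });
  }
  return { applied, failures, unusedOverrides: [...unusedOverrides] };
}

// Returns the exit code CI should use: non-zero on any failure or stale override.
function gate(report, overrides, allowed) {
  const result = checkReport(report, overrides, allowed);
  for (const a of result.applied) console.log(`override  ${a.pkg} -> ${a.license} (${a.reason})`);
  for (const f of result.failures) console.log(`DISALLOWED ${f.pkg}: ${f.licenses.join(', ')}`);
  for (const u of result.unusedOverrides) console.log(`STALE override ${u}: no such package in tree`);
  return result.failures.length || result.unusedOverrides.length ? 1 : 0;
}

// Demo run on the constructed data; in CI, parse `license-checker --json`
// output and the override file instead, and set process.exitCode to the result.
gate(SAMPLE_REPORT, SAMPLE_OVERRIDES, ALLOWED);
```

In a pipeline, run `license-checker --json > report.json`, parse that file and the override file, and assign `process.exitCode = gate(report, overrides, ALLOWED)`. Because the override key is an exact pin, bumping `png-js` to a version that ships its LICENSE file makes the old entry stale and fails the build until someone removes it, which keeps the override file honest.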

@CatalinaMoisuc Had a similar issue. Maybe it is still of interest, here you go: https://github.com/mgreg89/license-checker