Gathering detailed insights and metrics for @brainhubeu/license-auditor
Gathering detailed insights and metrics for @brainhubeu/license-auditor
Gathering detailed insights and metrics for @brainhubeu/license-auditor
Gathering detailed insights and metrics for @brainhubeu/license-auditor
npm install @brainhubeu/license-auditor
Typescript
Module System
69.5
Supply Chain
99
Quality
87.7
Maintenance
100
Vulnerability
99.3
License
TypeScript (97.52%)
JavaScript (2.47%)
Shell (0.01%)
Total Downloads
47,540
Last Day
40
Last Week
500
Last Month
2,405
Last Year
29,842
10 Stars
265 Commits
103 Branches
18 Contributors
Latest Version
1.2.0
Package Id
@brainhubeu/license-auditor@1.2.0
Unpacked Size
47.34 kB
Size
11.67 kB
File Count
29
Cumulative downloads
Total Downloads
Last day
-64.6%
40
Compared to previous day
Last week
-28%
500
Compared to previous week
Last month
-24.4%
2,405
Compared to previous month
Last year
411.8%
29,842
Compared to previous year
License Auditor helps you track and validate licenses inside your project.
License Auditor helps you track and validate licenses inside your project. Prevents unwanted law complications. The license Auditor includes a step in your pipeline and creates notifications about potential problems with used licenses. At the moment, a notification means a comment.
To start using the License Auditor, install its package with NPM:
1npm install @brainhubeu/license-auditor
or Yarn:
1yarn add @brainhubeu/license-auditor
In the next step, copy license-template
directory with licenses.js
, blacklist.js
, and whitelist.js
files, naming it license
in your project. The first one contains a full list of all currently acknowledged, depreciated, and exceptional software licenses. To whitelist or blacklist the license, you must copy selected licenses from the main file into them.
Whitelisting stops License Auditor from analyzing and displaying any notifications for a given package with whitelisted license type. Blacklisting a license leads to the generation of fail notification log or causes CI job to fail if the blacklisted license is found, which prevents the developer from merging unwanted dependencies into the destination branch. Any license that is included in neither blacklist.js
nor whitelist.js
, but is found during packages analyze or merge request, becomes a warning, which developer should address during merge process or further development.
If a given dependency has no license specified, it's marked with UNKNOWN
and thus the default blacklist contains UNKNOWN
license to notify about a potentially unwanted license.
For License Auditor to work, all project dependencies have to be installed before an audit. License Auditor iterates through the node_modules
and retrieves the license information from them. List of licenses is also available at spdx site.
The order of files in which the license information is retrieved from is: package.json
, LICENSE
, LICENCE
, COPYING
, README
. Warning and Error notifications specify the license file that it has been read from. In some cases, license files may not provide the license directly. The asterisk *
symbol next to shown license name indicates that it is the closest possible, but not fully confirmed license.
If you intend to use License Auditor with GitLab CI or GitHub Actions, you have to copy CI example file to the root of your project directory and RENAME it to dangerfile.js
. This example provides a base for CI-oriented licenses checking using DangerJS (for more information this framework, visit official Danger Systems site).
Then, you have to include it in your pipeline. The basic structure of Gitlab pipeline step should look like this:
1check_foo_licenses: 2 stage: CheckFooLicenses 3 image: node:alpine 4 script: 5 - yarn add -D danger @brainhubeu/license-auditor 6 - yarn danger ci --failOnErrors --id Foo 7 variables: 8 DANGER_GITLAB_API_TOKEN: $GITLAB_ACCESS_TOKEN 9 PROJECT_PATH: $PATH_TO_FOO_PACKAGE # it could look like: ./packages/web or ./server 10 only: 11 - merge_requests
and the basic structure for Github Actions:
1 - name: CheckBarLicenses 2 run: | 3 yarn add -D danger @brainhubeu/license-auditor 4 yarn danger ci --failOnErrors --verbose --id Bar 5 env: 6 DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_ACCESS_TOKEN }} 7 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 8 PROJECT_PATH: $PATH_TO_BAR_PACKAGE # it could look like: ./packages/web or ./server
You can find more examples in examples directory for GitLab and GitHub.
To allow automatic comments posting on MRs/PRs, you need to create either Gitlab Access Token
or Github Access Token
in a profile that is going to post comments
under MRs/ PRs. Then you need to specify environmental variables with key DANGER_GITLAB_API_TOKEN
or DANGER_GITHUB_API_TOKEN
and value being the acquired token.
The Access Token needs to have the ability to use the Github/Gitlab API and write discussions for MRs/PRs.
In provided examples, the new Gitlab and Github accounts were created to act as a "bot", that was posting MR/PR comments based on license information. Both of them were named HAL9002.
The comments should look similar to:
for Gitlab:
for Github:
You can find more information about Github and Gitlab configuration here.
To use a logging tool instead of CI, copy logging example file to the root of your project directory. It is intended to log used license information into the console of your preference. To use it, you need to have a JavaScript runtime environment installed (e.g. Node.js). Then, just simply type:
1node logging_example.js
This command will list fails for every dependency that was blacklisted in blacklist.js
file and warnings for licenses that are missing on both whitelist.js
and blacklist.js
files.
You can also create your own implementation of warn
and fail
methods behavior based on your needs. To do so, we recommend to copy logging example file and change fail
and warn
methods implementations, remembering to preserve msg
input parameter and not to add new parameters, as they will be of no use.
release-<version>
e.g. release-v1.1.1
.yarn version
command and set a new version e.g v1.1.1
. Follow Semantic Versioning 2.0.0.git push --set-upstream origin release-v1.1.1 --tags
.v1.1.1
and fill in release notes. A new version will be published using Github Actions :tada:.yarn test
license-auditor
was built using:
license-auditor
is maintained by @jkthomas, @nikodemwrona and the Brainhub development team. It is funded by Brainhub and the names and logos for Brainhub are trademarks of Brainhub Sp. z o.o.. You can check other open-source projects supported/developed by our teammates here.
We love open-source JavaScript software! See our other projects or hire us to build your next web, desktop, and mobile application with JavaScript.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
Found 22/24 approved changesets -- score normalized to 9
Reason
2 existing vulnerabilities detected
Details
Reason
dependency not pinned by hash detected -- score normalized to 5
Details
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
Reason
license file not detected
Details
Reason
project is not fuzzed
Details
Reason
branch protection not enabled on development/release branches
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Score
Last Scanned on 2024-12-16
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More