# purl-license-checker
Retrieve missing licenses for `purl` documented dependencies.
[![CodeQL](https://github.com/Malwarebytes/purl-license-checker/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/Malwarebytes/purl-license-checker/actions/workflows/codeql.yml)
[![Downloads](https://static.pepy.tech/personalized-badge/purl-license-checker?period=total&units=international_system&left_color=grey&right_color=blue&left_text=Downloads)](https://pepy.tech/project/purl-license-checker)
[![Supported Versions](https://img.shields.io/pypi/pyversions/purl-license-checker.svg)](https://pypi.org/project/purl-license-checker)
[![Contributors](https://img.shields.io/github/contributors/malwarebytes/purl-license-checker.svg)](https://github.com/malwarebytes/purl-license-checker/graphs/contributors)
This CLI utility takes one or more purl-formatted URLs from stdin and tries to find the license attached to each of them by querying various package manager databases.
This is particularly useful for filling the gap left by GitHub's Dependabot, which misses 90% of licenses when working at scale with [ghas-cli](https://github.com/Malwarebytes/ghas-cli), for instance.
## Supported package managers
- GitHub Actions ✔️
- Composer ✔️
- Go ✔️
- Maven ✔️
- NPM: 🟠 [wip - see issue](https://github.com/Malwarebytes/purl-license-checker/issues/10)
- Nuget ✔️
- Pip: 🟠 [wip - see issue](https://github.com/Malwarebytes/purl-license-checker/issues/7)
- Rubygems ✔️
- Rust: 🟠 [wip - see issue](https://github.com/Malwarebytes/purl-license-checker/issues/12)
- Swift: 🟠 wip
## Installation
Builds are available in the [`Releases`](https://github.com/Malwarebytes/purl-license-checker/releases) tab and on [PyPI](https://pypi.org/project/purl-license-checker/).
* PyPI:
```bash
pip install purl-license-checker
```
* Manually:
```bash
python -m pip install /full/path/to/purl-license-checker-xxx.whl
# e.g: python3 -m pip install Downloads/purl-license-checker-0.5.0-none-any.whl
```
## Usage
To show the help message for each command, run `purl-license-checker -h`:
```
Usage: purl-license-checker [OPTIONS] COMMAND [ARGS]...

  Retrieve licenses for purl documented dependencies.

  Get help: `@jboursier-mwb` on GitHub

Options:
  --help  Show this message and exit.

Commands:
  get_license
  load_file
  merge_csv
```
### Get a license
```
get_license PURL GITHUB_TOKEN
```
For example:
```
get_license pip:ghas-cli gh-123456789qwerty
```
### Find licenses for a CSV list of purl dependencies
```
load_file PATH GITHUB_TOKEN
```
For example, with a `PATH` CSV file formatted as follows:
```csv
repo_name, purl, version, license
```
Missing licenses are set to `Unknown`, for instance:
```csv
ghas-cli, ghas-cli, com.github.Malwarebytes/ghas-cli,, MIT
ghas-cli, pip:charset-normalizer,3.3.2, MIT
ghas-cli, pip:colorama,0.4.6, BSD-2-Clause AND BSD-3-Clause
ghas-cli, pip:click,8.1.7, BSD-2-Clause AND BSD-3-Clause
ghas-cli, pip:python-magic,0.4.27, MIT
ghas-cli, pip:urllib3,2.2.3, MIT
ghas-cli, pip:requests,2.32.3, Apache-2.0
ghas-cli, pip:configparser,7.1.0, MIT
ghas-cli, pip:certifi,2024.8.30, MPL-2.0
ghas-cli, pip:idna,3.10, BSD-2-Clause AND BSD-3-Clause
ghas-cli, actions:actions/checkout,4.*.*, Unknown
ghas-cli, actions:github/codeql-action/analyze,3.*.*, Unknown
ghas-cli, actions:github/codeql-action/init,3.*.*, Unknown
ghas-cli, actions:actions/dependency-review-action,4.*.*, Unknown
```
`load_file` will do its best to find the licenses for all `Unknown` license fields and will output its results in `output.csv`.
The output format is as follows:
```csv
purl, license
```
For instance:
```csv
npm:unicode-match-property-ecmascript, MIT
npm:unicode-match-property-value-ecmascript, MIT
npm:unicode-property-aliases-ecmascript, MIT
npm:universalify, MIT
npm:unpipe, MIT
npm:use-sync-external-store, MIT
npm:util-deprecate, MIT
npm:utils-merge, MIT
```
### Fill an existing partial csv list of purl licenses
```
merge_csv LICENSES_INPUT_PATH DEPENDENCIES_OUTPUT_PATH GITHUB_TOKEN
```
Fills the `Unknown` licenses of the dependencies listed in `DEPENDENCIES_OUTPUT_PATH` (formatted as `repo_name, purl, version, license`) from `LICENSES_INPUT_PATH`, which contains only `purl, license` rows.
Particularly useful with a workflow based on [ghas-cli](https://github.com/Malwarebytes/ghas-cli).
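The merge described above, as an added example that is not code from purl-license-checker itself: it reads the two CSV layouts the README documents (with the padding spaces the examples use), fills only the `Unknown` license cells whose purl appears in the `purl, license` list, and reports the purls that remain unresolved so they can be re-queried. The sample rows are constructed for this example; the real `merge_csv` command may differ in details such as how malformed rows are handled.

```python
"""Fill `Unknown` licenses in a dependency CSV from a `purl, license` CSV.

Added example, not part of purl-license-checker. It follows the two CSV
layouts documented in the README:
  dependencies: repo_name, purl, version, license
  licenses:     purl, license
"""
import csv
import io

DEP_FIELDS = ["repo_name", "purl", "version", "license"]

# Constructed sample inputs (not real project output). The README examples
# pad cells with spaces after commas, so every cell is stripped on read.
DEPENDENCIES_CSV = """\
ghas-cli, pip:requests,2.32.3, Apache-2.0
ghas-cli, actions:actions/checkout,4.*.*, Unknown
ghas-cli, actions:github/codeql-action/init,3.*.*, Unknown
ghas-cli, npm:unpipe,1.0.0, Unknown
"""

LICENSES_CSV = """\
actions:actions/checkout, MIT
npm:unpipe, MIT
"""


def parse_rows(text):
    """Parse comma-separated text into lists of stripped cells, skipping blank lines."""
    return [[cell.strip() for cell in row] for row in csv.reader(io.StringIO(text)) if row]


def load_license_map(text):
    """Build {purl: license} from `purl, license` rows.

    Rows with the wrong field count, an empty license or a literal `Unknown`
    are ignored so they never overwrite a value we already know.
    """
    mapping = {}
    for row in parse_rows(text):
        if len(row) != 2:
            continue
        purl, lic = row
        if lic and lic != "Unknown":
            mapping[purl] = lic
    return mapping


def merge_licenses(dependencies_text, licenses_text):
    """Return (merged_rows, unresolved_purls).

    Only cells equal to `Unknown` are replaced; known licenses are never
    overwritten, and rows that do not have the four documented fields are
    passed through untouched rather than dropped.
    """
    mapping = load_license_map(licenses_text)
    merged, unresolved = [], []
    for row in parse_rows(dependencies_text):
        if len(row) != len(DEP_FIELDS):
            merged.append(row)
            continue
        repo, purl, version, lic = row
        if lic == "Unknown":
            lic = mapping.get(purl, "Unknown")
            if lic == "Unknown":
                unresolved.append(purl)
        merged.append([repo, purl, version, lic])
    return merged, unresolved


def to_csv(rows):
    """Serialise rows back to CSV text (no padding spaces)."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows, unresolved = merge_licenses(DEPENDENCIES_CSV, LICENSES_CSV)
    print(to_csv(rows))
    print("still unknown:", unresolved)
```

Matching is by purl only, as in the README's `purl, license` output format, so a license found for one version of a package is applied to any `Unknown` row for that package; if you need version-specific results, key the map on `(purl, version)` instead.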
## Development
### Build
[Install Poetry](https://python-poetry.org/docs/#installation) first, then:
```bash
make dev
```
### Bump the version number
* Bump the version number: `poetry version x.x.x`
* Update the `__version__` field in `src/cli.py` accordingly.
### Publish a new version
**Requires `syft` to be installed to generate the SBOM.**
1. Bump the version number as described above
2. `make deps` to update the dependencies
3. `make release` to build the packages
4. `git commit -a -S -m "Bump to version 1.1.2"` and `git tag -s v1.1.2 -m "1.1.2"`
5. Upload `dist/*`, `checksums.sha512` and `checksums.sha512.asc` to a new release in GitHub.
## Miscellaneous
This repository is provided as-is and isn't bound to Malwarebytes' SLA.
Raw data
{
"_id": null,
"home_page": "https://github.com/Malwarebytes/purl-license-checker",
"name": "purl-license-checker",
"maintainer": null,
"docs_url": null,
"requires_python": "<4,>=3.12",
"maintainer_email": null,
"keywords": "security, cli, license, purl, opensource, utility",
"author": "jboursier",
"author_email": "jboursier@malwarebytes.com",
"download_url": "https://files.pythonhosted.org/packages/77/cf/d722f5e085989a191c5b8ea153afc76ea0fea3cfdc3eacd75cdb95342d2a/purl_license_checker-0.0.2.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "MIT",
"summary": "Retrieve licenses for purl documented dependencies.",
"version": "0.0.2",
"project_urls": {
"Documentation": "https://github.com/Malwarebytes/purl-license-checker/wiki",
"Homepage": "https://github.com/Malwarebytes/purl-license-checker",
"Repository": "https://github.com/Malwarebytes/purl-license-checker"
},
"split_keywords": [
"security",
" cli",
" license",
" purl",
" opensource",
" utility"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "e90d711ebaacded4776a35aeb7c05ac6fe861ccbbef51c29576c27f2fe36f9ea",
"md5": "822ddd188ba3fa52b9e1270a718626ff",
"sha256": "f6a8624d25638419460b5763b2b7025771a23f70c2bb42180cebdfa733c18ccc"
},
"downloads": -1,
"filename": "purl_license_checker-0.0.2-py3-none-any.whl",
"has_sig": false,
"md5_digest": "822ddd188ba3fa52b9e1270a718626ff",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<4,>=3.12",
"size": 5206,
"upload_time": "2025-01-23T16:20:02",
"upload_time_iso_8601": "2025-01-23T16:20:02.082780Z",
"url": "https://files.pythonhosted.org/packages/e9/0d/711ebaacded4776a35aeb7c05ac6fe861ccbbef51c29576c27f2fe36f9ea/purl_license_checker-0.0.2-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "77cfd722f5e085989a191c5b8ea153afc76ea0fea3cfdc3eacd75cdb95342d2a",
"md5": "b6f791ddc43957e36bf65f4be2afaaab",
"sha256": "75fae1cbe329de2601f0045d54246001dd599d54173ae7462ef84c2fa144f414"
},
"downloads": -1,
"filename": "purl_license_checker-0.0.2.tar.gz",
"has_sig": false,
"md5_digest": "b6f791ddc43957e36bf65f4be2afaaab",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<4,>=3.12",
"size": 5228,
"upload_time": "2025-01-23T16:20:03",
"upload_time_iso_8601": "2025-01-23T16:20:03.866097Z",
"url": "https://files.pythonhosted.org/packages/77/cf/d722f5e085989a191c5b8ea153afc76ea0fea3cfdc3eacd75cdb95342d2a/purl_license_checker-0.0.2.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-01-23 16:20:03",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "Malwarebytes",
"github_project": "purl-license-checker",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "purl-license-checker"
}