License Policies and Compliance Alerts
In this tutorial, we’ll introduce ScanCode.io’s license policies and compliance alerts system and use the results of a pipeline run to demonstrate an example of the license policies and compliance alerts output.
As already mentioned, ScanCode.io automates the process of Software Composition Analysis “SCA” to identify existing open source components and their license compliance data in an application’s codebase.
ScanCode.io also gives users the ability to define a set of license policies to have their projects checked against with a compliance system.
Refer to License Policies and Compliance Alerts for details about the policies system.
Instructions
Create a policies.yml
file with the following content:
license_policies:
- license_key: mit
label: Approved License
compliance_alert: ''
- license_key: gpl-3.0
label: Prohibited License
compliance_alert: error
Run the following command to create a project and run the scan_codebase
pipeline
(make sure to use the proper path for the policies.yml file):
$ scanpipe create-project cuckoo-filter-with-policies \
--input-url https://files.pythonhosted.org/packages/75/fc/f5b2e466d763dcc381d5127b73ffc265e8cdaf39ddafa422b7896e625432/cuckoo_filter-1.0.6.tar.gz \
--input-file policies.yml \
--pipeline scan_codebase \
--execute
Generate results:
$ scanpipe output --print --project cuckoo-filter-with-policies
The computed compliance alerts are now included in the results, available for each detected license, and computed at the codebase resource level, for example:
{
"for_packages": [],
"compliance_alert": "error",
"path": "cuckoo_filter-1.0.6.tar.gz-extract/cuckoo_filter-1.0.6/README.md",
"licenses": [
{
"key": "mit",
"name": "MIT License",
"policy": {
"label": "Recommended License",
"compliance_alert": ""
},
},
{
"key": "gpl-3.0",
"name": "GNU General Public License 3.0",
"policy": {
"label": "Prohibited License",
"compliance_alert": "error"
}
}
],
"license_expressions": [
"mit OR gpl-3.0"
],
"status": "scanned",
"name": "README",
"[...]": "[...]"
}
Run the check-compliance
command
Run the check-compliance
command to get a listing of the compliance alerts detected
in the project:
$ scanpipe check-compliance --project cuckoo-filter-with-policies --verbosity 2
4 compliance issues detected on this project.
[packages]
> ERROR: 3
pkg:pypi/cuckoo-filter@.
pkg:pypi/cuckoo-filter@1.0.6
pkg:pypi/cuckoo-filter@1.0.6
[resources]
> ERROR: 1
cuckoo_filter-1.0.6.tar.gz-extract/cuckoo_filter-1.0.6/README.md
Tip
In case of compliance alerts, the command returns a non-zero exit code which may be useful to trigger a failure in an automated process.