
aaronpowell/dotnet-delice


dotnet-delice

delice is a tool for determining the license information of the packages that are referenced in a project/solution. This is a port of the Node.js utility delice, created by Tierney Cyren.

Note: dotnet-delice only supports SDK project files for C#, F# and VB.NET (although I'm not sure on VB.NET, never tried it!), not the legacy "MSBuild style" project files (which only support .NET full framework). If you are still using the legacy project file the tool will fail. I'd encourage you to try and upgrade (using a tool such as CsprojToVs2017).

Usage

This tool ships as a dotnet global tool and can be installed like so:

dotnet tool install -g dotnet-delice

You can then use it like so:

dotnet delice [folder, sln, csproj, fsproj]

Commands

  • -?|-h|--help Boolean. Show help.
  • -j|--json Boolean. Output results as JSON rather than pretty-print.
  • --json-output [path] String. Path to file that the JSON should be written to. Note: Only in use if you use -j|--json.
  • --check-github Boolean. If the license URL (for a legacy package) points to a GitHub hosted file, use the GitHub API to try and retrieve the license type.
  • --github-token <token> String. A GitHub Personal Access Token (PAT) to use when checking the GitHub API for license types. This avoids being rate limited when checking a project.
  • --check-license-content Boolean. When provided the contents of the license file will be compared to known templates.
  • --refresh-spdx Boolean. When provided the tool will also refresh the SPDX license cache used for conformance information.

Output

  • Project Name
    • The name of the project that was checked
  • License Expression
    • A license expression found when parsing references
    • Some packages may result in an undetermined license. See Undetermined Licenses for more information
  • Packages
    • The name(s) of the packages found for that license

The following is an example of pretty-printed output:

Project dotnet-delice
License Expression: MIT
├── There are 10 occurances of MIT
├─┬ Conformance:
│ ├── Is OSI Approved: true
│ ├── Is FSF Free/Libre: true
│ └── Included deprecated IDs: false
└─┬ Packages:
  ├── FSharp.Core
  ├── Microsoft.NETCore.App
  ├── Microsoft.NETCore.DotNetAppHost
  ├── Microsoft.NETCore.DotNetHostPolicy
  ├── Microsoft.NETCore.DotNetHostResolver
  ├── Microsoft.NETCore.Platforms
  ├── Microsoft.NETCore.Targets
  ├── NETStandard.Library
  ├── Newtonsoft.Json
  └── System.ComponentModel.Annotations

Roadmap

  • Ability to filter for only a particular license
  • Anything you'd like? Open an issue 😁

Undetermined Licenses

At the end of 2018 the licenseUrl field in the nuspec file was deprecated, to be replaced with a richer license metadata field. You can read more about it in the announcement, the documentation and the Spec wiki.

This new metadata makes it possible to determine a package's license directly from the package itself, rather than by navigating to the referenced license file.

Some NuGet packages have moved over to the new format, but many are still using the legacy approach, which makes it difficult for delice to determine a package's license.

By default these packages will be reported with an "Unable to determine" license type, with the license URL included in the output, but there are two CLI options that can be set to help discover what the license is.

Using GitHub's API to Check Licenses

Projects hosted on GitHub will often have their license shown in the repository header; GitHub produces this by scanning the license file in the repository and determining the appropriate type. The result can be accessed via GitHub's API, and delice provides an integration with it.

When the --check-github flag is set, delice will check whether the package's license URL points to a GitHub-hosted file. If it does, delice attempts to extract the owner and repository name from the URL and then calls the GitHub API. If the API returns a detected license, the license information in delice's output is updated accordingly.

It's recommended to also use the --github-token <token> CLI option to provide a GitHub Personal Access Token to authenticate the requests (they are anonymous by default), as this avoids hitting the API's rate limits.
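The following is an added example (not delice's own code) of the two steps described above: deciding whether a nuspec licenseUrl is GitHub-hosted and extracting owner/repo from it, then reading the SPDX id out of the response of GitHub's GET /repos/{owner}/{repo}/license endpoint. The host allow-list and the constructed sample response are assumptions; the host is matched exactly so the token is only ever attached to requests bound for GitHub.

```python
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumption: only these hosts count as "GitHub-hosted". Exact matching (no suffix
# matching) means a look-alike domain never receives the token.
GITHUB_HOSTS = {"github.com", "www.github.com", "raw.githubusercontent.com"}


def github_repo_from_url(license_url: str) -> Optional[Tuple[str, str]]:
    """Return (owner, repo) when the licenseUrl points at a GitHub-hosted file, else None."""
    parts = urlsplit(license_url)
    if parts.scheme not in ("http", "https") or parts.hostname not in GITHUB_HOSTS:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        return None
    owner, repo = segments[0], segments[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner, repo


def license_api_url(owner: str, repo: str) -> str:
    """GitHub REST endpoint that returns the license GitHub detected for a repository."""
    return f"https://api.github.com/repos/{owner}/{repo}/license"


def auth_headers(token: Optional[str]) -> dict:
    """Request headers; the token is optional but avoids the anonymous rate limit."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def spdx_from_api_response(body: str) -> Optional[str]:
    """Pull the SPDX id out of a /repos/{owner}/{repo}/license JSON body.
    GitHub reports NOASSERTION when it could not classify the license file."""
    lic = json.loads(body).get("license") or {}
    spdx = lic.get("spdx_id")
    return None if spdx in (None, "NOASSERTION") else spdx


# Constructed sample response, trimmed to the fields used above.
SAMPLE_RESPONSE = json.dumps({"name": "LICENSE", "license": {"key": "mit", "spdx_id": "MIT"}})
```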

Checking License Contents

GitHub uses Licensee to detect a license. Licensee looks at the contents of the license file and compares it to license templates using the Sørensen–Dice coefficient.

delice also supports doing this via the --check-license-content flag. When provided, delice will download the contents of the licenseUrl in the nuspec and compare it to known templates stored within itself. The comparison requires that the license and template be at least 90% the same for it to be considered a match (this is lower than Licensee, which uses 98%, but experiments against .NET packages showed it was better to be a bit looser), so there can still be misses.
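An added example (not delice's or Licensee's code) of the comparison described above: a Sørensen–Dice coefficient over normalised word bigrams, with the 90% cut-off delice uses and the 98% cut-off Licensee uses side by side. The abbreviated templates and the exact normalisation are assumptions; delice stores its own full-text templates.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed, abbreviated templates for illustration only (not delice's stored set).
TEMPLATES: Dict[str, str] = {
    "MIT": "Permission is hereby granted, free of charge, to any person obtaining a copy "
           "of this software and associated documentation files, to deal in the Software "
           "without restriction",
    "BSD-2-Clause": "Redistribution and use in source and binary forms, with or without "
                    "modification, are permitted provided that the following conditions are met",
}


def normalize(text: str) -> List[str]:
    """Lower-case, drop punctuation and split into words so formatting noise is ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())


def bigrams(words: List[str]) -> Counter:
    """Multiset of adjacent word pairs."""
    return Counter(zip(words, words[1:]))


def dice(a: str, b: str) -> float:
    """Sørensen–Dice coefficient over word bigrams: 2|A∩B| / (|A| + |B|)."""
    ga, gb = bigrams(normalize(a)), bigrams(normalize(b))
    total = sum(ga.values()) + sum(gb.values())
    if total == 0:
        return 0.0
    shared = sum((ga & gb).values())  # Counter intersection = min count per bigram
    return 2 * shared / total


def best_match(license_text: str, templates: Dict[str, str] = TEMPLATES,
               threshold: float = 0.90) -> Optional[Tuple[str, float]]:
    """Return (spdx_id, score) of the closest template at or above threshold, else None."""
    spdx_id, score = max(((k, dice(license_text, v)) for k, v in templates.items()),
                         key=lambda kv: kv[1])
    return (spdx_id, score) if score >= threshold else None
```

A one-word edit to a 27-word text changes two of its 26 bigrams, giving 48/52 ≈ 0.92, which delice's threshold accepts and Licensee's rejects.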

Also, only certain license templates are stored within delice, but feel free to add more via PRs.

This can work in conjunction with the GitHub API check, but it runs after the API check is done, and only if that check fails.

Common License Cache

The file LicenseCache.fs contains a map of commonly used packages and the license file that they have. This means that delice can determine more licenses out of the box.

If you're coming across packages that you think should be in there, open a Pull Request with the updates.

Related Projects

This project is a port of the Node.js utility delice, created by Tierney Cyren and aims to provide the same sorts of functionality but in a .NET friendly workflow.