Monitoring Dependency Licenses in Python Projects

Keeping track of the license compliance status of every Python dependency in your development projects can be a tricky and painful process. There are a few tools in the Python ecosystem that can automate this task; however, I wanted a tool that can be easily integrated into my CI pipelines, with support for parsing the different kinds of dependency and requirement files used in Python. This is why I started developing dep-license (deplic).

deplic supports reporting license information for the dependencies in use from local project directories, local/remote git repos, or selected virtual environments.

To install it:

pip install dep_license

It supports the following dependency files:

setup.py, setup.cfg, requirements.txt, pyproject.toml, Pipfile, Pipfile.lock, conda.yaml

To report / scan dependency licenses used in a local project:

$ deplic /path/to/python/project
Found dependencies: 3

| Name       | Meta   | Classifier                                       |
|------------|--------|--------------------------------------------------|
| pandas     | BSD    |                                                  |
| matplotlib | PSF    | OSI Approved::Python Software Foundation License |
| numpy      | BSD    | OSI Approved                                     |

Or report from a virtualenv:

$ deplic $VIRTUAL_ENV/bin/python --env
Found dependencies: 3

| Name               | Meta                                 | Classifier                                       |
|--------------------|--------------------------------------|--------------------------------------------------|
| smmap              | BSD                                  | OSI Approved::BSD License                        |
| tabulate           | MIT                                  | OSI Approved::MIT License                        |
| six                | MIT                                  | OSI Approved::MIT License                        |

Or from a GitHub repository, using its requirements.txt file:

$ deplic https://github.com/abduhbm/zmapio -n requirements.txt
Found dependencies: 1

| Name   | Meta   | Classifier   |
|--------|--------|--------------|
| numpy  | BSD    | OSI Approved |

You can also run a check against banned licenses listed in a configuration file:

$ more banned-lic.cfg
[deplic]
banned = AGPL-3.0
# or multi-lines
# banned =
#     AGPL-3.0,
#     ...
$ deplic --check /path/to/banned-lic.cfg /path/to/working/project

BANNED: edx-opaque-keys :: AGPL-3.0 - OSI Approved::GNU Affero General Public License v3
BANNED: edx-rbac :: AGPL 3.0 - OSI Approved::GNU Affero General Public License v3 or later (AGPLv3+)
BANNED: edx-django-utils :: AGPL 3.0 - OSI Approved::GNU Affero General Public License v3 or later (AGPLv3+)
BANNED: django-config-models :: AGPL 3.0 - OSI Approved::GNU Affero General Public License v3 or later (AGPLv3+)
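The check above matches the `banned` identifiers in the config against each dependency's license metadata, and the output shows that "AGPL-3.0" in the config also catches packages whose License field reads "AGPL 3.0". The following is an added example of that logic, not code from dep-license itself: it parses a config in the same `[deplic]` / `banned = ...` layout, normalizes license identifiers before comparing them, and reports hits in the same `BANNED:` line format. The dependency records and the config text are constructed sample data.

```python
import configparser
import re
import sys
from typing import List, Tuple

# Constructed sample records: (name, License metadata field, trove classifiers).
# These mirror deplic's Meta / Classifier columns; they are not real metadata.
SAMPLE_DEPS = [
    ("pandas", "BSD", []),
    ("edx-opaque-keys", "AGPL-3.0",
     ["License :: OSI Approved :: GNU Affero General Public License v3"]),
    ("edx-rbac", "AGPL 3.0",
     ["License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)"]),
    ("tabulate", "MIT", ["License :: OSI Approved :: MIT License"]),
]

# Constructed config in the multi-line form shown in the banned-lic.cfg example.
SAMPLE_CFG = """
[deplic]
banned =
    AGPL-3.0,
    GPL-3.0
"""

def load_banned(cfg_text: str) -> List[str]:
    """Read [deplic] banned; accepts one value or a comma/newline-separated block."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    raw = parser.get("deplic", "banned", fallback="")
    return [item.strip() for item in raw.replace("\n", ",").split(",") if item.strip()]

def normalize(license_id: str) -> str:
    """Drop case and punctuation so 'AGPL-3.0', 'AGPL 3.0' and 'agpl_3.0' compare equal."""
    return re.sub(r"[^a-z0-9.+]", "", license_id.lower())

def format_classifier(classifiers: List[str]) -> str:
    """Render the first trove classifier the way the deplic table shows it."""
    if not classifiers:
        return ""
    return classifiers[0].removeprefix("License :: ").replace(" :: ", "::")

def check_banned(deps, banned: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, meta license, classifier) for every dependency whose License
    field matches a banned identifier after normalization."""
    banned_norm = {normalize(b) for b in banned}
    return [(name, meta, format_classifier(cls))
            for name, meta, cls in deps if normalize(meta) in banned_norm]

if __name__ == "__main__":
    hits = check_banned(SAMPLE_DEPS, load_banned(SAMPLE_CFG))
    for name, meta, classifier in hits:
        print(f"BANNED: {name} :: {meta} - {classifier}")
    sys.exit(1 if hits else 0)  # non-zero exit is what fails a CI step or pre-commit run
```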

This can also be used as a pre-commit hook to automatically point out license-compliance issues in your project:

$ more .pre-commit-config.yaml
repos:
-   repo: https://github.com/abduhbm/dep-license
    rev: HEAD
    hooks:
    -   id: deplic
        args: ['--check=./deplic.cfg']

To use deplic in Docker:

$ docker run -t -v $PWD:/stage abduh/dep-license deplic /stage
Found dependencies: 1

| Name         | Meta   | Classifier                |
|--------------|--------|---------------------------|
| editdistance |        | OSI Approved::MIT License |

And that’s it! Feel free to contribute to the project 🎉.
