feature/#75 add support for project license auditing

.github/workflows/checks.yml

@@ -24,9 +24,25 @@ jobs:
       - name: Check Version(s)
         run: poetry run version-check `poetry run python -c "from noxconfig import PROJECT_CONFIG; print(PROJECT_CONFIG.version_file)"`
 
+  license-check-job:
+    name: Check Licences
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Python & Poetry Environment
+        uses: ./.github/actions/python-environment
+
+      - name: Check Version(s)
+        run: poetry run python -m nox -s audit
+
   build-documentation-job:
     name: Build Documentation
-    needs: [ version-check-job ]
+    needs: [ version-check-job, license-check-job ]
     runs-on: ubuntu-latest
 
     steps:
@@ -42,7 +58,7 @@ jobs:
 
   lint-job:
     name: Linting (Python-${{ matrix.python-version }})
-    needs: [ version-check-job ]
+    needs: [ version-check-job, license-check-job ]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -69,7 +85,7 @@ jobs:
 
   type-check-job:
     name: Type Checking (Python-${{ matrix.python-version }})
-    needs: [ version-check-job ]
+    needs: [ version-check-job, license-check-job ]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

exasol/toolbox/license.py

@@ -0,0 +1,85 @@
+from collections import defaultdict
+from dataclasses import dataclass
+from typing import (
+    Dict,
+    List,
+    Tuple,
+)
+
+
+@dataclass(frozen=True)
+class Package:
+    name: str
+    license: str
+    version: str
+
+
+def _packages(package_info):
+    for p in package_info:
+        kwargs = {key.lower(): value for key, value in p.items()}
+        yield Package(**kwargs)
+
+
+def _normalize(license):
+    def is_mulit_license(l):
+        return ";" in l
+
+    def select_most_permissive(l):
+        licenses = [_normalize(l.strip()) for l in l.split(";")]
+        priority = defaultdict(
+            lambda: 9999,
+            {"Unlicense": 0, "BSD": 1, "MIT": 2, "MPLv2": 3, "LGPLv2": 4, "GPLv2": 5},
+        )
+        priority_to_license = defaultdict(
+            lambda: "Unknown", {v: k for k, v in priority.items()}
+        )
+        selected = min(*[priority[lic] for lic in licenses])
+        return priority_to_license[selected]
+
+    mapping = {
+        "BSD License": "BSD",
+        "MIT License": "MIT",
+        "The Unlicense (Unlicense)": "Unlicense",
+        "Mozilla Public License 2.0 (MPL 2.0)": "MPLv2",
+        "GNU Lesser General Public License v2 (LGPLv2)": "LGPLv2",
+        "GNU General Public License v2 (GPLv2)": "GPLv2",
+    }
+    if is_mulit_license(license):
+        return select_most_permissive(license)
+
+    if license not in mapping:
+        return license
+
+    return mapping[license]
+
+
+def audit(
+    licenses: List[Dict[str, str]], acceptable: List[str], exceptions: Dict[str, str]
+) -> Tuple[List[Package], List[Package]]:
+    """
+    Audit package licenses.
+
+    Args:
+        licenses: a list of dictionaries containing license information for packages.
+                  This information e.g. can be obtained by running `pip-licenses --format=json`.
+
+            example: [{"License": "BSD License", "Name": "Babel", "Version": "2.12.1"}, ...]
+
+        acceptable: A list of licenses which shall be accepted.
+            example: ["BSD License", "MIT License", ...]
+
+        exceptions: A dictionary containing package names and justifications for packages to ignore/skip.
+            example: {'packagename': 'justification why this is/can be an exception'}
+
+    Returns:
+        Two lists containing found violations and ignored packages.
+    """
+    packages = list(_packages(licenses))
+    acceptable = [_normalize(a) for a in acceptable]
+    ignored = [p for p in packages if p.name in exceptions and exceptions[p.name]]
+    violations = [
+        p
+        for p in packages
+        if _normalize(p.license) not in acceptable and p not in ignored
+    ]
+    return violations, ignored

exasol/toolbox/nox/tasks.py

@@ -1,5 +1,11 @@
 from __future__ import annotations
 
+from io import (
+    BytesIO,
+    TextIOWrapper,
+)
+from subprocess import run
+
 __all__ = [
     "Mode",
     "fix",
@@ -239,6 +245,38 @@ def _coverage(
     session.run(*command)
 
 
+@nox.session(name="audit", python=False)
+def audit(session: Session) -> None:
+    """Audit project dependencies in regard of their license."""
+
+    def _packages():
+        result = run(
+            ["poetry", "show", "--no-ansi", "--no-interaction", "--only", "main"],
+            capture_output=True,
+            check=True,
+        )
+        stream = TextIOWrapper(BytesIO(result.stdout))
+        lines = (line for line in stream)
+        return (line.split(" ")[0] for line in lines)
+
+    packages = [
+        package
+        for package in _packages()
+        if package not in PROJECT_CONFIG.audit_exceptions
+    ]
+    session.run(
+        "poetry",
+        "run",
+        "python",
+        "-m",
+        "piplicenses",
+        "--packages",
+        *packages,
+        "--allow-only",
+        ";".join(PROJECT_CONFIG.audit_licenses),
+    )
+
+
 @nox.session(name="build-docs", python=False)
 def build_docs(session: Session) -> None:
     """Builds the project documentation"""

noxconfig.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
+from inspect import cleandoc
 from pathlib import Path
 from typing import (
     Any,
@@ -18,6 +19,26 @@ class Config:
     version_file: Path = Path(__file__).parent / "exasol" / "toolbox" / "version.py"
     path_filters: Iterable[str] = ("dist", ".eggs", "venv")
 
+    audit_licenses = ["Apache Software License"]
+    audit_exceptions = {
+        "pylint": cleandoc(
+            """
+            The project only makes use of pylint command line.
+
+            It only was added as normal dependency to save the "clients" the step
+            of manually adding it as dependency.
+
+            Note(s): 
+
+                Pylint could be marked, added as optional (extra) dependency to make it obvious
+                that it is an opt in, controlled by the "user/client". 
+
+                Replacing pylint with an alternative (like `ruff <https://github.com/astral-sh/ruff>`_)
+                with a more would remove the ambiguity and need for justification.
+        """
+        )
+    }
+
     @staticmethod
     def pre_integration_tests_hook(
         _session: Session, _config: Config, _context: MutableMapping[str, Any]