The meta-licscan layer provides source code license analysis for Yocto based OS distributions. Please see the corresponding sections below for details.
URI: git://git.yoctoproject.org/poky
branch: scarthgap
Open pull request at https://github.com/vaisala-oss/meta-licscan/pulls
Niko Mauno <[email protected]>
See COPYING.MIT
I. About meta-licscan II. Host OS requirements III. Usage IV. Studying license analysis results
This meta layer is a complementary facility for disambiguating software license compliance standing of devices that contain software artifacts built from source code with Yocto framework. It facilitates generation of .json files containing both source code license analysis results (on a per-file basis) as well as relevant parts of Yocto metadata related to prementioned software artifacts.
A command line utility for studying image-wide and package-specific license analysis results from prementioned .json files is also provided.
There is no warranty of any kind for any feature or functionality provided by this layer.
Requires python-magic installed on host OS. The dependency can be satisfied e.g. on Debian OS followingly
sudo apt install python3-magic
Deploy the meta layer by adding meta-licscan to BBLAYERS in <BUILDDIR>/conf/bblayers.conf,
which can be achieved e.g. by issuing
bitbake-layers add-layer meta-licscan
This will add the custom do_licscan() and emit_pkgdata_licscan() tasks to bitbake work flow for recipes generating target device specific packages.
Former task performs the actual license analysis, while latter adds relevant metadata fields before storing the final file.
Furthermore a generate_image_licscan_files() task is added to IMAGE_POSTPROCESS_COMMAND set,
which induces generation of image-specific licscan results files in licscan.json and licscantool.txt formats,
containing licscan results of recipes that provide the packages that are installed into the image specific rootfs.
Recipe-specific results are stored in JSON formatted files under <PKGDATA_DIR>/licscan/<scanner>/ (e.g. <BUILDDIR>/tmp/pkgdata/qemux86/licscan/nomossa/glibc.json),
and image-specific results in <DEPLOY_DIR_IMAGE>/<IMAGE_NAME>.licscan.json.
The scope of packages/recipes to run licenses scanner(s) against can be modified to better suit individual purposes.
This can be achieved by tuning variables which have base declaration in beginning of <BUILDDIR>/meta-licscan/classes/licscan.bbclass file.
For example, to avoid altogether analyzing huge source code trees of Linux kernel and GNU C Library, respectively, one can add following lines to <BUILDDIR>/conf/local.conf file:
LICSCAN_SKIP_INHERIT:append = " kernel"
LICSCAN_SKIP_PN:append = " glibc glibc-locale glibc-mtrace glibc-scripts"
In order to analyze source codes of only specific recipe(s), you can set LICSCAN_RECIPES to appropriate value in your <BUILDDIR>/conf/local.conf file.
For instance in order to scan only coreutils and util-linux source code:
LICSCAN_RECIPES = "coreutils util-linux"
A command line method for studying license analysis results is provided by using licscantool program.
Note that when licscantool prints license information defined in recipes, it uses SPDXLICENSEMAP translated license labels which are declared in meta/conf/licenses.conf file.
Example 1. To study image-specific results
../meta-licscan/scripts/licscantool -i <image_name>
Example 2. Studying package-specific results
../meta-licscan/scripts/licscantool -p <package_name> [<package_name2> <package_name3> ...]
Example 3. Show comprehensive image-specific results (combined information about an image and all packages it contains) from image-specific licscan.json and manifest files
../meta-licscan/scripts/licscantool -f -v -i path/to/<image_name>.licscan.json
Note that the first two examples resort to probing details from bitbake context while the last example doesn't (ie. Example 3 works also without sourcing oe-init-build-env first).