Have Henry Rollins check vendored licenses in your Go project.
Please note that wwhrd only checks packages stored under vendor/. If you are using Go modules (go mod), you can run go mod vendor before running wwhrd; this will dump a copy of the vendored packages inside the local repo.
    go get -u github.com/frapposelli/wwhrd

Using Brew on macOS:
    brew install frapposelli/tap/wwhrd

Configuration for wwhrd is stored in .wwhrd.yml at the root of the repo you want to check.
The format is compatible with Anderson; just run wwhrd check -f .anderson.yml.
    ---
    denylist:
      - GPL-2.0
    allowlist:
      - Apache-2.0
      - MIT
    exceptions:
      - github.com/jessevdk/go-flags
      - github.com/pmezard/go-difflib/difflib

Having a license in the denylist section will fail the check, unless the package is listed under exceptions.
exceptions can also be listed as wildcards:
    exceptions:
      - github.com/davecgh/go-spew/spew/...

This will make a blanket exception for all the packages under github.com/davecgh/go-spew/spew.
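The sketch below is an added example, not wwhrd's own code. It shows how the three lists and a wildcard exception combine into a verdict for each package. The type and function names are hypothetical, and two behaviours are assumptions: a license on neither list is denied, and a "/..." entry covers the named package plus everything below it, matched on a path boundary.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy mirrors the three lists in .wwhrd.yml (hypothetical type).
type Policy struct{ Denylist, Allowlist, Exceptions []string }

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// excepted matches pkg against the exceptions. A "/..." entry is matched on a
// path boundary, so ".../spew/..." does not also exempt ".../spewfork".
func (p Policy) excepted(pkg string) bool {
	for _, e := range p.Exceptions {
		root := strings.TrimSuffix(e, "/...")
		if pkg == root || (root != e && strings.HasPrefix(pkg, root+"/")) {
			return true
		}
	}
	return false
}

// Verdict returns "approved", "exception" or "denied". Assumption: a license
// on neither list is denied unless the package is excepted.
func (p Policy) Verdict(pkg, license string) string {
	if contains(p.Allowlist, license) && !contains(p.Denylist, license) {
		return "approved"
	}
	if p.excepted(pkg) {
		return "exception"
	}
	return "denied"
}

func main() {
	// Constructed input: the lists shown above plus a made-up package.
	p := Policy{Denylist: []string{"GPL-2.0"}, Allowlist: []string{"Apache-2.0", "MIT"},
		Exceptions: []string{"github.com/davecgh/go-spew/spew/..."}}
	fmt.Println(p.Verdict("example.com/b", "GPL-2.0"))
}
```

A wildcard exception bypasses the denylist for an entire subtree, so each entry deserves the same review as a change to the denylist itself.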
Use it in your CI!
    $ wwhrd check
    INFO[0006] Found Approved license    license=Apache-2.0 package="github.com/xanzy/ssh-agent"
    INFO[0006] Found Approved license    license=BSD-3-Clause package="golang.org/x/crypto/ed25519"
    INFO[0006] Found Approved license    license=Apache-2.0 package="gopkg.in/src-d/go-git.v4/internal/revision"
    INFO[0006] Found Approved license    license=Apache-2.0 package="gopkg.in/src-d/go-git.v4/plumbing/format/config"
    INFO[0006] Found Approved license    license=BSD-3-Clause package="golang.org/x/exp/rand"
    INFO[0006] Found Approved license    license=BSD-3-Clause package="gonum.org/v1/gonum/internal/cmplx64"
    INFO[0006] Found Approved license    license=Apache-2.0 package="gopkg.in/src-d/go-git.v4/plumbing/cache"
    INFO[0006] Found Approved license    license=MIT package="github.com/montanaflynn/stats"
    INFO[0006] Found Approved license    license=MIT package="github.com/ekzhu/minhash-lsh"
    FATA[0006] Exiting: Non-Approved license found
    $ echo $?
    1

Starting from version v0.3.0, wwhrd graph can be used to generate a graph in DOT language, the graph can then be parsed by Graphviz or other compatible tools.
To generate a PNG of the dependencies of your repository, you can run:
    $ wwhrd graph -o - | dot -Tpng > wwhrd-graph.png

The -o - option will print the DOT output to STDOUT.
    $ wwhrd
    Usage:
      wwhrd [OPTIONS] <check | graph | list>

    What would Henry Rollins do?

    Application Options:
      -v, --version  Show CLI version
      -q, --quiet    quiet mode, do not log accepted packages
      -d, --debug    verbose mode, log everything

    Help Options:
      -h, --help     Show this help message

    Available commands:
      check  Check licenses against config file (aliases: chk)
      graph  Generate dot graph dependency tree (aliases: dot)
      list   List licenses (aliases: ls)

WWHRD? graphic by Mitch Clem, used with permission, support him!