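#!/usr/bin/env bash

# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Usage: `hack/verify-licenses.sh`.
#
# Runs go-licenses over the repository's Go packages, checks each reported
# license identifier against the SPDX license list and probes each license
# URL for reachability. Reports are written below ${ARTIFACTS}
# (default: ${PWD}/_artifacts).


set -o errexit
set -o nounset
set -o pipefail


KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
source "${KUBE_ROOT}/hack/lib/init.sh"
source "${KUBE_ROOT}/hack/lib/util.sh"

# This sets up the environment, like GOCACHE, which keeps the worktree cleaner.
kube::golang::setup_env
kube::util::ensure-temp-dir

ARTIFACTS="${ARTIFACTS:-${PWD}/_artifacts}"
mkdir -p "${ARTIFACTS}/logs/"

# Creating a new repository tree
# Deleting vendor directory to make go-licenses fetch license URLs from go-packages source repository
# The worktree add is deliberately best-effort (`|| true`, output discarded) —
# presumably so an already-existing worktree does not abort the run. A worktree
# that really is missing is caught by the explicit cd check below.
git worktree add -f "${KUBE_TEMP}"/tmp_test_licenses/kubernetes HEAD >/dev/null 2>&1 || true
cd "${KUBE_TEMP}"/tmp_test_licenses/kubernetes || {
  printf '[ERROR] Unable to enter worktree %s\n' "${KUBE_TEMP}/tmp_test_licenses/kubernetes" >&2
  exit 1
}
rm -rf vendor

# Ensure that we find the binaries we build before anything else.
export GOBIN="${KUBE_OUTPUT_BIN}"
PATH="${GOBIN}:${PATH}"

#######################################
# Print the HTTP status code returned for a HEAD request to a URL.
# Arguments:
#   $1 - URL to probe. The value originates from go-licenses output (i.e. from
#        third-party module metadata), so it is passed after `--` and is never
#        interpreted as a curl option.
# Outputs:
#   The three-digit status code on stdout. Redirects are followed (-L) so the
#   code belongs to the final location. curl prints `000` when no HTTP
#   response was obtained at all (DNS failure, timeout, malformed URL); a
#   caller that only compares against 404 will treat that as "reachable".
# Returns:
#   curl's exit status (callers use the function inside `[[ ]]`, so a failing
#   curl does not trip errexit)
#######################################
http_code() {
  # --max-time bounds a hanging host so the scan cannot stall indefinitely.
  curl -I -s -L --max-time 30 -o /dev/null -w '%{http_code}' -- "$1"
}

packages_flagged=()
packages_url_missing=()
exit_code=0

# Install go-licenses
echo '[INFO] Installing go-licenses...'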
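# TODO(review): `@latest` is unpinned, so both the tool that runs here and the
# result of this verification depend on whatever go-licenses publishes at run
# time; pin a tagged version (or commit) for reproducible verification.
go install github.com/google/go-licenses@latest

# Fetching the SPDX license list; the CNCF policy is expressed in SPDX identifiers.
# Refer: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
# NOTE(review): this is every non-deprecated SPDX identifier, which is a
# superset of the allowlist in the linked policy — confirm that is intended.
# -f turns an HTTP error into a script failure instead of writing an error
# page into licenses.json; -S still reports the error despite -s.
curl -fsSL 'https://spdx.org/licenses/licenses.json' -o "${ARTIFACTS}/licenses.json"

echo '[INFO] Fetching current list of CNCF approved licenses...'
jq -r '.licenses[] | select(.isDeprecatedLicenseId==false) .licenseId' "${ARTIFACTS}/licenses.json" \
  | sort -u > "${ARTIFACTS}/licenses.txt"

# Scanning go-packages under the project & verifying against the CNCF approved list of licenses
echo '[INFO] Starting license scan on go-packages...'
# Overwrite rather than append so rows left by an earlier run that used the
# same ${ARTIFACTS} cannot leak into this report.
go-licenses report ./... > "${ARTIFACTS}/licenses.csv" 2>"${ARTIFACTS}/logs/go-licenses.log"

# Report files, one "<package> <license> <url>" line per package. They are
# truncated up front for the same reason as licenses.csv.
approved="${ARTIFACTS}/approved_licenses.dump"
not_approved="${ARTIFACTS}/notapproved_licenses.dump"
missing_urls="${ARTIFACTS}/approved_licenses_with_missing_urls.dump"
printf 'PACKAGE_NAME LICENSE_NAME LICENSE_URL\n\n' > "${approved}"
: > "${not_approved}"
: > "${missing_urls}"

#######################################
# Append one report row.
# Arguments:
#   $1 - report file
#   $2 - package, $3 - license name, $4 - license URL
#######################################
record() {
  # printf, not echo: a field starting with "-n"/"-e" must not be eaten as an option.
  printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"
}

#######################################
# Pretty-print a report file as aligned columns.
# Arguments:
#   $1 - report file
#######################################
print_report() {
  awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "$1"
}

# go-licenses CSV columns: package, license URL, license name.
# The `|| [[ -n ... ]]` keeps a last row that lacks a trailing newline.
while IFS=, read -r GO_PACKAGE LICENSE_URL LICENSE_NAME || [[ -n "${GO_PACKAGE}" ]]; do
  # -x: match the whole line; -F: the identifier is a literal, not a regex
  # (identifiers such as "Apache-2.0" contain regex metacharacters, and the
  # value comes from third-party module metadata).
  if ! grep -qxF -- "${LICENSE_NAME}" "${ARTIFACTS}/licenses.txt"; then
    record "${not_approved}" "${GO_PACKAGE}" "${LICENSE_NAME}" "${LICENSE_URL}"
    packages_flagged+=("${GO_PACKAGE}")
    continue
  fi

  if [[ "${LICENSE_URL}" == 'Unknown' ]]; then
    if [[ "${GO_PACKAGE}" != k8s.io/* ]]; then
      record "${missing_urls}" "${GO_PACKAGE}" "${LICENSE_NAME}" "${LICENSE_URL}"
      packages_url_missing+=("${GO_PACKAGE}")
    else
      # In-tree packages are covered by the repository's top-level LICENSE.
      LICENSE_URL='https://github.com/kubernetes/kubernetes/blob/master/LICENSE'
      record "${approved}" "${GO_PACKAGE}" "${LICENSE_NAME}" "${LICENSE_URL}"
    fi
    continue
  fi

  if [[ "$(http_code "${LICENSE_URL}")" != 404 ]]; then
    record "${approved}" "${GO_PACKAGE}" "${LICENSE_NAME}" "${LICENSE_URL}"
    continue
  fi

  # The URL 404'ed. Retry the same file name at each parent path, stopping at
  # the host. The walk must be bounded there: once `dirname` has stripped the
  # "//" of the scheme, probing e.g. "https:/LICENSE" yields a non-HTTP status
  # (000) that a plain "!= 404" test would accept as a found license.
  dir="$(dirname "${LICENSE_URL}")"
  file="$(basename "${LICENSE_URL}")"
  found=0
  while [[ "${dir}" == *://*/* ]]; do
    dir="$(dirname "${dir}")"
    if [[ "$(http_code "${dir}/${file}")" != 404 ]]; then
      record "${approved}" "${GO_PACKAGE}" "${LICENSE_NAME}" "${dir}/${file}"
      found=1
      break
    fi
  done
  if (( found == 0 )); then
    packages_url_missing+=("${GO_PACKAGE}")
    record "${missing_urls}" "${GO_PACKAGE}" "${LICENSE_NAME}" "${LICENSE_URL}"
  fi
done < "${ARTIFACTS}/licenses.csv"
print_report "${approved}"


if (( ${#packages_url_missing[@]} > 0 )); then
  printf '\n%s\n' '[ERROR] The following go-packages in the project have unknown or unreachable license URL:'
  print_report "${missing_urls}"
  exit_code=1
fi


if (( ${#packages_flagged[@]} > 0 )); then
  printf '\n%s\n' "[ERROR] The following go-packages in the project are using non-CNCF approved licenses. Please refer to the CNCF's approved licence list for further information: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md"
  print_report "${not_approved}"
  exit_code=1
elif [[ "${exit_code}" -eq 1 ]]; then
  printf '\n%s\n' "[ERROR] Project is using go-packages with unknown or unreachable license URLs. Please refer to the CNCF's approved licence list for further information: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md"
else
  printf '\n%s\n' "[SUCCESS] Scan complete! All go-packages under the project are using current CNCF approved licenses!"
fi

exit "${exit_code}"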