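#!/bin/bash

# Copyright 2023 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Scans the repository with trivy and fails when any dependency carries a
# license that is not on the CNCF allowlist.
#
# Usage: hack/verify-licenses.sh <trivy-version>
#
# Requires git (to locate the repo root) and hack/ensure-trivy.sh, which
# provides the pinned trivy binary. Exit status is non-zero when trivy reports
# a disallowed license, or when trivy itself fails (pipefail propagates the
# status through jq).

set -o errexit
set -o nounset
set -o pipefail

if [[ "${TRACE-0}" == "1" ]]; then
  set -o xtrace
fi

# This list is from https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
# The FreeBSD entry was previously spelled "SD-2-Clause-FreeBSD", which never
# matched any package; it is corrected here to the SPDX identifier the CNCF
# list uses (BSD-2-Clause-FreeBSD).
readonly CNCF_LICENSE_ALLOWLIST=Apache-2.0,MIT,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,ISC,Python-2.0,PostgreSQL,X11,Zlib

# Pinned trivy version. Fail with a usage hint rather than a bare "unbound
# variable" from nounset when the argument is missing.
VERSION=${1:?usage: ${0##*/} <trivy-version>}

REPO_ROOT=$(git rev-parse --show-toplevel)
"${REPO_ROOT}/hack/ensure-trivy.sh" "${VERSION}"

TRIVY="${REPO_ROOT}/hack/tools/bin/trivy/${VERSION}/trivy"

# Every severity is requested (including UNKNOWN) so that a license trivy
# cannot classify is reported rather than silently passed. Allowlisted
# licenses are filtered out by trivy itself via --ignored-licenses.
"${TRIVY}" filesystem . \
  --license-full \
  --ignored-licenses "${CNCF_LICENSE_ALLOWLIST}" \
  --scanners license \
  --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
  -f json | \
  # Specifically ignore 'github.com/hashicorp/hcl'. This is a known indirect dependency that we should remove where possible.
  # This query ensures we only skip github.com/hashicorp/hcl for as long as the license remains MPL-2.0.
  # Any Result that survives the select() is raised as a jq error, so jq exits
  # non-zero and (with pipefail) so does this script.
  jq '.Results[] | select( .Licenses[]?.PkgName == "github.com/hashicorp/hcl" and .Licenses[]?.Name == "MPL-2.0" | not) | if . == {} then . else error(.) end'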