DEV Community

loading...

How to find third parties licenses

antoinega profile image Antoine ・1 min read

Finding the right license

Usually most tools scanning third parties for vulnerabilities also identifies licenses but without telling you explicitly which license belong to which packages.

Dotnet delice

dotnet delice is a tool made by Aaron Powell that will identify for each package transitively the license and group them.

The tool is easy to install, but is only compatible with SDK project:

dotnet tool install -g dotnet-delice

The output is simple. As example, here is the output from the sample project based on angular template:

License Expression: Apache-2.0
├── There are 18 occurances of Apache-2.0
├─┬ Conformance:
│ ├── Is OSI Approved: true
│ ├── Is FSF Free/Libre: true
│ └── Included deprecated IDs: false
└─┬ Packages:
  ├── Microsoft.AspNetCore.NodeServices@3.1.2
  ├── Microsoft.AspNetCore.SpaServices@3.1.2
  ├── Microsoft.AspNetCore.SpaServices.Extensions@3.1.2
  ├── Microsoft.Extensions.Configuration@3.1.2
  ├── Microsoft.Extensions.Configuration.Abstractions@3.1.2
  ├── Microsoft.Extensions.Configuration.Binder@3.1.2
  ├── Microsoft.Extensions.DependencyInjection@3.1.2
  ├── Microsoft.Extensions.DependencyInjection.Abstractions@3.1.2
  ├── Microsoft.Extensions.FileProviders.Abstractions@3.1.2
  ├── Microsoft.Extensions.FileProviders.Physical@3.1.2
  ├── Microsoft.Extensions.FileSystemGlobbing@3.1.2
  ├── Microsoft.Extensions.Logging@3.1.2
  ├── Microsoft.Extensions.Logging.Abstractions@3.1.2
  ├── Microsoft.Extensions.Logging.Configuration@3.1.2
  ├── Microsoft.Extensions.Logging.Console@3.1.2
  ├── Microsoft.Extensions.Options@3.1.2
  ├── Microsoft.Extensions.Options.ConfigurationExtensions@3.1.2
  └── Microsoft.Extensions.Primitives@3.1.2

License Expression: MIT
├── There are 1 occurances of MIT
├─┬ Conformance:
│ ├── Is OSI Approved: true
│ ├── Is FSF Free/Libre: true
│ └── Included deprecated IDs: false
└─┬ Packages:
  └── Newtonsoft.Json@12.0.2

Discussion

pic
Editor guide