Warning For any legal questions, please consult a lawyer. This tool is not a substitute for legal advice.
ROS packages must have licenses. This tool checks if the license declarations in the package.xml matches the license(s) of the code. We do this by using scancode-toolkit to scan the code and compare the results to the declaration in the package.xml
graph TD
classDef stroke stroke:#333,stroke-width:2px;
s([scan code for licenses and copyrights])
class s stroke
p[compare to\n package.xml\nfor linting]
class p stroke
c[create\ncopyright file\nfor release]
class c stroke
s --> p
s --> c
This checks:
- Is any license defined in
package.xml? - LicenseTagExistsCheck - Has at most one license tag without a source-files declaration? - LicenseTagExistsCheck
- Do all licenses tags follow the SPDX standard? - LicenseTagIsInSpdxListCheck
- Are license texts available and correctly referenced for all declared licenses? - LicenseTextExistsCheck
- Does the code contain licenses not declared in any license tags source-file attribute (source-files="src/something/**")? - LicensesInCodeCheck
Install the package from source:
pip install .You should then have the executable in your $PATH and can run it on any ROS package or a directory containing multiple ROS packages:
ros_license_toolkit my_ros_package$ ros_license_toolkit -h
usage: ros_license_toolkit [-h] [-c] [-v] [-q] path
Checks ROS packages for correct license declaration.
positional arguments:
path path to ROS2 package or repo containing packages
options:
-h, --help show this help message and exit
-c, --generate_copyright_file
generate a copyright file
-v, --verbose enable verbose output
-q, --quiet disable most outputAdditionally, there is an option to ignore single files, folders and types of files.
If there exists a .scanignore in the top level directory of a package,
everything in it is going to be ignored.
The file entries work similar to a .gitignore file, including making comments with #.
One Example for a custom .scanignore file:
.git/* # folder
README.txt # file
README.* # file pattern
Per default, ros_license_toolkit ignores the following:
.scanignore
package.xml
setup.py
setup.cfg
CMakeLists.txt
.git/*
You can use ros_license_toolkit inside your GitHub workflow in order to check licenses in your
repository in each pull request. Use the following job inside your workflow file:
jobs:
check_licenses:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: boschresearch/ros_license_toolkit@1.2.3WORK IN PROGRESS This is currently working and feature complete to the point it was originally intended. But there are still open points concerning testing and it is also very important to make sure how this behaves with existing ROS packages. In particular, the following things will have to be done:
- Coverage analysis
- Linter(s) per CI
- Field trials (check existing ROS packages and see what to do with the results). see field-trials/
- Allow license name in tag to be also full name of SPDX key.
- Each LicenseTag should have SPDX id.
- Single license tag without file attribute and single license text should match automatically.
- Turn into github action.
- Evaluate runtime. If scancode-toolkit takes too long on too many cases, we will have to look for an alternative.
- Idea: Create pull requests for package maintainers automatically.
- Error of
LicenseTagIsInSpdxListCheckmust be a warning
ros_license_toolkit is open-sourced under the Apache-2.0 license. See the LICENSE file for details.