-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathMakefile
More file actions
99 lines (92 loc) · 2.85 KB
/
Copy pathMakefile
File metadata and controls
99 lines (92 loc) · 2.85 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
.PHONY: release-audit license-check sbom vuln-scan lock-deps
release-audit: lock-deps license-check sbom vuln-scan
@echo ""
@echo "=== Release audit complete ==="
@echo "Outputs in release/:"
@ls -1 release/*.json release/*.csv release/*.txt 2>/dev/null
@echo ""
# Packages whose license field contains the full license text rather than a
# short SPDX identifier. Manually verified:
# replicate — Apache License 2.0
# tiktoken — MIT License
# zalgolib — MIT License
# flintai-cli — Apache License 2.0 (this project, license not yet in metadata)
IGNORE_PACKAGES := --ignore-packages replicate tiktoken zalgolib flintai-cli
license-check:
@echo "=== License review ==="
pip-licenses \
--format=csv \
--with-urls \
--with-authors \
--output-file=release/licenses.csv
pip-licenses \
--format=json \
--with-urls \
--with-authors \
--output-file=release/licenses.json
@echo "License summary:"
@pip-licenses --summary --order=count
@echo ""
@echo "Checking for copyleft/restricted licenses..."
@pip-licenses $(IGNORE_PACKAGES) --allow-only="Apache Software License;\
Apache Software License; BSD License;\
Apache Software License; MIT License;\
Apache License 2.0;\
Apache 2.0;\
Apache-2.0;\
Apache-2.0 AND CNRI-Python;\
Apache-2.0 AND MIT;\
Apache-2.0 OR BSD-2-Clause;\
Apache-2.0 OR BSD-3-Clause;\
Apache-2.0 OR MIT;\
Apache 2.0 License;\
Apache License;\
Apache;\
BSD License;\
BSD-2-Clause;\
BSD-3-Clause;\
BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0;\
BSD 3-Clause OR Apache-2.0;\
3-Clause BSD License;\
MIT License;\
MIT;\
MIT OR Apache-2.0;\
MIT-CMU;\
ISC License (ISCL);\
ISC;\
Mozilla Public License 2.0 (MPL 2.0);\
MPL-2.0 AND (Apache-2.0 OR MIT);\
MPL-2.0 AND MIT;\
Python Software Foundation License;\
PSF;\
PSF-2.0;\
Public Domain;\
The Unlicense (Unlicense);\
Historical Permission Notice and Disclaimer (HPND);\
GNU Lesser General Public License v2 or later (LGPLv2+);\
GNU Lesser General Public License v3 or later (LGPLv3+);\
Zope Public License;\
ZPL-2.1;\
UNKNOWN" \
2>&1 || (echo "WARNING: Some packages have licenses that need manual review — see above" && exit 1)
@echo ""
@echo "Packages with UNKNOWN license (need manual verification):"
@pip-licenses --format=csv | grep UNKNOWN || echo " (none)"
@echo ""
@echo "All known licenses are Apache-2.0 compatible."
sbom:
@echo "=== SBOM generation (CycloneDX) ==="
cyclonedx-py environment \
-o release/sbom.json \
--of json \
--pyproject pyproject.toml
@echo "SBOM written to release/sbom.json"
vuln-scan:
@echo "=== Dependency vulnerability scan ==="
pip-audit --format=json --output=release/vulnerabilities.json || true
pip-audit --desc 2>&1 | tee release/vulnerabilities.txt
@echo ""
lock-deps:
@echo "=== Locking dependencies ==="
pip-compile --strip-extras --output-file=requirements.lock pyproject.toml
@echo "Locked dependencies written to requirements.lock"