Configurable check

[becoded]

Allow to configure the check action.
Added flags:

  --disallowed_types  list of disallowed types
  --allowed_licenses list of allowed license names

Keeping the default behaviour of just checking the forbidden licenses.

[Bobgy]

Curious, why do we need this list?

[becoded]

I didn't find a method in github.com/google/licenseclassifier to get all defined license names.
It is used here to validate the input of flag allowed_license_names.

[Bobgy]

Is there a strong need to do this validation? If there is a typo, the check command fails and reports the correct license name in error message.

An extraneous invalid license name seems not much harm either.

[becoded]

You have a valid point! I removed the validation.

[Bobgy]

Thank you for the contribution!

Let me start with high level questions.

Can you clarify the use case for allowed licenses? That seems too flexible as interface, it's probably only useful when very limited license types are allowed.

Would it be simpler asking someone with such flexible use case to directly parse the license CSV file and write custom validation?

[becoded]

Currently, only the list of forbidden licenses, defined in google/licenseclassifier, is validated.
And there is no way to change that, so it doesn't leave any room for flexibility in controlling that.
So for that reason, I added the other flags (--exclude_forbidden, --exclude_notice, --exclude_permissive, --exclude_reciprocal, --exclude_restricted, --exclude_unencumbered).
However, these sets are fixed.
I have a case where a subset is allowed and for others, we need special approval.
By allowing to create your own list of allowed licenses --allowed_license_names we are able to verify exactly what we need.

Personally, I don't think it would be simpler to parse the report.
A part of this tool is written to check licenses, it makes sense to me that you can also control what is checked. Otherwise you could argue also that there is no need for the check action as you could also write a parser to check for the forbidden licenses.

[Bobgy]

To explain why I'm asking, this tool was built primarily for Google's own use-cases for open source go projects, so I am seeking a balance between maintenance cost vs use-case coverage. I'm asking to learn more about why this feature is useful to you.

I think your use-case convinces me it may be useful to more people. Thank you for explaining that!

[Bobgy]

Regarding the interface, do the following changes make it slightly simpler and more consistent?

• Make exclude flags one flag that takes multiple values: --disallowed_categories, the description points to https://github.com/google/licenseclassifier/blob/e6a9bb99b5a6f71d5a34336b8245e305f5430f99/license_type.go#L180 for license categories.
• Reduce number of words on allowed_license_names: --allowed_licenses.

Also, I think we should add validation and description that, the two flags cannot be used at the same time.

[becoded]

I changed the interface. I did name it types instead of categories as that is what is used in multiple places in this repo and in google/licenseclassifier

[Bobgy]

nit: update PR description?

[Bobgy]

Can you move this paragraph above? It's more important than exlude options I feel.

[becoded]

Added it to the top of the usage block as it is helpful for all comments.

[Bobgy]

Add comment about default behavior?

[becoded]

Done

[Bobgy]

Also print the list of supported types?

[becoded]

Done

[Bobgy]

See previous unmerged PR for a reference of how to handle unknown types: #44

[becoded]

Added support for unknown and added it to the default set.

Didn't implement different exit codes.
In the past, it stopped as soon as one forbidden license was found. In the meantime, it reports all forbidden licenses.

[Bobgy]

Also comment default behavior is disallow forbidden and unknown licenses?

[becoded]

Added it to the title

[hansinator]

hey thank you for this PR and hopefully this gets merged soon, b/c we need to maintain a fork of license checker and it causes trouble with replace directives and deprecated go get / go install behaviour. basically soft-forks of "go install"-ed things are no longer a supported use-case since a few go versions so I'd really appreciate it if this goes upstream

[Bobgy]

Awesome 👍!
Thank you for the great contribution!