licensedog
Описание
Языки
- Python95,2%
- Shell1,8%
- PowerShell1,7%
- Batchfile1,3%
LicenseDog
Find licenses for third‑party packages and write the results to OUT.csv (or JSONL). Designed for fast, reliable compliance inventories with robust caching and an optional Textual TUI.
What is this and why was it created?
When you ship software, you need an auditable list of licenses for your dependencies. licensedog reads a simple IN.csv of package identifiers and resolves each package's license by probing canonical repository license files and trusted metadata. It outputs a machine‑readable table you can import into spreadsheets or pipelines, and it caches aggressively so repeated runs are fast and deterministic.
Supported package ecosystems:
- 🐹 Go modules (20+ domain patterns: github.com, gopkg.in, google.golang.org, filippo.io, dario.cat, sigs.k8s.io, and more)
- 📦 npm packages (registry API, tarball inspection, Code tab web scraping)
- 🐍 Python packages (PyPI JSON API, web scraping fallback)
- ⚙️ GitHub Actions (actions/checkout@v4, etc.)
Input Format Example
Here's what a typical
github.com/lufia/plan9stats@v0.0.0-20211012122336-39d0f177ccd0
react-transition-group@4.4.2
pyyaml@6.0.2
Such files can be generated by CycloneDX or similar SBOM tools. Important: There's no guarantee that package identifiers from SBOM actually exist or that their license information reflects the current state in the ever-changing Internet.
Resolution Priority Order
licensedog uses a very simple strategy: the more specialized version wins. All else being equal, what can be linked to wins. The last desperate measure is to download the source or link to a main/master/canary branch in Git, if nothing else is available.
npm packages:
- 🎯 Version-specific Git refs (tags/branches like
- 📋 npm registry metadata (API
- 🌐 npm Code tab scraping (web UI, unless disabled with
- 📦 npm tarball inspection (download & extract package)
- 🔄 PyPI fallback (for misclassified packages)
- 🌿 Generic Git branches (master/main - last resort)
Go modules:
- 🎯 Version-specific Git refs (tags/branches)
- 📋 pkg.go.dev metadata/scraping (web check)
- 📦 Go module archive (download from proxy.golang.org)
- 🌿 Generic Git branches (master/main - last resort)
Python packages:
- 🎯 Version-specific Git refs (tags/branches)
- 📋 PyPI JSON API (metadata
- 🎯 GitHub version-specific refs (extracted from PyPI metadata)
- 🌐 PyPI web scraping (page sidebar, unless disabled with
- 📦 PyPI sdist inspection (download & extract source distribution)
- 🌿 Generic Git branches (master/main - last resort)
Key principle: Version-specific sources (git tags or package archives) are always preferred over generic
Installation
🚀 Standard Installation (Recommended)
For development environments with full features including web scraping support.
What you get:
- ✅ Full support for all package types (Go, npm, Python, GitHub Actions)
- ✅ Web scraping for PyPI pages and npm Code tab (resolves hard-to-find licenses)
- ✅ Fast HTTP with retries and connection pooling (requests)
- ✅ Fast SPDX fuzzy matching (rapidfuzz, 10-100x faster)
- ✅ Rich terminal UI with progress bars (textual)
🔒 High-Security Installation (Zero Dependencies)
For restricted environments where browser automation is prohibited.
What you get:
- ✅ Full support for Go modules and GitHub Actions
- ✅ Basic npm support (registry API only, no Code tab scraping)
- ✅ Basic Python support (PyPI JSON API only, no web scraping)
- ❌ No web scraping (some packages may not resolve)
- ⚠️ Slower HTTP (urllib instead of requests with retries)
- ⚠️ Slower SPDX matching (difflib instead of rapidfuzz, 10-100x slower)
- ⚠️ Plain text output only (no TUI)
Key point: The
🎛️ Installation Options & Feature Groups
All dependencies are optional with graceful fallbacks. You can choose which features to install:
Using uv (recommended)
Using pip (traditional)
Feature Groups Explained
| Group | Dependencies | Purpose | When to Use |
|---|---|---|---|
| requests≥2.31.0 | Fast HTTP with retries, session reuse | Always recommended |
| rapidfuzz≥3.5.0 | Fast fuzzy SPDX matching (10-100x faster) | Always recommended |
| textual≥0.47.0 | Rich terminal UI with progress bars | Interactive use |
| playwright≥1.40.0 | Web scraping for PyPI/npm Code tab | When hard-to-resolve packages present |
| All of the above | Full features | Development, best results |
Fallback behavior:
- No
- No
- No
- No
General Usage
Quick Start
Simplest way (3 steps):
- Put your
- Run
- Your results are in OUT.csv
By default, licensedog displays a pseudographical text UI (TUI) in the console with progress bars and real-time updates.
With custom paths:
Wrapper script modes:
UI Mode Control (mutually exclusive):
Direct Python invocation:
IN.csv Format
One package identifier per line (no header). Duplicates are automatically de‑duplicated.
Supported version separators:
- Standard
- CycloneDX-style
Examples (see
github.com/lufia/plan9stats@v0.0.0-20211012122336-39d0f177ccd0
google.golang.org/appengine@v1.6.8
gopkg.in/yaml.v3@v3.0.1
sigs.k8s.io/yaml@v1.4.0
filippo.io/edwards25519@v1.1.0
react-transition-group@4.4.2
@next/swc-linux-x64-gnu@14.2.24
pyyaml@6.0.2
pathspec@0.12.1
actions/checkout@v4
actions/setup-go@v5
OUT.csv Format
Columns written by default (
| Column | Description |
|---|---|
| Input package id as emitted |
| Detected SPDX id (e.g., |
| Canonical URL where the license text was found |
| |
| Origin: |
| Repository/ref hint used (when applicable) |
| README URL that mentioned license (when applicable) |
| Human‑readable steps taken to resolve |
| Reserved; currently empty |
| |
| |
| |
| Namespace clash detection details (npm vs PyPI) |
To emit line‑delimited JSON instead:
How License Resolution Works
licensedog follows a conservative, explainable pipeline for each package:
1. Package Classification
Automatic ecosystem detection using pattern matching:
-
Go modules: 20+ domain patterns
- And more...
-
GitHub Actions: Pattern
- Examples:
- Examples:
-
Python packages: Conservative detection for packages with Python keywords
- Examples:
- Examples:
-
npm packages: Default for packages not matching above patterns
- Examples:
- Examples:
2. Repository Inference
- Go modules: Map to GitHub org/repo using hardcoded rules or go-get meta tags
- Special cases:
- Special cases:
- npm packages: Query npm registry metadata for repository URL
- Python packages: Query PyPI JSON API for package metadata
- GitHub Actions: Direct mapping to github.com/org/repo
3. Direct License Probing
Try LICENSE files at version-specific refs (tags/branches), then fallback to main/master:
- Files checked:
- Uses
- Heuristics detect common licenses (MIT, Apache-2.0, BSD, ISC, MPL)
- Fuzzy SPDX matching against SPDX corpus (configurable threshold via
4. Policy Flags & Clash Detection
Why only npm and PyPI packages can clash:
Go packages are never checked for clashes because their format makes them unambiguous:
- Go packages always include the full import path:
- npm/PyPI packages use simple names:
The presence of domain paths (
5. Caching & Deduplication
- SQLite cache
- SPDX license index cached under
- Single-flight behavior: each unique package resolved once per run
- Conditional GET using ETag/Last-Modified minimizes network traffic
All resolution steps are recorded in
Advanced Usage & Parameters
Core Options
Wrapper Script Options
The wrapper scripts (
How --nouv works:
- Without --nouv: Wrapper checks for uv and runs uv run licensedog.py
- With --nouv: Wrapper runs
- With --nouv --noweb: High-security mode with zero dependencies
When to use --nouv:
- uv is not installed and you don't want to install it
- Restricted environments where uv installation is not allowed
- You prefer pip for dependency management
- Testing with specific Python environments
Web Scraping Control
Network & Performance
License Detection
UI & Logging
Caching
Targeted Updates
Examples
Standard Installation Examples
High-Security Examples
Update Single Package
Sample Output
Input (
github.com/lufia/plan9stats@v0.0.0-20211012122336-39d0f177ccd0
pyyaml@6.0.2
actions/checkout@v4
react-transition-group@4.4.2
Output excerpt (
Requirements
- Python 3.10+ (required - uses modern type hints like
- All other dependencies are optional with graceful fallbacks
When to Use Each Installation Method
| Environment | Installation | Command | Features |
|---|---|---|---|
| 🚀 Development | Standard (uv + all extras) | | Full features, best results |
| 🏢 Corporate CI/CD | Standard without web | | Fast, no browser |
| 🔒 High-Security | Zero dependencies | | No external tools |
| 🔧 No uv available | Pure Python with pip | | Use pip instead of uv |
| 📦 Docker Alpine | Minimal with http/spdx | | Small image, fast |
| 💻 Local Testing | Standard (uv + all extras) | | Full features |
Troubleshooting
"playwright not found" error
You're trying to use web scraping without Playwright installed. Options:
- Add --noweb flag: python3 licensedog.py --text --noweb
- Install Playwright: pip install playwright && playwright install chromium
Packages not resolving
- Check package identifier format (use
- Enable verbose logging: --verbose
- Try with web scraping enabled (install
- For hard-to-resolve packages, check
Slow performance
- Install optional dependencies: pip install -e ".[http,spdx]"
- Use more threads: --threads 8
- Use cache from previous run: existing
License
Universal Permissive License. This is the most libertarian license of all. It forever and with minimal additional requirements allows using the text for any purposes and transfers patent rights, if they happen to occur there. This is a more permissive license than Apache2 and MIT. This license is needed if you adhere to an ideology opposite to Richard Stallman's, and directly allow using something for any purposes (including commercial), requiring nothing in return.