Add license check script for incompatible licenses in pip dependencies (

#16753) NVDA is licensed with GPL2 which is incompatible with certain licenses like Apache. Currently there are 2 python dependencies bundled with NVDA with incompatible licenses: fast-diff-match-patch - see Reconsider fast_diff_match_path license violation workaround #16633 requests Description of user facing changes Developers can now check licenses with runlicensecheck.bat AppVeyor checks that new dependencies with incompatible licenses aren't introduced Description of development approach Using the licensecheck pip dependency, check licenses Similar to lint checks, run these checks on appveyor builds
nvaccess · Jul 1, 2024 · 62c9122 · 62c9122
1 parent 6836a17
commit 62c9122
Show file tree

Hide file tree

Showing 11 changed files with 80 additions and 5 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -8,3 +8,12 @@ repos:
       args: [ --fix ]
     # Run the formatter.
     - id: ruff-format
+
+- repo: local
+  hooks:
+    - id: licenseCheck
+      name: Check license compatibility of pip dependencies
+      files: requirements.txt
+      entry: ./runlicensecheck.bat
+      language: script
+      pass_filenames: false
diff --git a/appveyor.yml b/appveyor.yml
@@ -81,6 +81,7 @@ test_script:
  - ps: |
      "TEST_START, $(Get-Date -Format 'o')"| Out-File ../timing.csv -Append
  - ps: appveyor\scripts\tests\translationCheck.ps1
+ - ps: appveyor\scripts\tests\licenseCheck.ps1
  - ps: appveyor\scripts\tests\unitTests.ps1
  - ps: appveyor\scripts\tests\lintCheck.ps1
  - ps: appveyor\scripts\tests\systemTests.ps1

diff --git a/appveyor/scripts/tests/beforeTests.ps1 b/appveyor/scripts/tests/beforeTests.ps1
@@ -2,6 +2,7 @@ New-Item -ItemType directory -Path testOutput
 New-Item -ItemType directory -Path testOutput\unit
 New-Item -ItemType directory -Path testOutput\system
 New-Item -ItemType directory -Path testOutput\lint
+New-Item -ItemType directory -Path testOutput\license
 
 # The first Chrome system test to run occasionally fails.
 # This has been observed on developer machines after chrome updates, but is difficult to reproduce.

diff --git a/appveyor/scripts/tests/licenseCheck.ps1 b/appveyor/scripts/tests/licenseCheck.ps1
@@ -0,0 +1,10 @@
+$licenseOutput = (Resolve-Path .\testOutput\license\)
+$licenseOutput = "$licenseOutput\licenseCheckResults.md"
+.\runlicensecheck.bat "$licenseOutput" 
+if ($LastExitCode -ne 0) {
+	Set-AppveyorBuildVariable "testFailExitCode" $LastExitCode
+	Add-AppveyorMessage "FAIL: License check. See $licenseOutput for more information."
+} else {
+	Add-AppveyorMessage "PASS: License check."
+}
+Push-AppveyorArtifact $licenseOutput
diff --git a/constraints.txt b/constraints.txt
@@ -0,0 +1,2 @@
+# Pillow is an implicit dependency and requires zlib and jpeg by default, but we don't need it
+Pillow==10.3.0 -C "zlib=disable" -C "jpeg=disable"
diff --git a/projectDocs/dev/buildSystemNotes.md b/projectDocs/dev/buildSystemNotes.md
@@ -30,6 +30,7 @@ These are the only files expected to be executed directly by a user/developer:
 - `rununittests.bat`
 - `runsystemtests.bat`
 - `runlint.bat`
+- `runlicensecheck.bat`
 
 **Note:** The `runnvda.bat` script intentionally uses `pyw.exe` to run NVDA as
 this is the more common and expected way to run NVDA.

diff --git a/projectDocs/dev/contributing.md b/projectDocs/dev/contributing.md
@@ -40,6 +40,7 @@ If you are new to the project, or looking for some way to help take a look at:
 	- The lint check ensures your changes comply with our code style expectations.
 	Use `runlint.bat`.
 	- Run `scons checkPot` to ensure translatable strings have comments for the translators
+	- Run `runlicensecheck.bat` to check that you don't introduce any new python dependencies with incompatible licenses.
 1. [Create a change log entry](#change-log-entry)
 1. [Create a Pull Request (PR)](./githubPullRequestTemplateExplanationAndExamples.md)
 	- When you think a contribution is ready, or you would like feedback, open a draft pull request.

diff --git a/projectDocs/testing/automated.md b/projectDocs/testing/automated.md
@@ -50,3 +50,10 @@ To run all tests standard tests for developers use `runsystemtests.bat --include
 Internally this script uses the Robot test framework to execute the tests.
 Any arguments given to `runsystemtests.bat` are forwarded onto Robot.
 For more details (including filtering and exclusion of tests) see `tests/system/readme.md`.
+
+### License checks
+
+NVDA uses GPLv2 which is incompatible with certain licenses like Apache.
+Run `runlicensecheck.bat` to check that you don't introduce any new python dependencies with incompatible licenses.
+
+This is configured in [pyproject.toml](../../pyproject.toml) using the [licensecheck pip package](https://github.com/FHPythonUtils/LicenseCheck).
diff --git a/pyproject.toml b/pyproject.toml
@@ -51,3 +51,32 @@ ignore = [
 	# indentation contains tabs
 	"W191",
 ]
+
+[tool.licensecheck]
+using = "requirements:requirements.txt"
+only_licenses = ["BSD", "MIT", "Python", "LGPLV3+"]
+ignore_packages = [
+	# Incompatible Apache licenses.
+	# These are current license violations and are bundled with NVDA.
+	"fast-diff-match-patch",  # See also #16633
+	"requests",
+
+	# Incompatible Apache licenses.
+	# Bundled with a dependency, but not bundled with NVDA.
+	"importlib-metadata",
+	"opencv-python",
+
+	# Incompatible Apache licenses.
+	# System testing frameworks, not bundled with NVDA.
+	"robotframework",
+	"robotframework-screencaplibrary",
+	"robotremoteserver",
+
+	# Compatible licenses:
+	"certifi",  # Mozilla Public License 2.0
+	"markdown-link-attr-modifier",  # GPLV3 license, but not in PyPI correctly
+	"pycaw",  # MIT license, but not in PyPI
+	"wxPython",  # wxWindows Library License
+	"pillow",  # PIL Software License
+]
+
diff --git a/requirements.txt b/requirements.txt
@@ -4,12 +4,11 @@ SCons==4.5.2
 # NVDA's runtime dependencies
 comtypes==1.2.0
 pyserial==3.5
-./miscDeps/python/wxPython-4.2.2a1-cp311-cp311-win32.whl
-git+https://github.com/DiffSK/configobj@e2ba4457c4651fa54f8d59d8dcdd3da950e956b8#egg=configobj
+wxPython @ https://github.com/nvaccess/nvda-misc-deps/raw/51ae7db821d1d5166ab0c030fe20ec72dd7a2ad9/python/wxPython-4.2.2a1-cp311-cp311-win32.whl
+configobj @ git+https://github.com/DiffSK/configobj@e2ba4457c4651fa54f8d59d8dcdd3da950e956b8#egg=configobj
 requests==2.32.0
 schedule==1.2.1
-# Pillow is an implicit dependency and requires zlib and jpeg by default, but we don't need it
-Pillow==10.3.0 -C "zlib=disable" -C "jpeg=disable"
+-c constraints.txt
 
 #NVDA_DMP requires diff-match-patch
 fast-diff-match-patch==2.1.0
@@ -21,7 +20,7 @@ typing-extensions==4.9.0
 pycaw==20240210
 
 # Packaging NVDA
-git+https://github.com/py2exe/py2exe@4e7b2b2c60face592e67cb1bc935172a20fa371d#egg=py2exe
+py2exe @ git+https://github.com/py2exe/py2exe@4e7b2b2c60face592e67cb1bc935172a20fa371d#egg=py2exe
 
 # Creating XML unit test reports
 unittest-xml-reporting==3.2.0
@@ -42,6 +41,9 @@ sphinx_rtd_theme==1.3.0
 ruff==0.4.10
 pre-commit==3.7.1
 
+# Runing automated license checks
+licensecheck==2024.2
+
 # Requirements for system tests
 robotframework==6.1.1
 robotremoteserver==1.1.1

diff --git a/runlicensecheck.bat b/runlicensecheck.bat
@@ -0,0 +1,12 @@
+@echo off
+rem runlicensecheck [<output file>]
+rem Runs a license check for python dependencies
+set hereOrig=%~dp0
+set here=%hereOrig%
+if #%hereOrig:~-1%# == #\# set here=%hereOrig:~0,-1%
+set scriptsDir=%here%\venvUtils
+
+set checkArgs=
+if "%1" NEQ "" set checkArgs=--file=%1 --format=markdown
+call "%scriptsDir%\venvCmd.bat" py -m licensecheck -0 --format ansi %checkArgs%
+if ERRORLEVEL 1 exit /b %ERRORLEVEL%
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Pillow is an implicit dependency and requires zlib and jpeg by default, but we don't need it
		Pillow==10.3.0 -C "zlib=disable" -C "jpeg=disable"