#!/usr/bin/env bash # Compare licenses of Go dependencies against a whitelist. ###### script header ###### lib=$(realpath @@BASE_LIB@@) || exit 1 stat "${lib}" >> /dev/null || exit 1 # shellcheck source=../sh/lib.bash if ! source "${lib}"; then echo "Error: could not find import" exit 1 fi go=$(realpath @@GO@@) stat "${go}" >> /dev/null golicenses=$(realpath @@GO_LICENSES@@) stat "${golicenses}" >> /dev/null cd "${BUILD_WORKSPACE_DIRECTORY}" ###### script body ###### not_allowed() { echo "license not allowed for package: ${line}" err=1 } ${go} mod download err=0 PATH="$(dirname "${go}"):${PATH}" \ GOROOT=$(${go} env GOROOT) \ GOPATH=$(${go} env GOPATH) \ GOCACHE=$(${go} env GOCACHE) \ ${golicenses} csv ./... | { while read -r line; do pkg=${line%%,*} lic=${line##*,} case ${lic} in Apache-2.0 | BSD-2-Clause | BSD-3-Clause | ISC | MIT) ;; MPL-2.0) case ${pkg} in github.com/siderolabs/talos/pkg/machinery/config/encoder) ;; github.com/letsencrypt/boulder) ;; github.com/hashicorp/*) ;; *) not_allowed ;; esac ;; AGPL-3.0) case ${pkg} in github.com/edgelesssys/constellation/v2) ;; github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/v2/api/v1alpha1) ;; *) not_allowed ;; esac ;; Unknown) case ${pkg} in github.com/edgelesssys/go-tdx-qpl/*) ;; *) not_allowed ;; esac ;; *) echo "unknown license: ${line}" err=1 ;; esac done exit "${err}" }