如何通过podfile.lock获得所有包装的列表？

发布于 2025-02-13 11:46:58 字数 335 浏览 3 评论 0原文

由于合规性原因，我需要生成我们使用许可证使用的所有软件包的列表。也用于间接（及其）依赖性。

我知道如何使用pkg.get_metadata_lines（“ pkg-info”）或使用YARN许可，但我不知道该怎么做用podfile.lock。

给定一个podfile.lock，我该怎么做这样的事情：

$ get-licenses Podfile.lock
BigInt==1.2.3;MIT
CryptoSwift==4.5.6;Apache License 2.0
SwiftProtobuf==1.3.5;BSDv3

原文

Due to compliance reasons, I need to generate a list of all software packages we use with their licenses. Also for indirect (transitive) dependencies.

I know how to do the same with Python using pkg.get_metadata_lines("PKG-INFO") or for JavaScript using yarn licenses, but I have no clue how to do it with a Podfile.lock.

Given a Podfile.lock, how can I do something like this:

$ get-licenses Podfile.lock
BigInt==1.2.3;MIT
CryptoSwift==4.5.6;Apache License 2.0
SwiftProtobuf==1.3.5;BSDv3

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

缘字诀 2025-02-20 11:46:58

第一个变体（我没有检查此）：使用（或尝试使用 snyk ）。
第二个变体（我没有检查）：您可以使用 adlicenselint ，但是您也需要podfile ，不仅是podfile.lock 。
第三个变体：使用PYYAML + NetworkX。

python示例要获得传递依赖性：

import networkx as nx
import matplotlib.pyplot as plt
import yaml


def fetch_connected_nodes(g, node, seen=None):
    if seen is None:
        seen = set()

    for nr in g.neighbors(node):
        if nr != node and nr not in seen:
            seen.add(nr)
            fetch_connected_nodes(g, nr, seen)

    return seen


def make_pod_graph(pods: dict, package_name: str):
    pod_graph: nx.DiGraph = nx.DiGraph()

    def add_pods(pod, parent):
        parent = parent.split(' ')[0]
        if isinstance(pod, dict):
            # Really only 1 key in the dict.
            for k, v in pod.items():
                add_pods(k, parent)
                add_pods(v, k)
        elif isinstance(pod, list):
            for i in pod:
                add_pods(i, parent)
        else:
            pod_params = pod.split(' ')
            pod_graph.add_node(pod_params[0])
            attrs = {'version': ''.join(pod_params[1:]).strip('()=')} if len(pod_params) > 1 else None

            if parent is not None:
                pod_graph.add_edge(parent, pod_params[0], attr=attrs)

    for p in pods:
        add_pods(p, package_name)

    return pod_graph


with open('Podfile.lock', 'r') as pod_file_lock:
    pod_data = yaml.safe_load(pod_file_lock)
    g_pod = make_pod_graph(pod_data['PODS'], 'Podfile.lock')

    for s in g_pod.neighbors('Podfile.lock'):
        print(f'{s};{";".join(fetch_connected_nodes(g_pod, s))}')

    # nx.draw(g_pod, with_labels=True, pos=nx.shell_layout(g_pod))
    # plt.show()

此文件：

GRMustache.swift;
GzipSwift;
Just;
PromiseKit;PromiseKit/CorePromise;PromiseKit/UIKit;PromiseKit/Foundation
PromiseKit/CorePromise;
PromiseKit/Foundation;PromiseKit/CorePromise
Sparkle;

您可以使用依赖项或外部来源章节。
只需在存储库中找到特定的文件即可。
或者，如果您可以使用OS软件包系统找到这些软件包（然后使用，例如YARN许可证列表，在它们上），那是一个选择。

First variant (I didn't check this): use "cocoapods-lockfile-parser" (or try to use Snyk).
Second variant (I didn't check this): you can use ADLicenseLint, but you need Podfile too, not only Podfile.lock.
Third variant: use PyYAML + NetworkX.

Python example to get transitive dependencies:

import networkx as nx
import matplotlib.pyplot as plt
import yaml


def fetch_connected_nodes(g, node, seen=None):
    if seen is None:
        seen = set()

    for nr in g.neighbors(node):
        if nr != node and nr not in seen:
            seen.add(nr)
            fetch_connected_nodes(g, nr, seen)

    return seen


def make_pod_graph(pods: dict, package_name: str):
    pod_graph: nx.DiGraph = nx.DiGraph()

    def add_pods(pod, parent):
        parent = parent.split(' ')[0]
        if isinstance(pod, dict):
            # Really only 1 key in the dict.
            for k, v in pod.items():
                add_pods(k, parent)
                add_pods(v, k)
        elif isinstance(pod, list):
            for i in pod:
                add_pods(i, parent)
        else:
            pod_params = pod.split(' ')
            pod_graph.add_node(pod_params[0])
            attrs = {'version': ''.join(pod_params[1:]).strip('()=')} if len(pod_params) > 1 else None

            if parent is not None:
                pod_graph.add_edge(parent, pod_params[0], attr=attrs)

    for p in pods:
        add_pods(p, package_name)

    return pod_graph


with open('Podfile.lock', 'r') as pod_file_lock:
    pod_data = yaml.safe_load(pod_file_lock)
    g_pod = make_pod_graph(pod_data['PODS'], 'Podfile.lock')

    for s in g_pod.neighbors('Podfile.lock'):
        print(f'{s};{";".join(fetch_connected_nodes(g_pod, s))}')

    # nx.draw(g_pod, with_labels=True, pos=nx.shell_layout(g_pod))
    # plt.show()

Result for this file:

GRMustache.swift;
GzipSwift;
Just;
PromiseKit;PromiseKit/CorePromise;PromiseKit/UIKit;PromiseKit/Foundation
PromiseKit/CorePromise;
PromiseKit/Foundation;PromiseKit/CorePromise
Sparkle;

You can get licenses using DEPENDENCIES or EXTERNAL SOURCES sections.
Just find specific files in repos.
Or, if you can find those packages using the OS package system (and then use, for example yarn licenses list, on them), that's an option.

回复收藏 0 原文

~没有更多了~