@matthijskooijman
Last active May 7, 2022 21:55
License checking tool overview
https://www.npmjs.com/package/oss-attribution-generator
Supports JS. Should be able to generate an attribution file, but shows a
failure after seemingly successfully processing all dependencies.
Has capabilities for overriding the licenses.
https://github.com/src-d/go-license-detector
Supports Go. Detects the license for a single license folder (returning
certainty / match factor), but does not support dependency
scanning. Might be useful as a building block.
https://github.com/pmezard/licenses
Supports Go. Should use go list to list dependencies and scan them for
licenses, but seems to only print the package names. Does not
support modules yet.
https://github.com/ribice/glice
Supports Go. Only detects licenses and puts them in a nice table. Not tried.
https://github.com/senseyeio/diligent
Supports Go and JS. Only detects licenses. Does not
support go.mod yet, nor attribution generation, but seems
modular enough to add such a thing.
https://www.npmjs.com/package/license-spelunker
Supports JS. Seems to generate attribution (or at least shows
LICENSE contents?). Not tried, 5 years old.
https://eladnava.com/check-your-dependencies-license-requirements-with-tldrlegal/
Supports JS. Scans licenses using legally, and cross-references
them against tldrlegal.com to summarize the actual requirements
of these licenses. Not tried.
https://github.com/franciscop/legally
Supports JS. Scans all of package.json, LICENSE and README and
provides a nice summary. No attribution generation.
yarn licenses generate-disclaimer
Generates attribution file, but does not seem to scan for
licenses (only includes dependencies that have a LICENSE and/or
NOTICE file).
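The two approaches noted above (listing Go modules with go list and scanning each one for license files, and generating a disclaimer that only covers dependencies that actually ship a LICENSE or NOTICE file) combine into a small building block. The script below is an added example, not code from this gist or from any tool listed here: it parses the back-to-back JSON objects that `go list -m -json all` prints, looks for a few assumed license file names in each module's Dir, classifies the text with crude keyword patterns (an assumption; real scanners do full-text matching), and renders an attribution notice that explicitly warns about dependencies with no license file instead of silently dropping them. The module cache and the go list output it runs on are constructed in a temp directory so it runs offline.

```python
"""Added example: enumerate Go module dependencies from `go list -m -json all`
output, scan each module directory for license files, and emit an attribution
notice that also lists modules where no license file was found.
Not the code of any tool in the overview; the module cache and the go list
output used below are constructed for this demo."""
from __future__ import annotations

import json
import os
import re
import tempfile

# File names commonly used for license texts (assumed, non-exhaustive list).
LICENSE_NAMES = ("LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING", "NOTICE")

# Crude keyword identification (assumption); real scanners do full-text matching.
LICENSE_PATTERNS = [
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
    ("Apache-2.0", re.compile(r"Apache License\s+Version 2\.0", re.I)),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms", re.I)),
]

MIT_TEXT = (  # constructed sample license text
    "MIT License\n\nPermission is hereby granted, free of charge, to any person "
    "obtaining a copy of this software ...\n"
)


def parse_go_list_json(stream: str) -> list[dict]:
    """Parse `go list -m -json all` output: JSON objects printed back to back
    (not a JSON array), so decode them one at a time."""
    decoder = json.JSONDecoder()
    modules, pos = [], 0
    while True:
        while pos < len(stream) and stream[pos].isspace():
            pos += 1
        if pos >= len(stream):
            return modules
        obj, pos = decoder.raw_decode(stream, pos)
        modules.append(obj)


def identify_license(text: str) -> str:
    """Return a license id for a license text, or UNKNOWN if no pattern matches."""
    for name, pattern in LICENSE_PATTERNS:
        if pattern.search(text):
            return name
    return "UNKNOWN"


def scan_module(mod: dict) -> dict:
    """Look for license files in the module's Dir (as reported by go list)."""
    result = {"path": mod["Path"], "version": mod.get("Version", ""), "licenses": []}
    mod_dir = mod.get("Dir")
    if not mod_dir or not os.path.isdir(mod_dir):
        return result
    for name in LICENSE_NAMES:
        full = os.path.join(mod_dir, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            result["licenses"].append({"file": name, "id": identify_license(text), "text": text})
    return result


def scan_dependencies(stream: str) -> list[dict]:
    """Scan every module except the main module itself."""
    return [scan_module(m) for m in parse_go_list_json(stream) if not m.get("Main")]


def attribution_notice(scans: list[dict]) -> str:
    """Render license texts per dependency and warn about modules with none,
    rather than silently leaving them out of the notice."""
    lines, missing = [], []
    for scan in scans:
        if not scan["licenses"]:
            missing.append(scan["path"])
            continue
        lines.append(f"== {scan['path']} {scan['version']} ==")
        for lic in scan["licenses"]:
            lines.append(f"-- {lic['file']} ({lic['id']})")
            lines.append(lic["text"].strip())
        lines.append("")
    if missing:
        lines.append("WARNING: no license file found for: " + ", ".join(missing))
    return "\n".join(lines)


def build_sample() -> str:
    """Create a constructed module cache in a temp dir and return a constructed
    `go list -m -json all` stream that points at it."""
    root = tempfile.mkdtemp(prefix="modcache-")
    with_lic = os.path.join(root, "example.com", "withlicense@v1.2.0")
    no_lic = os.path.join(root, "example.com", "nolicense@v0.1.0")
    os.makedirs(with_lic)
    os.makedirs(no_lic)
    with open(os.path.join(with_lic, "LICENSE"), "w", encoding="utf-8") as fh:
        fh.write(MIT_TEXT)
    with open(os.path.join(no_lic, "README.md"), "w", encoding="utf-8") as fh:
        fh.write("# nolicense\n")  # a README is not a license file
    return "\n".join(json.dumps(m, indent="\t") for m in [
        {"Path": "example.com/app", "Main": True, "Dir": root},
        {"Path": "example.com/withlicense", "Version": "v1.2.0", "Dir": with_lic},
        {"Path": "example.com/nolicense", "Version": "v0.1.0", "Dir": no_lic, "Indirect": True},
    ])


if __name__ == "__main__":
    print(attribution_notice(scan_dependencies(build_sample())))
```

Against a real module cache you would pipe the output of `go list -m -json all` into `scan_dependencies` instead of `build_sample()`; the warning line is the part the yarn generator above lacks, and it is what turns a silent gap in the notice into a review item.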
https://www.fossology.org/features/
Web-based tool into which you can upload a set of files, which
are scanned for licenses. Distinguishes between scanned and
concluded licenses and supports a workflow of automatically
or manually concluding licenses and reviewing corner cases.
Decisions can be remembered across updates (for unchanged
files). Simple installation through Docker.
Only seems to support per-file licensing. E.g. a LICENSE file
only applies to itself, rather than to all files in a directory.
No support for metadata (e.g. package.json), though there is
some support for .deb and .rpm headers.
https://www.openchainproject.org
Not a tool, but a specification for how organizations should
manage their FOSS compliance. Mostly on a policy level, not
operational.
https://clearlydefined.io/about
Not a tool, but an online datastore and API that collects
(curated) info about licenses for specific (versions of)
software packages.
https://qmstr.org/
Implements modular license analysis that integrates into the
build process, collecting data about what files were actually
used and analyzing those afterwards. Is mostly intended to be
glue for existing analysis tools (e.g. scancode) and has some
analysis tools of its own (e.g. SPDX file scanning, git history
scanning).
Fairly young project (since 2017/2018), so might not be entirely
usable. Setup is a bit cumbersome (build your own docker image)
and no examples of generated output. Seems very promising,
though.
https://github.com/heremaps/oss-review-toolkit
Generic license scanning tool. Scans a directory for
dependencies (supports various package formats, such as yarn and
go dep, but not go mod; more are planned), downloads the
depended-on packages (not sure if vendored/already downloaded
files are an option) and scans those for licenses with
third-party tools (e.g. scancode). Allows a user-defined
evaluator that decides which licenses are (not) ok (and maybe
also allows generating custom output?).
Has a concept of projects, which are used for output. It is not
entirely clear to what degree scanning of files is actually used
for the conclusions and output generation. Through config files,
project metadata can be overridden (examples are limited to VCS
location, though). Allows configuring ignore lines for parsing
and policy errors.
Support for generating security advisories and attribution /
compliance documents (e.g. in SPDX format) is planned (simple
NOTICE files can be generated already, though these contain only
the detected copyrights along with canonical license texts).
Java-based program, takes a while to build and run (a couple of
minutes per package).
https://github.com/nexB/scancode-toolkit/wiki
Scanner that scans files for licenses and copyright info. Does
not seem to traverse dependencies, or have any concept of
packages or metadata (though there is a mention of packages, I
suspect this is about .deb packages or similar). A lot of other
projects use scancode as the underlying scanner.
https://github.com/github/licensed
Ruby-based tool that can scan dependencies for licenses.
Supports a dozen different packagers, including go.mod and npm.
Seems to only scan for package metadata and LICENSE files. Can
list and check licenses against a whitelist (and allows
explicitly marking packages as having been reviewed), but does
not seem to support generating an attribution notice.
https://www.almtoolbox.com/palamida.php
Commercial software package for compliance management. No
pricing, details about features are vague.
https://fossa.com/
Commercial web-based software (hosted) for license and
vulnerability management. $46/month/developer, but there is also
a limited free version available. Not tested yet.