License audit for dependencies

[divarvel]

Eclipse projects rely on a tight auditing on all source code, including third-party code.  This means not only checking licenses declared in package metadata, but also actually scanning the source code, searching for copyright notices and license text.

This is handled by the eclipse dash licenses tool, which takes as input a list of dependencies.

This tool does not support swift yet, but since swift uses git for its package infrastructure it might be possible to piggy back on its git support.

The first thing we could do is creating a script that lists all fetched dependencies.

We’re in the same process for haskell dependencies: eclipse-dash/dash-licenses#489

[saoirse-a]

Easiest way to do this would be to process the Package.resolved, which is JSON, with jq or similar. If I do this:

swift package resolve
jq '.pins[].location' Package.resolved

The output I get is:

"https://github.com/apple/swift-asn1.git"
"https://github.com/apple/swift-crypto.git"
"https://github.com/apple/swift-protobuf.git"

Which hopefully is enough for Eclipse's tooling.

(I've noticed there is already a Package.resolved checked in, which is a mistake. It should have been in the .gitignore like for Rust libraries. I'll fix this in a PR. Edit #4 )