在Visual Studio之外获取.NET Core中所有已使用的NuGet软件包的许可证信息 [英] Get license information for all used NuGet packages in .NET Core outside of Visual Studio
问题描述
在我们的项目中,我们需要列出所有许可的nuget软件包.将它们生成为某种csv,json,xml文件是理想的.它必须通过构建或CI/CD工具来完成.问题是我找到该列表的唯一方法是致电:
We have a requirement in our project to list all of the licensed nuget packages. It would be ideal to generate them to some kind of csv, json, xml file. It would have to be done by build or by CI/CD tool. The problem is the only way I found to get that listing is by calling:
Get-Package | Select-Object Id,LicenseUrl
在Visual Studios包管理器内部.我还发现了一些示例powershell脚本,但是它们都基于.net核心之前的.net版本,并且基于.net核心版本中不再存在的读取包文件夹.
inside Visual studios package manager. I found also some sample powershell scripts but they are all based on versions of .net prior to .net core and are based on reading packages folder which in .net core version no longr exists.
有什么方法可以实现.NET Core中所需的功能?
Is there any way to achieve what we need in .NET Core ?
致谢.
推荐答案
根据 Nate McMaster的列表. NET全局工具,有一个名为 dotnet-project-licenses .我从未使用过,但是您可以尝试一下.
According to Nate McMaster's list of .NET global tools, there's a tool called dotnet-project-licenses. I've never used it, but you could try it out.
但是,如果您想自己做某事,并不是很难,但是需要一些代码.
However, if you want to do things yourself, it's not terribly difficult, but will require some code.
首先使用dotnet list package --include-transitive列出项目使用的所有软件包,然后解析其输出. NuGet团队有一个请求,可以使输出更易于解析,但老实说,我认为您只需要2个正则表达式即可轻松解析其当前输出,如果您不关心TFM,则只需1个正则表达式.如果您的项目针对多个TFM,则需要对列表进行重复数据删除.
First use dotnet list package --include-transitive to list all the packages used by a project, and parse it's output. The NuGet team has a request to make the output easier to parse, but honestly I think you only need 2 regexes to easily parse it's current output, only 1 if you don't care about TFMs. If your project targets multiple TFMs, you'll want to deduplicate the lists.
一旦有了软件包ID和版本号的列表(版本很重要,因为软件包可能会在版本之间更改许可证),您就可以找到全局软件包文件夹(gpf)dotnet nuget locals -l global-packages的位置,然后使用{gpf}\{lowercase package id}\{lowercase package version}\{lowercase package id}.{lowercase package version}.nuspec模式将nuspec加载为XML并找到许可证.
Once you have the list of package ids and version numbers (versions are important, as a package could change licenses between versions), you can find the location of your global packages folder (gpf) dotnet nuget locals -l global-packages, then use the {gpf}\{lowercase package id}\{lowercase package version}\{lowercase package id}.{lowercase package version}.nuspec pattern to load the nuspec as XML and find the licence.
请记住,最近NuGet不赞成使用LicenseUrl并鼓励软件包作者使用许可证表达式,或将其许可证文件嵌入nupkg中.我想嵌入式许可证对任何许可证工具都构成最大的挑战,因为除非您想解析许可证文本并猜测它最有可能是哪个许可证,否则您将需要执行其他操作.如果所有软件包均来自nuget.org,则可以让您的工具生成nuget.org/packages/{package id}/{package version}/license的url.但是,如果您使用多个来源,则您将无法知道软件包来自哪个来源,而其他Feed可能无法轻松地查看嵌入式许可证的许可证文本.要适当地"执行操作,您需要搜索软件包的源,以查看特定的软件包ID和版本是否存在. NuGet的V3协议已记录,但有意未记录v2协议,并且某些第三方nuget服务器仅实现v2协议.您也可以考虑使用裸体客户端库.
Keep in mind that recently NuGet deprecated LicenseUrl and encourage package authors to use license expressions, or embed their licence file in the nupkg. I imagine that embedded licenses pose the largest challenge to any license tool, because unless you want to parse the license text and guess which license it's most likely to be, you'll need to do something else. If all of your packages come from nuget.org, you can have your tool generate urls to nuget.org/packages/{package id}/{package version}/license. But if you use multiple sources, you have no way of knowing which source a package came from, and other feeds might not have an easy way to see the license text for embedded licenses. To do things "properly" you'll need to search your package sources to see if that specific package id and version exist. NuGet's V3 protocol is documented, but the v2 protocol is intentionally not documented, and some 3rd party nuget servers only implement the v2 protocol. You could also look into using the nuget client libraries.
这篇关于在Visual Studio之外获取.NET Core中所有已使用的NuGet软件包的许可证信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
