Generate NOTICE from on installed deps composer.lock file (#29)

.github/workflows/build-packages.yml

@@ -46,7 +46,6 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
             name: php-dependencies
-            path: prod/php/
       - name: Build packages
         run: |
           mkdir -p "${PWD}/build/packages"

.github/workflows/build-php-deps.yml

@@ -27,13 +27,14 @@ jobs:
           do
             mkdir -p "prod/php/vendor_${PHP_VERSION}"
 
+            echo "This project depends on folliwng packages for PHP ${PHP_VERSION:0:1}.${PHP_VERSION:1:1}" >>NOTICE
+
             docker run --rm \
               -v ${PWD}:/sources \
               -v ${PWD}/prod/php/vendor_${PHP_VERSION}:/sources/vendor \
               -w /sources \
-              php:${PHP_VERSION:0:1}.${PHP_VERSION:1:1}-cli sh -c "apt-get update && apt-get install -y unzip && curl -sS https://getcomposer.org/installer | php -- --filename=composer --install-dir=/usr/local/bin && composer --ignore-platform-req=ext-opentelemetry --ignore-platform-req=ext-otel_instrumentation --no-dev install"
+              php:${PHP_VERSION:0:1}.${PHP_VERSION:1:1}-cli sh -c "apt-get update && apt-get install -y unzip && curl -sS https://getcomposer.org/installer | php -- --filename=composer --install-dir=/usr/local/bin && composer --ignore-platform-req=ext-opentelemetry --ignore-platform-req=ext-otel_instrumentation --no-dev install && php /sources/packaging/notice_generator.php >>/sources/NOTICE"
 
-              #TODO get licences from dependencies
               rm composer.lock
 
           done
@@ -43,3 +44,4 @@ jobs:
           name: php-dependencies
           path: |
             prod/php/vendor_*
+            NOTICE

NOTICE

@@ -0,0 +1,161 @@
+Elastic OpenTelemetry PHP Distribution
+Copyright 2023-2024 Elasticsearch B.V.
+
+This project is licensed under the Apache License, Version 2.0 - https://www.apache.org/licenses/LICENSE-2.0
+A copy of the Apache License, Version 2.0 is provided in the 'LICENSE' file.
+
+This project depends on folliwng packages:
+
+--------------------------------------------------------------------------------
+
+Package name: Boost C++ Libraries
+Version: 1.83.0
+Authors: Boost contributors (https://github.com/boostorg/boost/graphs/contributors)
+Licenses: BSL-1.0 license 
+URL: https://github.com/boostorg/boost/tree/boost-1.83.0
+
+
+LICENSE_1.0.txt content:
+Boost Software License - Version 1.0 - August 17th, 2003
+
+Permission is hereby granted, free of charge, to any person or organization
+obtaining a copy of the software and accompanying documentation covered by
+this license (the "Software") to use, reproduce, display, distribute,
+execute, and transmit the Software, and to prepare derivative works of the
+Software, and to permit third-parties to whom the Software is furnished to
+do so, all subject to the following:
+
+The copyright notices in the Software and this entire statement, including
+the above license grant, this restriction and the following disclaimer,
+must be included in all copies of the Software, in whole or in part, and
+all derivative works of the Software, unless such copies or derivative
+works are solely in the form of machine-executable object code generated by
+a source language processor.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
+SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
+FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+
+--------------------------------------------------------------------------------
+
+Package name: libcurl
+Version: 8.0.1
+Authors: Daniel Stenberg, <[email protected]>, and many contributors
+Licenses: Custom (https://github.com/curl/curl/blob/curl-8_0_1/COPYING)
+URL: https://github.com/curl/curl/blob/curl-8_0_1/
+
+curl/COPYING content:
+
+COPYRIGHT AND PERMISSION NOTICE
+
+Copyright (c) 1996 - 2024, Daniel Stenberg, <[email protected]>, and many
+contributors, see the THANKS file.
+
+All rights reserved.
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
+NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of a copyright holder shall not
+be used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization of the copyright holder.
+
+--------------------------------------------------------------------------------
+
+Package name: libunwind
+Version: 1.6.2
+Authors: David Mosberger <[email protected]>
+Licenses: MIT licenses
+URL: https://github.com/libunwind/libunwind/tree/b3ca1b59a795a617877c01fe5d299ab7a07ff29d
+
+No NOTICE file found
+LICENSE content:
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+COPYING content:
+Copyright (c) 2002 Hewlett-Packard Co.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+--------------------------------------------------------------------------------
+
+Package name: zlib
+Version: 1.3
+Authors: Jean-loup Gailly <[email protected]> and Mark Adler <[email protected]>
+Licenses: Custom zlib license (https://github.com/madler/zlib/blob/09155eaa2f9270dc4ed1fa13e2b4b2613e6e4851/LICENSE)
+URL: https://github.com/madler/zlib/tree/09155eaa2f9270dc4ed1fa13e2b4b2613e6e4851
+
+No NOTICE file found
+LICENSE content:
+Copyright notice:
+
+ (C) 1995-2024 Jean-loup Gailly and Mark Adler
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  Jean-loup Gailly        Mark Adler
+  [email protected]          [email protected]
+
+--------------------------------------------------------------------------------
+

packaging/nfpm.yaml

@@ -35,6 +35,10 @@ contents:
   type: config
 - src: /source/README.md
   dst: /opt/elastic/elastic-otel-php/docs/README.md
+- src: /source/NOTICE
+  dst: /opt/elastic/elastic-otel-php/NOTICE
+- src: /source/LICENSE
+  dst: /opt/elastic/elastic-otel-php/LICENSE
 
 scripts:
   postinstall: /source/packaging/post-install.sh

packaging/notice_generator.php

@@ -0,0 +1,120 @@
+<?php
+
+// Path to the composer.lock file
+$composerLockFile = 'composer.lock';
+
+
+$separatorLen = 80;
+
+// Check if the file exists
+if (!file_exists($composerLockFile)) {
+    die('The composer.lock file does not exist.');
+}
+
+// Read and decode the composer.lock file
+$composerData = readAndDecodeComposerLock($composerLockFile);
+
+// Check if the 'packages' section exists
+if (!isset($composerData['packages']) || !is_array($composerData['packages'])) {
+    die('The "packages" section is missing in the composer.lock file.');
+}
+
+$packages = $composerData['packages'];
+
+foreach ($packages as $package) {
+    $packageName = $package['name'] ?? 'Unknown package name';
+    $packageVersion = $package['version'] ?? 'Unknown version';
+    $authors = getAuthors($package);
+    $licenses = $package['license'] ?? ['No license'];
+    $url = $package['homepage'] ?? ($package['support']['source'] ?? 'No URL');
+    $sourceUrl = $package['support']['source'] ?? $url;
+
+    // Generate URLs for NOTICE.txt and LICENSE using new method and fallback to old method
+    $noticeContent = fetchFileContent(generateRawFileUrl($package), 'NOTICE') ?: fetchFileContent(filterUrl($sourceUrl), 'NOTICE');
+    $licenseContent = fetchFileContent(generateRawFileUrl($package), 'LICENSE') ?: fetchFileContent(filterUrl($sourceUrl), 'LICENSE');
+
+
+    // Display package information
+    echo "Package name: $packageName\n";
+    echo "Version: $packageVersion\n";
+    echo "Authors: " . implode(', ', $authors) . "\n";
+    echo "Licenses: " . implode(', ', $licenses) . "\n";
+    echo "URL: $url\n";
+    echo "\n";
+    if ($noticeContent) {
+        echo "NOTICE content:\n$noticeContent\n";
+    } else {
+        echo "No NOTICE file found\n";
+    }
+
+    if ($licenseContent) {
+        echo "LICENSE content:\n$licenseContent\n";
+    } else {
+        echo "No LICENSE file found\n";
+    }
+    echo str_repeat('-', $separatorLen)."\n\n";
+}
+
+
+function readAndDecodeComposerLock($filePath) {
+    $content = file_get_contents($filePath);
+    $data = json_decode($content, true);
+    if (json_last_error() !== JSON_ERROR_NONE) {
+        die('JSON decoding error: ' . json_last_error_msg());
+    }
+    return $data;
+}
+
+function getAuthors($package) {
+    $authors = [];
+    if (isset($package['authors']) && is_array($package['authors'])) {
+        foreach ($package['authors'] as $author) {
+            $name = $author['name'] ?? 'Unknown name';
+            if (isset($author['email'])) {
+                $email = $author['email'];
+                $authors[] = "$name <$email>";
+            } else {
+                $authors[] = "$name";
+            }
+        }
+    }
+    return $authors;
+}
+
+function fetchFileContent($fileUrl, $fileName) {
+    $fileUrl = $fileUrl . '/' . $fileName;
+
+    if ($fileUrl !== 'No URL') {
+        $headers = @get_headers($fileUrl);
+        if ($headers && strpos($headers[0], '200')) {
+            return file_get_contents($fileUrl);
+        }
+    }
+    return '';
+}
+
+function filterUrl($url) {
+    if (strpos($url, 'https://github.com/') === 0) {
+        if (strpos($url, 'https://github.com/') === 0) {
+            $url = str_replace('https://github.com/', 'https://raw.githubusercontent.com/', $url);
+            $url .= "/main";
+        } else {
+            $url = str_replace('/tree/', '/', $url);
+        }
+    }
+    return $url;
+}
+
+function generateRawFileUrl($package) {
+    if (isset($package['source']['type']) && $package['source']['type'] === 'git' && isset($package['source']['url']) && isset($package['source']['reference'])) {
+        $repoUrl = $package['source']['url'];
+        $reference = $package['source']['reference'];
+        if (strpos($repoUrl, 'https://github.com/') === 0) {
+            $repoUrl = str_replace('https://github.com/', 'https://raw.githubusercontent.com/', $repoUrl);
+            $repoUrl = substr($repoUrl, 0, -4);
+            return $repoUrl . '/' . $reference;
+        }
+    }
+    return 'No URL';
+}
+?>