Feluda

🔎 Feluda is a Rust-based command-line tool that analyzes the dependencies of a project, notes down their licenses, and flags any permissions that restrict personal or commercial usage or are incompatible with your project's license.

👋 It's still highly experimental, but fast iterating. Welcoming contributors and support to help bring out this project even better!

Features

• Parse your project to identify dependencies and their licenses.
• Classify licenses into permissive, restrictive, or unknown categories.
• Check license compatibility between dependencies and your project's license.
• Flag dependencies with licenses that may restrict personal or commercial use.
• Flag dependencies with licenses that may be incompatible with your project's license.
• Generate compliance files (NOTICE and THIRD_PARTY_LICENSES) for legal requirements.
• Output results in plain text, JSON or TUI formats. There's also a gist format which is available in strict mode to output a single line only.
• CI/CD support for Github Actions and Jenkins.
• Verbose mode gives an enhanced view of all licenses.

Support Languages

1. 
2. 
3. 
4. 

Feluda supports analyzing dependencies across multiple languages simultaneously.

feluda

You can also filter the analysis to a specific language using the --language flag. If your fav language or framework isn't supported, feel free to open an feature request issue! 👋

Installation

Official Distribution 🎉:

Rust (Crate)

Prerequisites

• Rust installed on your system.

If you already had it, make sure it's up-to-date and update if needed. (Optional) Set rust path if not set already.

Install

cargo install feluda

Community Maintained 🙌:

Homebrew (maintained by @chenrui333)

feluda is available in the Homebrew. You can install it using brew:

brew install feluda

Arch Linux (maintained by @adamperkowski)

feluda is available in the AUR. You can install it using an AUR helper (e.g. paru):

paru -S feluda

NetBSD (maintained by @0323pin)

On NetBSD a package is available from the official repositories. To install it, simply run:

pkgin install feluda

Track releases on github releases or via release feed.

Build from Source (advanced users)

Note: This might have experimental features which might not work as intended.

Clone and Build

First, clone the repository:

git clone https://github.com/anistark/feluda.git
cd feluda

Then, build the project using Cargo:

cargo build --release

Finally, to make feluda available globally, move the binary to a directory in your PATH. For example:

sudo mv target/release/feluda /usr/local/bin/

Usage

Feluda provides license analysis by default, with an additional command for generating compliance files. Analyze your project's dependencies and their licenses:

# Basic usage
feluda

# Specify a path to your project directory
feluda --path /path/to/project/

# Check with specific language
feluda --language {rust|node|go|python}

License File Generation

Generate compliance files for legal requirements:

# Interactive file generation
feluda generate

# Generate for specific language and license
feluda generate --language rust --project-license MIT

# Generate for specific path
feluda generate --path /path/to/project/

Run feluda on a github repo directly

feluda --repo <repository_url> [--ssh-key <key_path>] [--ssh-passphrase <passphrase>] [--token <https_token>]

<repository_url>: The URL of the Git repository to clone (e.g., git@github.com:user/repo.git or https://github.com/user/repo.git).

--ssh-key <key_path>: (Optional) Path to a private SSH key for authentication.

--ssh-passphrase <passphrase>: (Optional) Passphrase for the SSH key.

--token <https_token>: (Optional) HTTPS token for authenticating with private repositories.

If you're using Feluda, feel free to grab a Scanned with Feluda badge for your project:

[![Scanned with Feluda](https://img.shields.io/badge/Scanned%20with-Feluda-brightgreen)](https://github.com/anistark/feluda)

License Compliance Files

Feluda can generate essential compliance files required for commercial software distribution and open source projects.

NOTICE File

A NOTICE file is a concise summary document that provides attribution for third-party components:

• Purpose: Quick overview of all third-party components and their licenses
• Content: Organized by license type, lists all dependencies with their versions
• Use Cases:
  • Legal compliance documentation
  • Quick reference for license audits
  • Attribution requirements for many open source licenses

THIRD_PARTY_LICENSES File

A THIRD_PARTY_LICENSES file provides comprehensive license documentation:

• Purpose: Complete legal documentation for all dependencies
• Content: Full license texts, compatibility analysis, package URLs, and copyright information
• Use Cases:
  • Commercial software distribution requirements
  • Legal compliance for enterprise applications
  • Due diligence for acquisitions and audits
  • App store submissions (iOS, Android, etc.)

Why These Files Are Important

Legal Protection: Many open source licenses require attribution when redistributing code. These files ensure compliance and protect your organization from legal issues.

Transparency: Shows exactly what third-party code is included in your application, building trust with users and stakeholders.

Commercial Readiness: Essential for commercial software, enterprise deployments, and app store submissions.

Audit Preparation: Makes license audits faster and easier by providing all necessary documentation in standard formats.

Important Legal Notice

⚠️ DISCLAIMER: Feluda is still in early stages. While we're trying to follow through all compliances, users are responsible for:

• Verifying accuracy of all license information
• Ensuring compliance with all applicable license terms
• Consulting legal counsel for license compliance matters
• Checking official repositories for up-to-date license information

Feluda and its contributors disclaim all warranties and are not liable for any legal issues arising from the use of this information. Use at your own risk.

When You Need These Files

• 📱 Mobile app distribution (iOS App Store, Google Play)
• 🏢 Enterprise software deployment
• 💼 Commercial product releases
• 🔍 Legal compliance audits
• 🤝 Open source project attribution
• 📄 Regulatory compliance (GDPR, SOX, etc.)

Output Format

JSON

• Default: Plain text.
• JSON: Use the --json flag for JSON output.

feluda --json

Sample Output for a sample cargo.toml file containing serde and tokio dependencies:

[
  {
    "name": "serde",
    "version": "1.0.151",
    "license": "MIT",
    "is_restrictive": false,
    "compatibility": "Compatible"
  },
  {
    "name": "tokio",
    "version": "1.0.2",
    "license": "MIT",
    "is_restrictive": false,
    "compatibility": "Compatible"
  }
]

YAML

Use the --yaml flag for YAML output

feluda --yaml

Sample Output for a sample cargo.toml file containing serde and tokio dependencies:

- name: serde
  version: 1.0.151
  license: MIT
  is_restrictive: false
  compatibility: Compatible
- name: tokio
  version: 1.0.2
  license: MIT
  is_restrictive: false
  compatibility: Compatible

Gist Mode

For a short summary, in case you don't want all that output covering your screen:

feluda --gist

Verbose Mode

For detailed information about each dependency:

feluda --verbose

License Compatibility

Feluda can check if dependency licenses are compatible with your project's license:

feluda --project-license MIT

You can also filter for incompatible licenses only:

feluda --incompatible

And fail CI builds if incompatible licenses are found:

feluda --fail-on-incompatible

Strict Mode

In case you strictly need only the restrictive dependencies:

feluda --strict

Terminal User Interface (TUI) Mode

We've an awesome ✨ TUI mode available to browse through the dependencies in a visually appealing way as well:

feluda --gui

CI/CD Integration

Feluda provides several options for CI integration:

• --ci-format <github|jenkins>: Generate output compatible with the specified CI system
• --fail-on-restrictive: Make the CI build fail when restrictive licenses are found
• --fail-on-incompatible: Make the CI build fail when incompatible licenses are found
• --output-file <path>: Write the output to a file instead of stdout

Feluda can be easily integrated into your CI/CD pipelines with built-in support for GitHub Actions and Jenkins.

GitHub Actions

To use Feluda with GitHub Actions, create a .github/workflows/feluda.yml file with the following content:

name: License Check

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  check-licenses:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Install Rust
        uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
          override: true

      - name: Install Feluda
        run: cargo install feluda

      - name: Check licenses
        run: feluda --ci-format github --fail-on-restrictive --fail-on-incompatible

      - name: Generate compliance files
        run: |
          echo "1" | feluda generate  # Auto-select NOTICE file
          echo "2" | feluda generate  # Auto-select THIRD_PARTY_LICENSES file

      - name: Upload compliance artifacts
        uses: actions/upload-artifact@v3
        with:
          name: license-compliance
          path: |
            NOTICE
            THIRD_PARTY_LICENSES.md

Checkout contributing guidelines if you are looking to contribute to this project.

Currently, using choosealicense license directory for source of truth.

Configuration (Optional)

Feluda allows you to customize which licenses are considered restrictive through configuration. This can be done in three ways, listed in order of precedence (highest to lowest):

1. Environment variables
2. .feluda.toml configuration file
3. Default values

Default Restrictive Licenses

By default, Feluda considers the following licenses as restrictive:

• GPL-3.0
• AGPL-3.0
• LGPL-3.0
• MPL-2.0
• SEE LICENSE IN LICENSE
• CC-BY-SA-4.0
• EPL-2.0

Configuration File

Create a .feluda.toml file in your project root to override the default restrictive licenses:

[licenses]
# Override the default list of restrictive licenses
restrictive = [
    "GPL-3.0",      # GNU General Public License v3.0
    "AGPL-3.0",     # GNU Affero General Public License v3.0
    "Custom-1.0",   # Your custom license identifier
]

Environment Variables

You can also override the configuration using environment variables:

# Override restrictive licenses list
export FELUDA_LICENSES_RESTRICTIVE='["GPL-3.0","AGPL-3.0","Custom-1.0"]'

The environment variables take precedence over both the configuration file and default values.

---

Happy coding with Feluda! 🚀