path: root/examples/policy_checker/BUILD
blob: 49f77aa2530c1efe58887e97a10a04f83a73c154 (plain)
# Example of automated license policy definitions.

load("@rules_license//examples/policy_checker:license_policy.bzl", "license_policy")
load("@rules_license//examples/policy_checker:license_policy_check.bzl", "license_policy_check")

# Attach //:license and //:package_info as the default metadata for every
# target declared in this package.
package(default_package_metadata = ["//:license", "//:package_info"])

# license_policy rules generally appear in one central location per workspace.
# That location should be access controlled by the policy team, so that a change
# which loosens a policy is reviewed by the people who own it.

# A production service can use licenses with most conditions.
# This policy lists the "notice" and "restricted_if_statically_linked"
# conditions.
# NOTE(review): presumably a dependency whose license carries any condition
# not listed here is reported as a violation - confirm against
# license_policy_check.bzl.
license_policy(
    name = "production_service",
    conditions = [
        "notice",
        "restricted_if_statically_linked",
    ],
)

# A mobile application usually cannot allow end-user replaceable libraries,
# so LGPL code (which is restricted_if_statically_linked) cannot be used.
# Only the "notice" condition is listed for this policy.
license_policy(
    name = "mobile_application",
    conditions = [
        "notice",
    ],
)

# Policy that lists the "allowlist:acme_corp_paid" condition in addition to
# "notice".
license_policy(
    name = "special_allowlisted_app",
    # There could be an allowlist of targets here.
    # NOTE(review): as written, this rule names no targets, so nothing visible
    # here limits which targets may be checked against the policy - confirm
    # how the allowlist is meant to be enforced.
    conditions = [
        "notice",
        "allowlist:acme_corp_paid",
    ],
)

# Now we might build checks of critical applications against policies.
#
# Questions to consider:
# - Your organization might want to fold these kinds of checks into
#   wrapper macros around the rules which generate services and apps
# - You might want to distribute checks to rules alongside the products
# - Or, you might want to consolidate them in a single place where your
#   compliance team owns them, as this example does

# Checks //examples/src:my_server against the :production_service policy.
# This target carries no "manual" tag, so wildcard target patterns such as
# `bazel test ...` include it.
license_policy_check(
    name = "check_server",
    policy = ":production_service",
    target = "//examples/src:my_server",
)


# Demonstration of a failing check: //examples/src:my_violating_server is
# checked against the :production_service policy.
# This is marked manual, so bazel test ... does not fail (wildcard target
# patterns skip targets tagged "manual"). Try it yourself with
#   bazel build :check_violating_server
# NOTE(review): the same tag on a real policy check would keep it out of
# wildcard builds and tests, so a violation could go unnoticed in CI. Keep
# "manual" for demonstrations like this one.
license_policy_check(
    name = "check_violating_server",
    policy = ":production_service",
    tags = [
        "manual",
    ],
    target = "//examples/src:my_violating_server",
)