License check

[rgetz]

make: add SPDX license audit script for compliance checking

This adds a spdx_check_target() CMake function to validate that all source
files in a target (and its linked static/shared libraries) include a valid
SPDX-License-Identifier tag and hides it behind a new "-DLICENCE_CHECK"
cmake option.

Key features:
 - Recursively gathers all sources linked into a target, even from
   subdirectories or helper libraries.
 - Differentiates between known SPDX-licensed files and those missing tags.
 - Handles relative paths for better readability.
 - Filters out generated or build-directory files (e.g., config.h, yacc/lex
   output).
 - Summarizes licenses used and flags untagged files for manual review.
 - Prints out external libraries which are linked (which needs to be
   checked by hand).

This is especially useful in projects with mixed-license source files,
where build options can change the resulting binaries license. This will
ensure license compliance, auditability, and downstream clarity.

Helps improve:
 - Legal review processes
 - Contributor workflow (by enforcing license hygiene)
 - Automation and SPDX compatibility

Signed-off-by: Robin Getz <[email protected]>

Can now print out things like this:

-- === License Check for : iio ==========
--     MIT: attr.c, backend.c, block.c, buffer.c, channel.c, context.c, device.c, events.c, library.c, mask.c, scan.c, sort.c, stream.c, task.c, utilities.c, xml.c
--     LGPL-2.1-or-later: usb.c, local.c, local-dmabuf.c, local-mmap.c, network.c, network-unix.c, dns_sd.c, dns_sd_avahi.c, lock.c, iiod-client.c, iiod-responder.c
--     Missing SPDX: deps/libini/libini.c
--     External libraries: /usr/lib/x86_64-linux-gnu/libusb-1.0.so, /usr/lib/x86_64-linux-gnu/librt.so, /usr/lib/x86_64-linux-gnu/libatomic.so.1, /usr/lib/x86_64-linux-gnu/libzstd.so, /usr/lib/x86_64-linux-gnu/libavahi-common.so, /usr/lib/x86_64-linux-gnu/libavahi-client.so, /usr/lib/x86_64-linux-gnu/libxml2.so, /usr/lib/x86_64-linux-gnu/libpthread.so

which can get confusing for the utils - but it's clear that they are still GPL (not MIT, or LGPL).

--     GPL-2.0-or-later: utils/iio_info.c, utils/iio_common.c, utils/gen_code.c
--     MIT: attr.c, backend.c, block.c, buffer.c, channel.c, context.c, device.c, events.c, library.c, mask.c, scan.c, sort.c, stream.c, task.c, utilities.c, xml.c
--     LGPL-2.1-or-later: usb.c, local.c, local-dmabuf.c, local-mmap.c, network.c, network-unix.c, dns_sd.c, dns_sd_avahi.c, lock.c, iiod-client.c, iiod-responder.c
--     Missing SPDX: deps/libini/libini.c

which will adapt based on cmake options used.

https://github.com/pcercuei/libini/pull/5 is in process to fix the Missing SPDX: deps/libini/libini.c issue.

[rgetz]

was thinking about this - at this time - this only looks at source files (.c) not header files (.h) - should likely add for the same reason...

Will see if I can update.

[rgetz]

cmake ../ -DLICENSE_CHECK=ON

generates a list that looks like:

-- === License Check for : iio ==========
--     MIT: attr.c, backend.c, block.c, buffer.c, channel.c, context.c, device.c, events.c, library.c, mask.c, scan.c, sort.c, stream.c, task.c, utilities.c, xml.c, iiod-responder.h, include/iio/iio.h, include/iio/iio-backend.h, include/iio/iio-lock.h, iio-private.h, include/iio/iio-debug.h, sort.h, attr.h
--     LGPL-2.1-or-later: usb.c, local.c, local-dmabuf.c, local-mmap.c, network.c, network-unix.c, dns_sd.c, dns_sd_avahi.c, lock.c, iiod-client.c, iiod-responder.c, dynamic.h, network.h, include/iio/iiod-client.h, local.h, dns_sd.h
--     Missing SPDX: deps/libini/libini.c, deps/libini/ini.h
--     External libraries: /usr/lib/x86_64-linux-gnu/libusb-1.0.so, /usr/lib/x86_64-linux-gnu/librt.so, /usr/lib/x86_64-linux-gnu/libatomic.so.1, /usr/lib/x86_64-linux-gnu/libzstd.so, /usr/lib/x86_64-linux-gnu/libavahi-common.so, /usr/lib/x86_64-linux-gnu/libavahi-client.so, /usr/lib/x86_64-linux-gnu/libxml2.so, /usr/lib/x86_64-linux-gnu/libpthread.so

-- === License Check for iiod: iiod ==========
--     LGPL-2.1-or-later: iiod/iiod.c, iiod/interpreter.c, iiod/rw.c, iiod/thread-pool.c, iiod/ops.c, iiod/usbd.c, iiod/serial.c, iiod/network.c, usb.c, local.c, local-dmabuf.c, local-mmap.c, network.c, network-unix.c, dns_sd.c, dns_sd_avahi.c, lock.c, iiod-client.c, iiod-responder.c, dynamic.h, network.h, include/iio/iiod-client.h, local.h, dns_sd.h, iiod/debug.h, iiod/thread-pool.h
--     MIT: iiod/responder.c, attr.c, backend.c, block.c, buffer.c, channel.c, context.c, device.c, events.c, library.c, mask.c, scan.c, sort.c, stream.c, task.c, utilities.c, xml.c, iiod-responder.h, include/iio/iio.h, include/iio/iio-backend.h, include/iio/iio-lock.h, iio-private.h, include/iio/iio-debug.h, sort.h, attr.h, iiod/ops.h
--     LGPL-v2-or-later: iiod/dns-sd.c, iiod/dns-sd.h
--     BSD-3-Clause: iiod/queue.h
--     Missing SPDX: deps/libini/libini.c, deps/libini/ini.h
--     External libraries: /usr/lib/x86_64-linux-gnu/libpthread.so, /usr/lib/x86_64-linux-gnu/libavahi-common.so, /usr/lib/x86_64-linux-gnu/libavahi-client.so, /usr/lib/x86_64-linux-gnu/libaio.so, /usr/lib/x86_64-linux-gnu/libzstd.so

I know this works on gcc, but have not tested on clang, or on MSVC yet. Feedback welcome.

[dNechita]

I know this works on gcc, but have not tested on clang, or on MSVC yet. Feedback welcome.

On Windows it doesn't work but it can be easily fixed by including Utilities.cmake at the top of the main cmake file. include(cmake/Utilities.cmake)

Error was:

CMake Error at CMakeLists.txt:765 (spdx_check_all_targets):
  Unknown CMake command "spdx_check_all_targets".

[rgetz]

Thanks - will fix that shortly.

[rgetz]

Any other feedback? The list is pretty dense - it might use an empty line between targets?

[rgetz]

Missing SPDX: deps/libini/libini.c, deps/libini/ini.h

I don't know if you want me to fix that locally as part of this patchset? or wait for @pcercuei to have a look at https://github.com/pcercuei/libini/pull/5

I think my preference would be to fix things, and then turn missing SPDX lines into a error - and then turn this on in CI, to make sure that we catch things in the future, but I'm open to opinions.

[dNechita]

Missing SPDX: deps/libini/libini.c, deps/libini/ini.h

I don't know if you want me to fix that locally as part of this patchset? or wait for @pcercuei to have a look at pcercuei/libini#5

I think my preference would be to fix things, and then turn missing SPDX lines into a error - and then turn this on in CI, to make sure that we catch things in the future, but I'm open to opinions.

From a technical point of view, you can't touch the files from deps as you would for a regular source file. The original repository would need to be updated first and then make libiio repo point to the updated libini repo. This is a snipped from the readme of the deps dir:

Commits of the Libiio repository must *not* touch any file or directory
present in the deps/ folder.

[pcercuei]

I merged the libini PR with the SPDX headers btw.

[rgetz]

From a technical point of view, you can't touch the files from deps as you would for a regular source file.

@dNechita - do you want to take care of this then?

[rgetz]

#1298 needs to be merged first, and then I will rebased on top of that.

[rgetz]

still work in progress - need to look at it a little deeper.

[dNechita]

From a technical point of view, you can't touch the files from deps as you would for a regular source file.

@dNechita - do you want to take care of this then?

Yes. I just made a PR (#1299) that updates the libini submodule so that it would point to the latest commit. Once merged, you can rebase your work on the main branch.