How to collect license information for libraries in a .NET application using NuGet License Utility

TL;DR

Install Nuget License Utility as .NET global tool:

dotnet tool install --global dotnet-project-licenses

Collecting license information and output it into a json file:

dotnet-project-licenses --input [directory|solution_file|project_file] --unique --json --output-directory [output_dir] --outfile [filename].json

Problem

When developing an app you might have found yourself in a situation where you actually have to show the license information of all third party libraries used in your app, e.g. for legal reasons.

Since the whole .NET ecosystem contains quite a lot of open source libraries, most of time you can actually go to nuget.org, search for a library and there you will find the license information for a library, meaning under which license the author has published the library:

But especially for larger projects this manual process can become quite tedious. The information you grabbed there also can become outdated quite quickly. For example, each time you update a library you have to check whether the license information you put in your app are still valid and up to date.

So wouldn't it be cool if you could scan a .NET project or even a whole .NET solution for all used libraries, gather all license information and output these information into one simple file you can then embed into your application?

Well, thanks to a nice gentleman named Thomas Chavakis (and a couple of other contributors) there is a .NET tool called NuGet License Utility that does exactly that.

Installing NuGet License Utility as a .NET global tool

dotnet tool install --global dotnet-project-licenses

After you installed the tool you should check if the installation went well by calling it with the --version option:

dotnet-project-licenses --version

This should print out the current version of the tool which at the time writing this post is 2.3.11:

> dotnet-project-licenses --version

NugetUtility 2.3.11

By calling dotnet-project-licenses --help you can list all the available options.

The next step is to actually scan your project for all used libraries.

Example: Scan a Xamarin.iOS application for licenses

When calling dotnet-project-licenses on the command line you can pass several options to it that control the outcome of the scan. However, the one mandatory option you have to pass to the tool is the --input option. Depending on the scope you want the tool to gather license information in, you can pass a directory, a solution file or a project file.

The example in this article is based on a sample app you can find on GitHub: https://github.com/AndreasHennig/OnionArchitectureAppSample

I want to scan the iOS app and determine which libraries with which licenses are used in this app. I will first give you the whole command and then we will unravel the different bits and pieces of it:

dotnet-project-licenses --input src/OnionArchitectureApp.iOS/OnionArchitectureApp.iOS.csproj --unique --json --output-directory src --outfile licenses.json

The first option that is passed is the (mandatory) --input option, which expects a path to the application you want to collect license information of, in this case the path to the project file of the Xamarin.iOS project.

The second option that is passed is the --unique option which makes sure that the list of generated libraries does not contain any doublets.

With the --json option you control that the result of the scan is not just an output on the command line but actually written into a json file.

With the to options --outfile and --output-directory you can control filename and path of the genereted json file. Here is an excerpt of the generated json file in this example:

[
    (...)
    {
        "PackageName": "Xamarin.Forms",
        "PackageVersion": "5.0.0.2012+671-sha.68c17772d-azdo.4465181",
        "PackageUrl": "http://xamarin.com/forms",
        "Copyright": "© Microsoft Corporation. All rights reserved.",
        "Authors": [
            "Microsoft"
        ],
        "Description": "Build native UIs for iOS, Android, UWP, macOS, Tizen and many more from a single, shared C# codebase",
        "LicenseUrl": "https://licenses.nuget.org/MIT",
        "LicenseType": "MIT"
    }
    (...)
]

So as you can see for each library that is used in your project you have information like the package name, it's version and, most importantly, the license type under which the library is published and a URL to the license text.

This generated json file you can now use in your app to show license information about all the libraries you are using. In case of a Xamarin application like this example I recommend to add the licenses.json file to your project as an embedded ressource.

When you are building your app using continuous integration and an automated build process you could also consider to run the scan as part of the build process instead of running the scanning for used libraries / licenses once and submitting the generated licenses.json to version control.

That way you can be absolutely sure that the licenses file distributed with your application is always up to date with the libraries actually used in your app.

Conclusion

Manually collecting license information about all 3rd party NuGet packages used in a .NET application can be a pretty tedious process.

In this article I described a way to automatically collect these license information using the NuGet License Utility dotnet tool.

By automatically collecting the license information it is way easier to keep these information up to date. For even more convenience you can collect the license information as part of an automatic build process and thus make sure that the license information deployed with your app fit with the libraries you are actually using.

Additional resources

https://github.com/tomchavakis/nuget-license