
Implement license checks in Macaron

Open vinkris01 opened this issue 1 year ago • 2 comments

Implement license filtering in Macaron against a configurable, pre-defined set of licenses. Macaron pulls down code and metadata today from GH repositories for performing various analyses. With this feature, the users would have a certain degree of control over the code and data being fetched and can make it conditional on specific licenses that the code and data are subject to.

Expected outcome:

- Set of licenses (as per SPDX identifier format) that are user configurable in a .ini file or similar
- Macaron produces suitable log messages while performing the license checks
- Macaron fetches code and data subject to license checks

vinkris01 avatar May 03 '24 00:05 vinkris01

@vinkris01 Thanks for opening this issue. We can also add a check to report whether the license complies with the allowed licenses and the user can enforce policies based on the check result.

One thing that we might need to do is to clone the repository to check the license. So, it might not be possible to totally avoid pulling down the source code.

behnazh-w avatar May 03 '24 01:05 behnazh-w

> One thing that we might need to do is to clone the repository to check the license.

We could obtain the content of the LICENSE from a GitHub repository using the GitHub API - https://docs.github.com/en/rest/licenses/licenses?apiVersion=2022-11-28#get-the-license-for-a-repository without cloning it. I'm not sure how much extra overhead it would introduce.

tromai avatar Sep 02 '24 05:09 tromai
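Putting the two suggestions in this thread together (a user-configurable SPDX allow-list and the GitHub license endpoint instead of a clone), as an added example that is not Macaron's own code. The `.ini` layout, the function names and the sample API response are assumptions; only the endpoint URL and the `license.spdx_id` / `NOASSERTION` behaviour come from the GitHub API docs linked above.

```python
"""Added example: allow-list license check fed by GET /repos/{owner}/{repo}/license."""
import base64
import configparser
import json
import urllib.error
import urllib.request
from typing import Optional, Set, Tuple

# Assumed config layout (not Macaron's real format): comma-separated SPDX identifiers.
SAMPLE_INI = """
[license]
allowed = Apache-2.0, MIT, BSD-3-Clause
"""

# Constructed sample shaped like the GitHub license endpoint response (fields trimmed).
SAMPLE_RESPONSE = {
    "license": {"key": "mit", "name": "MIT License", "spdx_id": "MIT"},
    "encoding": "base64",
    "content": base64.b64encode(b"MIT License\n\nCopyright (c) ...").decode(),
}


def load_allowed_licenses(ini_text: str) -> Set[str]:
    """Parse the allow-list section into a set of SPDX identifiers."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    raw = parser.get("license", "allowed", fallback="")
    return {item.strip() for item in raw.split(",") if item.strip()}


def fetch_license(owner: str, repo: str, token: Optional[str] = None) -> Optional[dict]:
    """Query the GitHub license endpoint; None means the repo has no license file (404)."""
    headers = {"Accept": "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(f"https://api.github.com/repos/{owner}/{repo}/license", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def check_license(response: Optional[dict], allowed: Set[str]) -> Tuple[bool, str]:
    """Return (compliant, spdx_id); a missing or unclassified license never passes."""
    if response is None:
        return False, "NONE"
    spdx_id = (response.get("license") or {}).get("spdx_id") or "NOASSERTION"
    if spdx_id == "NOASSERTION":  # GitHub could not classify the license text
        return False, spdx_id
    return spdx_id in allowed, spdx_id
```

`fetch_license` is the only network call; `check_license` works on the parsed response, so the policy decision can be unit-tested without touching GitHub.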