Add vendor license checks to PR (#744)

* Add vendor license checks to PR

This PR aims to add automatic detection of licenses of vendor-ed packages for every PR raised
to the Odo repository using a tool called [wwhrd](https://github.com/frapposelli/wwhrd) that
iterates on every vendored package, searches for the license file, detects the license type
and validates the detected license type against the different sections of the configuration
file .wwhrd.yml.

fixes #743
Signed-off-by: anmolbabu <anmolbudugutta@gmail.com>

* Incoporate comments from @surajnarwade

Signed-off-by: anmolbabu <anmolbudugutta@gmail.com>

* Incoporate @tkral Comments

Signed-off-by: anmolbabu <anmolbudugutta@gmail.com>

* Add documentation about the license checks

Signed-off-by: anmolbabu <anmolbudugutta@gmail.com>

* Incoporate @codeclimate comments

Signed-off-by: anmolbabu <anmolbudugutta@gmail.com>

* Incoporate @cdrage comments

Signed-off-by: anmolbabu <anmolbudugutta@gmail.com>

* Incoporate @cdrage and @kadel comments

Signed-off-by: anmolbabu <anmolbudugutta@gmail.com>

* Incorporate @cdrage comments

Signed-off-by: anmolbabu <anmolbudugutta@gmail.com>

.wwhrd.yml

@@ -0,0 +1,17 @@
+---
+blacklist:
+  # https://www.apache.org/licenses/GPL-compatibility.html
+  - GPL-2.0
+
+whitelist:
+  - Apache-2.0
+  - MIT
+  - NewBSD
+  - FreeBSD
+  - ISC
+
+exceptions:
+  # wwhrd currently does not detect ISC which is compatible with Odo so, add it under exceptions to avoid errors due to it being not recognised
+  - github.com/davecgh/go-spew/spew/...
+  # wwhrd currently does not detect ISC which is compatible with Odo so, add it under exceptions to avoid errors due to it being not recognised
+  - github.com/olekukonko/tablewriter

Makefile

@@ -16,7 +16,7 @@ install:
 
 # run all validation tests
 .PHONY: validate
-validate: gofmt check-vendor vet #lint
+validate: gofmt check-vendor vet validate-vendor-licenses #lint
 
 .PHONY: gofmt
 gofmt:
@@ -26,6 +26,9 @@ gofmt:
 check-vendor:
 	./scripts/check-vendor.sh
 
+.PHONY: validate-vendor-licenses
+validate-vendor-licenses:
+	wwhrd check
 # golint errors are only recommendations
 .PHONY: lint
 lint:
@@ -45,6 +48,7 @@ goget-tools:
 	go get -u github.com/Masterminds/glide
 	# go get -u golang.org/x/lint/golint
 	go get -u github.com/mitchellh/gox
+	go get github.com/frapposelli/wwhrd
 
 # Run unit tests and collect coverage
 .PHONY: test-coverage

docs/development.md

@@ -5,6 +5,7 @@
 - [Dependency Management](https://github.com/redhat-developer/odo/blob/master/docs/development.md#dependency-management)
 - [Release Guide](https://github.com/redhat-developer/odo/blob/master/docs/development.md#release-guide)
 - [Odo Bot](https://github.com/redhat-developer/odo/blob/master/docs/development.md#odo-bot)
+- [Licenses](https://github.com/redhat-developer/odo/blob/master/docs/development.md#licenses)
 
 ## Workflow
 
@@ -270,3 +271,21 @@ When new git tag is created, Travis-ci deploy job automatically builds binaries
 | Script      | What it is doing                          | Access via                                    |
 |-------------|-------------------------------------------|-----------------------------------------------|
 | .travis.yml | Uploading binaries to GitHub release page | Personal access token `deploy-github-release` |
+
+
+## Licenses
+
+[wwhrd](https://github.com/frapposelli/wwhrd) is used in Odo for checking license
+compatibilities of vendored packages.
+
+Configuration for `wwhrd` is stored in
+[`.wwhrd.yml`](https://github.com/redhat-developer/odo/blob/master/.wwhrd.yml).
+
+The `whitelist` section is for licenses that are always allowed.
+The `blacklist` section is for licenses that are never allowed and will
+always fail a build. Any licenses that are not explicitly mentioned are considered
+to be in a `exceptions` and will need to be explicitly allowed by adding the import
+path to the exceptions.
+
+More details about the license compatibility check tool can be found
+[here](https://github.com/frapposelli/wwhrd)