Licensecheck will not fail when one of multiple licenses in a dependency are not allowed #285
… are matched against allowedLicenses The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. This fixes jk1#285
… are matched against allowedLicenses The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. The new configuration option is ALL, which requires that all licenses of a dependency are matched with the allowedLicenses. This fixes jk1#285
…endency licenses are matched against allowedLicenses The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. This may miss dependencies which contain multiple licenses. When 'requireAllLicensesAllowed' is set to true, it will only approve a dependency when all of its discovered licenses are found in the allowedLicenses. This may report false positives for dependencies which are dual-licensed. But in general I think a false positive is better than missing a license violation. This fixes jk1#285
alternate suggestion: instead of a boolean flag, add a new extension point feature (called something like "evaluators" or "adjudicators") which decides whether a module is allowed. the output would contain both the judgment ("allowed", "rejected", "ambiguous") and rationale.

```java
interface ComplianceEvaluator {
    ComplianceResult evaluate(ModuleData module);
}

record ComplianceResult(ModuleData module, Judgment outcome, Evidence rationale) {}
```

the existing behavior becomes the default implementation, so the scheme is backwards compatible. this would allow clients to implement their own Evaluator functions, chain them together, and so on.
…enses are matched against allowedLicenses The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. This may miss dependencies which contain multiple licenses. When 'AllRequiredLicenseChecker' is set, it will only approve a dependency when all of its discovered licenses are found in the allowedLicenses. This may report false positives for dependencies which are dual-licensed. But in general I think a false positive is better than missing a license violation. This fixes jk1#285
Just want to share my workaround to this issue. The idea is that I don't use I use the plugin to generate a markdown report (
The report is quite long but it should be quite easy to review the changes when libraries are updated or licenses change. However, the markdown report is not ideal for diffing as it contains a timestamp and a sequence number for all the items in the report. I still thought it is better than the json report but let's see how it goes.
The Library 'com.itextpdf:itextpdf:5.5.13.3' results in 2 licenses:
In our allowed-licenses.json is only "apache 2" but not "agpl" but still, the checkLicense task reports everything is fine.
In this example, the main code is licensed under agpl and the "notice.txt" describes how the author included some code, which is licensed under "apache 2". So every found license must match with our allowed-licenses.
Maybe a solution would be a config option, where one can configure which dependencies should have "anyOf" or "allOf" logic inside LicenseChecker. Right now it is "anyOf": so when any of the licenses in a project matches with allowed, then it is fine.
So maybe config options like:
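The two policies discussed in this thread (the current "anyOf" behaviour and the stricter "allOf" check), expressed through the evaluator extension point suggested in the comment above, as an added example that is not part of gradle-license-report and not code from anyone in this issue. `ModuleData`, `Judgment` and `Evidence` are hypothetical stand-ins for the types named in that suggestion, not the plugin's real model classes; the license names, the second module coordinate and the case-insensitive name comparison are constructed for this example, and treating a module with no discovered license as `AMBIGUOUS` is a choice made here, not plugin behaviour.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical stand-ins for the types the suggestion refers to.
record ModuleData(String name, Set<String> licenses) {}

enum Judgment { ALLOWED, REJECTED, AMBIGUOUS }

record Evidence(String rationale) {}

record ComplianceResult(ModuleData module, Judgment outcome, Evidence rationale) {}

interface ComplianceEvaluator {
    ComplianceResult evaluate(ModuleData module);
}

/** License names are compared case-insensitively after trimming (an assumption of this example). */
final class Licenses {
    private Licenses() {}

    static Set<String> normalize(Set<String> names) {
        return names.stream()
                .map(n -> n.trim().toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }
}

/** Current default: the module passes as soon as any discovered license is on the allow list. */
final class AnyOfEvaluator implements ComplianceEvaluator {
    private final Set<String> allowed;

    AnyOfEvaluator(Set<String> allowed) { this.allowed = Licenses.normalize(allowed); }

    @Override
    public ComplianceResult evaluate(ModuleData module) {
        Set<String> found = Licenses.normalize(module.licenses());
        if (found.isEmpty()) {
            return new ComplianceResult(module, Judgment.AMBIGUOUS, new Evidence("no license discovered"));
        }
        Set<String> matched = found.stream().filter(allowed::contains).collect(Collectors.toSet());
        if (matched.isEmpty()) {
            return new ComplianceResult(module, Judgment.REJECTED,
                    new Evidence("none of " + found + " is allowed"));
        }
        // This is the gap from the issue: the other licenses are silently ignored.
        return new ComplianceResult(module, Judgment.ALLOWED,
                new Evidence("matched " + matched + "; remaining licenses not checked"));
    }
}

/** Stricter "allOf" policy: every discovered license must be on the allow list. */
final class AllOfEvaluator implements ComplianceEvaluator {
    private final Set<String> allowed;

    AllOfEvaluator(Set<String> allowed) { this.allowed = Licenses.normalize(allowed); }

    @Override
    public ComplianceResult evaluate(ModuleData module) {
        Set<String> found = Licenses.normalize(module.licenses());
        if (found.isEmpty()) {
            return new ComplianceResult(module, Judgment.AMBIGUOUS, new Evidence("no license discovered"));
        }
        Set<String> unmatched = found.stream()
                .filter(l -> !allowed.contains(l)).collect(Collectors.toSet());
        if (!unmatched.isEmpty()) {
            return new ComplianceResult(module, Judgment.REJECTED, new Evidence("not allowed: " + unmatched));
        }
        return new ComplianceResult(module, Judgment.ALLOWED, new Evidence("all of " + found + " allowed"));
    }
}

public class LicensePolicyDemo {
    /** A check run fails if any module is rejected; ambiguous modules are reported but do not fail it here. */
    static boolean passes(List<ComplianceResult> results) {
        return results.stream().noneMatch(r -> r.outcome() == Judgment.REJECTED);
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the issue: allow list contains only Apache 2,
        // and itextpdf was discovered with both AGPL and Apache 2.
        Set<String> allowed = Set.of("Apache 2");
        List<ModuleData> modules = List.of(
                new ModuleData("com.itextpdf:itextpdf:5.5.13.3", Set.of("AGPL", "Apache 2")),
                new ModuleData("org.example:single-licensed:1.0", Set.of("apache 2")),
                new ModuleData("org.example:no-license-found:1.0", Set.of()));

        for (ComplianceEvaluator evaluator : List.of(new AnyOfEvaluator(allowed), new AllOfEvaluator(allowed))) {
            List<ComplianceResult> results = modules.stream().map(evaluator::evaluate).toList();
            System.out.println(evaluator.getClass().getSimpleName() + " -> build passes: " + passes(results));
            for (ComplianceResult r : results) {
                System.out.println("  " + r.module().name() + ": " + r.outcome() + " (" + r.rationale().rationale() + ")");
            }
        }
    }
}
```

Run with `java LicensePolicyDemo.java` on JDK 16 or newer (records and `Stream.toList()` are required). The `AnyOfEvaluator` marks itextpdf as allowed on the strength of the Apache 2 match alone, which is the behaviour the issue reports; the `AllOfEvaluator` rejects it because AGPL is not on the allow list, and the same output line shows which license caused the rejection, which is the rationale the extension-point suggestion asks for.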