Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Licensecheck will not fail when one of multiple licenses in a dependency are not allowed #285

Open
balrok opened this issue Apr 11, 2024 · 2 comments · May be fixed by #297
Open

Licensecheck will not fail when one of multiple licenses in a dependency are not allowed #285

balrok opened this issue Apr 11, 2024 · 2 comments · May be fixed by #297

Comments

@balrok
Copy link
Contributor

balrok commented Apr 11, 2024

The Library 'com.itextpdf:itextpdf:5.5.13.3' results in 2 licenses:

                "poms": [
                    {
                        "inceptionYear": "",
                        "projectUrl": "http://itextpdf.com",
                        "description": "A Free Java-PDF library",
                        "name": "iText Core",
                        "organization": null,
                        "licenses": [
                            {
                                "url": "http://www.fsf.org/licensing/licenses/agpl-3.0.html",
                                "name": "GNU Affero General Public License v3"
                            }
                        ]
                    }
                ],
                "licenseFiles": [
                    {
                        "fileDetails": [
                            {
                                "licenseUrl": null,
                                "file": "itextpdf-5.5.13.3.jar/com/itextpdf/text/LICENSE.txt",
                                "license": null
                            },
                            {
                                "licenseUrl": "https://www.apache.org/licenses/LICENSE-2.0",
                                "file": "itextpdf-5.5.13.3.jar/com/itextpdf/text/NOTICE.txt",
                                "license": "Apache License, Version 2.0"
                            }
                        ]
                    }
                ],

In our allowed-licenses.json is only "apache 2" but not "agpl" but still, the checkLicense task reports everything is fine.

In this example, the main-code is licensed under agpl and the "notice.txt" describes how the author included some code, which is licensed under "apache 2". So every found license must match with our allowed-licenses.

Maybe a solution would be a config option, where one can configure which dependencies should have "anyOf" or "allOf" -logic inside LicenseChecker. Right not it is "anyOf": so when any of the licenses in a project matches with allowed, then it is fine.

So maybe config options like:

licenseCheck.defaultCheckType = CheckType.ANY_OF
licenseCheck.perDependencyCheckType = { ".*itext.*": CheckType.ALL_OF }
balrok added a commit to balrok/Gradle-License-Report that referenced this issue Apr 16, 2024
… are matched against allowedLicenses

The default behavior is that a dependency is fine when any of its
licenses are found inside allowedLicenses.

This fixes jk1#285
balrok added a commit to balrok/Gradle-License-Report that referenced this issue Apr 17, 2024
… are matched against allowedLicenses

The default behavior is that a dependency is fine when any of its
licenses are found inside allowedLicenses.

The new configuration option is ALL, which requires that all licenses of
a dependency are matched with the allowedLicenses.

This fixes jk1#285
balrok added a commit to balrok/Gradle-License-Report that referenced this issue Apr 17, 2024
…endency licenses are matched against allowedLicenses

The default behavior is that a dependency is fine when any of its
licenses are found inside allowedLicenses. This may miss dependencies,
which contain multiple licenses.

When 'requireAllLicensesAllowed' is set to true, it will only approve a
dependency when all of its discovered licenses are found in the
allowedLicenses. This may report false-positives for dependencies which are
dual-licensed. But in general I think a false-positive is better than
missing a license violation.

This fixes jk1#285
@jct-tympanon
Copy link

alternate suggestion: instead of a boolean flag, add a new extension point feature (called something like "evaluators" or "adjudicators") which decides whether a module is allowed. the output would contain both the judgment ("allowed", "rejected", "ambiguous") and rationale.

interface ComplianceEvaluator {
   ComplianceResult evaluate(ModuleData module);
}
record ComplianceResult(ModuleData module, Judgment outcome, Evidence rationale);
licenseReport {
   evaluators = [new RejectUnknown(), new RequireAll()]
}

the existing behavior becomes the default implementation, so the scheme is backwards compatible. this would allow clients to implement their own Evaluator functions, chain them together, and so on.

balrok added a commit to balrok/Gradle-License-Report that referenced this issue May 17, 2024
…enses are matched against allowedLicenses

The default behavior is that a dependency is fine when any of its
licenses are found inside allowedLicenses. This may miss dependencies,
which contain multiple licenses.

When 'AllRequiredLicenseChecker' is set, it will only approve a
dependency when all of its discovered licenses are found in the
allowedLicenses. This may report false-positives for dependencies which are
dual-licensed. But in general I think a false-positive is better than
missing a license violation.

This fixes jk1#285
balrok added a commit to balrok/Gradle-License-Report that referenced this issue May 18, 2024
…enses are matched against allowedLicenses

The default behavior is that a dependency is fine when any of its
licenses are found inside allowedLicenses. This may miss dependencies,
which contain multiple licenses.

When 'AllRequiredLicenseChecker' is set, it will only approve a
dependency when all of its discovered licenses are found in the
allowedLicenses. This may report false-positives for dependencies which are
dual-licensed. But in general I think a false-positive is better than
missing a license violation.

This fixes jk1#285
balrok added a commit to balrok/Gradle-License-Report that referenced this issue May 26, 2024
…enses are matched against allowedLicenses

The default behavior is that a dependency is fine when any of its
licenses are found inside allowedLicenses. This may miss dependencies,
which contain multiple licenses.

When 'AllRequiredLicenseChecker' is set, it will only approve a
dependency when all of its discovered licenses are found in the
allowedLicenses. This may report false-positives for dependencies which are
dual-licensed. But in general I think a false-positive is better than
missing a license violation.

This fixes jk1#285
balrok added a commit to balrok/Gradle-License-Report that referenced this issue May 26, 2024
…enses are matched against allowedLicenses

The default behavior is that a dependency is fine when any of its
licenses are found inside allowedLicenses. This may miss dependencies,
which contain multiple licenses.

When 'AllRequiredLicenseChecker' is set, it will only approve a
dependency when all of its discovered licenses are found in the
allowedLicenses. This may report false-positives for dependencies which are
dual-licensed. But in general I think a false-positive is better than
missing a license violation.

This fixes jk1#285
@suntsa
Copy link

suntsa commented Dec 12, 2024

Just want to share my workaround to this issue. The idea is that I don't use checkLicense at all but instead make it so that developer's must review changes when dependencies or their licenses change.

I use the plugin to generate a markdown report (InventoryMarkdownReportRenderer) but then use a custom gradle task to instead of checkLicense. The workflow is:

  1. store the whole license report into version control
  2. CI runs a task that checks if the report is up-to-date and fails if not
  3. When necessary, developer updates the report (via another gradle task) and reviews the changes (git diff)

The report is quite long but it should be quite easy to review the changes when libraries are updated or licenses change. However, the markdown report is not ideal for diffing as it contains a timestamp and a sequence number for all the items in the report. I still thought it is better than the json report but let's see how it goes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
3 participants