Licensecheck will not fail when one of multiple licenses in a dependency are not allowed #285

balrok · 2024-04-11T07:57:39Z

The Library 'com.itextpdf:itextpdf:5.5.13.3' results in 2 licenses:

                "poms": [
                    {
                        "inceptionYear": "",
                        "projectUrl": "http://itextpdf.com",
                        "description": "A Free Java-PDF library",
                        "name": "iText Core",
                        "organization": null,
                        "licenses": [
                            {
                                "url": "http://www.fsf.org/licensing/licenses/agpl-3.0.html",
                                "name": "GNU Affero General Public License v3"
                            }
                        ]
                    }
                ],
                "licenseFiles": [
                    {
                        "fileDetails": [
                            {
                                "licenseUrl": null,
                                "file": "itextpdf-5.5.13.3.jar/com/itextpdf/text/LICENSE.txt",
                                "license": null
                            },
                            {
                                "licenseUrl": "https://www.apache.org/licenses/LICENSE-2.0",
                                "file": "itextpdf-5.5.13.3.jar/com/itextpdf/text/NOTICE.txt",
                                "license": "Apache License, Version 2.0"
                            }
                        ]
                    }
                ],

In our allowed-licenses.json is only "apache 2" but not "agpl" but still, the checkLicense task reports everything is fine.

In this example, the main-code is licensed under agpl and the "notice.txt" describes how the author included some code, which is licensed under "apache 2". So every found license must match with our allowed-licenses.

Maybe a solution would be a config option, where one can configure which dependencies should have "anyOf" or "allOf" -logic inside LicenseChecker. Right not it is "anyOf": so when any of the licenses in a project matches with allowed, then it is fine.

So maybe config options like:

licenseCheck.defaultCheckType = CheckType.ANY_OF
licenseCheck.perDependencyCheckType = { ".*itext.*": CheckType.ALL_OF }

… are matched against allowedLicenses The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. This fixes jk1#285

… are matched against allowedLicenses The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. The new configuration option is ALL, which requires that all licenses of a dependency are matched with the allowedLicenses. This fixes jk1#285

…endency licenses are matched against allowedLicenses The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. This may miss dependencies, which contain multiple licenses. When 'requireAllLicensesAllowed' is set to true, it will only approve a dependency when all of its discovered licenses are found in the allowedLicenses. This may report false-positives for dependencies which are dual-licensed. But in general I think a false-positive is better than missing a license violation. This fixes jk1#285

jct-tympanon · 2024-05-07T19:42:06Z

alternate suggestion: instead of a boolean flag, add a new extension point feature (called something like "evaluators" or "adjudicators") which decides whether a module is allowed. the output would contain both the judgment ("allowed", "rejected", "ambiguous") and rationale.

interface ComplianceEvaluator {
   ComplianceResult evaluate(ModuleData module);
}
record ComplianceResult(ModuleData module, Judgment outcome, Evidence rationale);

licenseReport {
   evaluators = [new RejectUnknown(), new RequireAll()]
}

the existing behavior becomes the default implementation, so the scheme is backwards compatible. this would allow clients to implement their own Evaluator functions, chain them together, and so on.

…enses are matched against allowedLicenses The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. This may miss dependencies, which contain multiple licenses. When 'AllRequiredLicenseChecker' is set, it will only approve a dependency when all of its discovered licenses are found in the allowedLicenses. This may report false-positives for dependencies which are dual-licensed. But in general I think a false-positive is better than missing a license violation. This fixes jk1#285

This was referenced Apr 17, 2024

implement 'licenseChecker' config option to change how dependency licenses are matched against allowedLicenses #297

Open

Improve support for checkLicense to allow license black listing #256

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Licensecheck will not fail when one of multiple licenses in a dependency are not allowed #285

Licensecheck will not fail when one of multiple licenses in a dependency are not allowed #285

balrok commented Apr 11, 2024

jct-tympanon commented May 7, 2024

Licensecheck will not fail when one of multiple licenses in a dependency are not allowed #285

Licensecheck will not fail when one of multiple licenses in a dependency are not allowed #285

Comments

balrok commented Apr 11, 2024

jct-tympanon commented May 7, 2024