Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Add license check #46

Closed
DreierF opened this issue Jan 3, 2022 · 9 comments · Fixed by #49
Closed

Add license check #46

DreierF opened this issue Jan 3, 2022 · 9 comments · Fixed by #49

Comments

@DreierF
Copy link
Contributor

DreierF commented Jan 3, 2022

Hi @vlsi,
I would like to have the possibility to specify a set of licenses that I want to allow for the project and a task that checks whether only matching licenses are found. This would allow to detect early when a dependency with an incompatible license is introduced. As the GatherLicenseTask already does the hard work of collecting that information this should not be very complicated to add I guess.
The API could look similar to https://github.com/cashapp/licensee#allow.
(Your plugin is way better in determining the correct SPDX identifier and allows overriding in contrast to licensee)

What do you think?
Would you accept a PR adding this feature?
@vlsi
Copy link
Owner

vlsi commented Jan 3, 2022

Hi,

I think it makes sense. Historically, the only license classification I saw was https://www.apache.org/legal/resolved.html (which was basically the only motivation for the plugin itself).

So I have

vlsi-release-plugins/plugins/stage-vote-release-plugin/src/main/kotlin/com/github/vlsi/gradle/release/Apache2LicenseRenderer.kt

Lines 173 to 186 in acaadb5

val licenseInterpreter = Apache2LicenseInterpreter()
licenseInterpreter.licenseCategory.putAll(licenseCategory.get())
dependencies
.map {
it.key to it.value.license
}
.groupByTo(TreeMap()) { (_, license) ->
licenseInterpreter.eval(license)
}
.filterKeys { it !in allowedTypes }
.forEach { (category, dependencies) ->
val header =
"Dependencies of license category $category are not allowed for $artifactType artifacts"
and https://github.com/vlsi/vlsi-release-plugins/blob/acaadb520a8ca9bc8e06403de97f8798c008a977/plugins/stage-vote-release-plugin/src/main/kotlin/com/github/vlsi/gradle/release/Apache2LicenseInterpreter.kt

Splitting "verify license" from Apache2LicenseRenderer into a separate task sounds like the right thing to do.

@vlsi
Copy link
Owner

vlsi commented Jan 3, 2022

Do you think you could prepare a PR for a "check license compatibility" or "verify license compatibility" (I'm not sure regarding the naming) task in license-gather-plugin?

@DreierF
Copy link
Contributor Author

DreierF commented Jan 4, 2022

Thanks for the quick response!
I tried to dig into it, but I have to admit I didn't understand yet how all the pieces fit together and won't have the time in the near future to continue working on it.

@vlsi
Copy link
Owner

vlsi commented Jan 4, 2022

By the way, do you have a use-case (a github project?) for this "license check"?

@DreierF
Copy link
Contributor Author

DreierF commented Jan 4, 2022

I have a use-case, but the project I'm working on is not open source unfortunately.

@vlsi
Copy link
Owner

vlsi commented Jan 5, 2022
edited
Loading

I see. Do you have a reference for the known compatible licenses? Are you going to add "allowed" licenses one by one?

For instance, the ASF has three license categories: A (allowed in source form), B (allowed only in binary artifacts), and X (forbidden everywhere).

So one of the configurations could be:

val gatherLicenes by tasks.registering(GatherLicenseTask::class) {
    configuration(configurations.runtimeClasspath)
    // configure license overrides, etc
}

val verifyLicenseCompatibility by tasks.register(VerifyLicenseCompatibilityTask::class) {
    metadata.set(gatherLicenes) // <-- "metadata" could probably have a better naming
    allow(AsfLicenseCategory.A)
}

@DreierF
Copy link
Contributor Author

DreierF commented Jan 5, 2022

Allowing whole categories would be a nice usability helper, but in the general case I think we would also need the ability to allow licenses one by one as well as custom named licenses (e.g. jgit which is detected as Eclipse Distribution License (New BSD License))

@vlsi
Copy link
Owner

vlsi commented Jan 5, 2022

I think behind the lines of VerifyLicenseCompatibilityTask below, so adding "non-standard" would be like

allow(
    SimpleLicense(
        "Java HTML Tidy License",
        uri("http://jtidy.svn.sourceforge.net/viewvc/jtidy/trunk/jtidy/LICENSE.txt?revision=95")
    )
)
class VerifyLicenseCompatibilityTask : DefaultTask() {
    /**
     * This is a file collected by [GatherLicenseTask].
     */
    @InputFiles
    val metadata = objectFactory.fileCollection()

    @Input
    val acceptableLicenses = objectFactory.setProperty<LicenseExpression>()

    /**
     * Outputs `OK` when verification is successful.
     */
    @OutputFile
    val resultFile = objectFactory.fileProperty()

    fun allow(license: License) {
        acceptableLicenses.add(license.asExpression())
    }

    fun allow(license: Set<License>) { // or vararg?
        acceptableLicenses.add(license.asExpression())
    }

    fun allow(licenseExpression: LicenseExpression) {
        acceptableLicenses.add(licenseExpression)
    }

    fun allow(licenseExpression: Set<LicenseExpression>) { // or vararg?
        acceptableLicenses.add(licenseExpression)
    }
...

@DreierF
Copy link
Contributor Author

DreierF commented Jan 5, 2022

Sounds good 🙂
Thank you very much for pushing that idea forward!

@vlsi vlsi mentioned this issue Jan 10, 2022
Merged
@vlsi vlsi closed this as completed in #49 Feb 13, 2022
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

license-gather: add a task for verifying license compatibility vlsi/vlsi-release-plugins
2 participants
@vlsi @DreierF