add dependency license compatibility check

2022-08-08 10:03:26 +02:00 · 2022-08-08 10:03:26 +02:00 · c4531cb217
commit c4531cb217
parent 86128f5994
3 changed files with 70 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -351,8 +351,38 @@ In case of suppression, a note must be added to explain why it does not apply to

 See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html.

+### Dependency-License-Compatibility

-## How to Run the Appplication on a Different Port 
+The `gw check` phase depends on a dependency-license-compatibility check.
+If any dependency violates the configured [list of allowed licenses](etc/allowed-licenses.json), the build will fail.
+New licenses can be added to that list after a legal investigation.
+
+<big>**&#9888;**</big>
+*GPL* (*GNU General Public License*) is only allowed with classpath exception.
+Do <u>not</u> use any dependencies under *GPL* without this exception,
+except if these offer an alternative license which is allowed. 
+
+To run just the dependency-license-compatibility check, use:
+
+```shell
+gw checkLicense
+```
+
+If the check fails, a report can be found here: The generated license can be found under [dependencies-without-allowed-license.json](/build/reports/dependency-license/dependencies-without-allowed-license.json).
+
+And to generate a report, use:
+
+```shell
+gw generateLicenseReport
+```
+
+The generated license can be found here: [index.html](build/reports/dependency-license/index.html).
+
+More information can be found on the [project's website](https://github.com/jk1/Gradle-License-Report).
+
+## How To ...
+
+### How to Run the Application on a Different Port 

 By default, `gw bootRun` starts the application on port 8080.

--- a/build.gradle
+++ b/build.gradle
@ -2,6 +2,7 @@ plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.2'
    id 'io.spring.dependency-management' version '1.0.12.RELEASE'
+    id 'com.github.jk1.dependency-license-report' version '2.1'
    id "org.owasp.dependencycheck" version "7.1.1"
    id "com.diffplug.spotless" version "6.9.0"
 }
@ -91,3 +92,9 @@ dependencyCheck {
    failBuildOnCVSS = 7
 }
 project.tasks.check.dependsOn(dependencyCheckAnalyze)
+
+licenseReport {
+    excludeBoms = true
+    allowedLicensesFile = new File("$projectDir/etc/allowed-licenses.json")
+}
+project.tasks.check.dependsOn(checkLicense)
--- a/etc/allowed-licenses.json
+++ b/etc/allowed-licenses.json
@ -0,0 +1,32 @@
+{
+    "allowedLicenses": [
+        { "moduleLicense": "Apache 2.0" },
+        { "moduleLicense": "Apache License, Version 2.0" },
+        { "moduleLicense": "The Apache Software License, Version 2.0" },
+
+        { "moduleLicense": "BSD License" },
+        { "moduleLicense": "BSD-2-Clause" },
+
+        { "moduleLicense": "CDDL 1.1" },
+        { "moduleLicense": "CDDL/GPLv2+CE" },
+        { "moduleLicense": "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0" },
+
+        { "moduleLicense": "EDL 1.0" },
+        { "moduleLicense": "Eclipse Distribution License 1.0" },
+
+        { "moduleLicense": "Eclipse Public License - v 1.0" },
+        { "moduleLicense": "Eclipse Public License - v 2.0" },
+        { "moduleLicense": "Eclipse Public License - v. 2.0" },
+        { "moduleLicense": "Eclipse Public License - v1.0" },
+        { "moduleLicense": "Eclipse Public License v 2.0" },
+        { "moduleLicense": "Eclipse Public License v. 2.0" },
+
+        { "moduleLicense": "GNU General Public License, version 2 with the GNU Classpath Exception" },
+        { "moduleLicense": "GPL2 w/ CPE" },
+
+        { "moduleLicense": "MIT License" },
+        { "moduleLicense": "MIT" },
+        { "moduleLicense": "The MIT License (MIT)" },
+        { "moduleLicense": "The MIT License" }
+    ]
+}