From c4531cb217b3d842eeb19afc6bceb085747c1190 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Mon, 8 Aug 2022 10:03:26 +0200
Subject: [PATCH] add dependency license compatibility check
---
 README.md | 32 +++++++++++++++++++++++++++++++-
 build.gradle | 7 +++++++
 etc/allowed-licenses.json | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 etc/allowed-licenses.json
diff --git a/README.md b/README.md
index 985322cf..68cdaf14 100644
--- a/README.md
+++ b/README.md
@@ -351,8 +351,38 @@ In case of suppression, a note must be added to explain why it does not apply to
 See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html.
+### Dependency-License-Compatibility
-## How to Run the Appplication on a Different Port
+The `gw check` phase depends on a dependency-license-compatibility check.
+If any dependency violates the configured [list of allowed licenses](etc/allowed-licenses.json), the build will fail.
+New licenses can be added to that list after a legal investigation.
+
+**⚠**
+*GPL* (*GNU General Public License*) is only allowed with classpath exception.
+Do not use any dependencies under *GPL* without this exception,
+except if these offer an alternative license which is allowed.
+
+To run just the dependency-license-compatibility check, use:
+
+```shell
+gw checkLicense
+```
+
+If the check fails, a report can be found here: The generated license can be found under [dependencies-without-allowed-license.json](/build/reports/dependency-license/dependencies-without-allowed-license.json).
+
+And to generate a report, use:
+
+```shell
+gw generateLicenseReport
+```
+
+The generated license can be found here: [index.html](build/reports/dependency-license/index.html).
+
+More information can be found on the [project's website](https://github.com/jk1/Gradle-License-Report).
+
+## How To ...
+
+### How to Run the Application on a Different Port
 By default, `gw bootRun` starts the application on port 8080.
diff --git a/build.gradle b/build.gradle
index 60569c99..f5e6a0a3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -2,6 +2,7 @@ plugins {
 id 'java'
 id 'org.springframework.boot' version '2.7.2'
 id 'io.spring.dependency-management' version '1.0.12.RELEASE'
+ id 'com.github.jk1.dependency-license-report' version '2.1'
 id "org.owasp.dependencycheck" version "7.1.1"
 id "com.diffplug.spotless" version "6.9.0"
 }
@@ -91,3 +92,9 @@ dependencyCheck {
 failBuildOnCVSS = 7
 }
 project.tasks.check.dependsOn(dependencyCheckAnalyze)
+
+licenseReport {
+ excludeBoms = true
+ allowedLicensesFile = new File("$projectDir/etc/allowed-licenses.json")
+}
+project.tasks.check.dependsOn(checkLicense)
diff --git a/etc/allowed-licenses.json b/etc/allowed-licenses.json
new file mode 100644
index 00000000..cbacbf0b
--- /dev/null
+++ b/etc/allowed-licenses.json
@@ -0,0 +1,32 @@
+{
+ "allowedLicenses": [
+ { "moduleLicense": "Apache 2.0" },
+ { "moduleLicense": "Apache License, Version 2.0" },
+ { "moduleLicense": "The Apache Software License, Version 2.0" },
+
+ { "moduleLicense": "BSD License" },
+ { "moduleLicense": "BSD-2-Clause" },
+
+ { "moduleLicense": "CDDL 1.1" },
+ { "moduleLicense": "CDDL/GPLv2+CE" },
+ { "moduleLicense": "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0" },
+
+ { "moduleLicense": "EDL 1.0" },
+ { "moduleLicense": "Eclipse Distribution License 1.0" },
+
+ { "moduleLicense": "Eclipse Public License - v 1.0" },
+ { "moduleLicense": "Eclipse Public License - v 2.0" },
+ { "moduleLicense": "Eclipse Public License - v. 2.0" },
+ { "moduleLicense": "Eclipse Public License - v1.0" },
+ { "moduleLicense": "Eclipse Public License v 2.0" },
+ { "moduleLicense": "Eclipse Public License v. 2.0" },
+
+ { "moduleLicense": "GNU General Public License, version 2 with the GNU Classpath Exception" },
+ { "moduleLicense": "GPL2 w/ CPE" },
+
+ { "moduleLicense": "MIT License" },
+ { "moduleLicense": "MIT" },
+ { "moduleLicense": "The MIT License (MIT)" },
+ { "moduleLicense": "The MIT License" }
+ ]
+}
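Review bot: The `licenseReport { … }` block pins the allowed-licenses file but not which Gradle configurations `checkLicense` inspects, so the scope of the new `check` gate is whatever the plugin's default is for version 2.1 — which may or may not include test-only and annotation-processor dependencies — and nothing in the build file records the intent. Pin it explicitly next to `excludeBoms`, e.g. `configurations = ['runtimeClasspath']` if only shipped code is meant to be gated, or the plugin's all-configurations setting if test dependencies should be covered too. It is also worth one comment on what the gate actually proves: judging by the many spellings of the same license in `etc/allowed-licenses.json`, matching appears to be against the license name each dependency's POM declares, which is publisher-supplied and unverified, so `// license gate matches publisher-declared POM license names; a compliance aid, not provenance or integrity verification` would stop readers from over-trusting a green `check`.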
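Review bot: `"BSD License"` is a family name rather than a specific license, so any module whose POM uses that label is waved through, including code under the original 4-clause BSD with its advertising clause, which carries obligations the explicit `"BSD-2-Clause"` entry beneath it does not admit. If only the 2-/3-clause variants were legally reviewed, consider replacing it with the exact spellings that actually occur in the dependency tree (e.g. `"BSD-3-Clause"`, `"The BSD 3-Clause License"`, `"New BSD License"`) and letting the check fail on the generic label until a human looks at the module. More generally, every entry here allows a license name for all modules and a strict-JSON file cannot carry a rationale, so the legal investigation the README requires has nowhere to be recorded; scoping an entry with the plugin's `moduleName`/`moduleVersion` fields where one specific module motivated it, and naming that module in the commit that adds the entry, keeps the list auditable.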