add dependency license compatibility check

This commit is contained in:
Michael Hoennig 2022-08-08 10:03:26 +02:00
parent 86128f5994
commit c4531cb217
3 changed files with 70 additions and 1 deletions


@ -351,8 +351,38 @@ In case of suppression, a note must be added to explain why it does not apply to
See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html. See also: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html.
### Dependency-License-Compatibility
## How to Run the Appplication on a Different Port The `gw check` phase depends on a dependency-license-compatibility check.
If any dependency violates the configured [list of allowed licenses](etc/allowed-licenses.json), the build will fail.
New licenses can be added to that list after a legal investigation.
<big>**&#9888;**</big>
*GPL* (*GNU General Public License*) is only allowed with classpath exception.
Do <u>not</u> use any dependencies under *GPL* without this exception,
except if these offer an alternative license which is allowed.
To run just the dependency-license-compatibility check, use:
```shell
gw checkLicense
```
If the check fails, a report can be found here: The generated license can be found under [dependencies-without-allowed-license.json](/build/reports/dependency-license/dependencies-without-allowed-license.json).
And to generate a report, use:
```shell
gw generateLicenseReport
```
The generated license can be found here: [index.html](build/reports/dependency-license/index.html).
More information can be found on the [project's website](https://github.com/jk1/Gradle-License-Report).
## How To ...
### How to Run the Application on a Different Port
By default, `gw bootRun` starts the application on port 8080. By default, `gw bootRun` starts the application on port 8080.


@ -2,6 +2,7 @@ plugins {
id 'java' id 'java'
id 'org.springframework.boot' version '2.7.2' id 'org.springframework.boot' version '2.7.2'
id 'io.spring.dependency-management' version '1.0.12.RELEASE' id 'io.spring.dependency-management' version '1.0.12.RELEASE'
id 'com.github.jk1.dependency-license-report' version '2.1'
id "org.owasp.dependencycheck" version "7.1.1" id "org.owasp.dependencycheck" version "7.1.1"
id "com.diffplug.spotless" version "6.9.0" id "com.diffplug.spotless" version "6.9.0"
} }
@ -91,3 +92,9 @@ dependencyCheck {
failBuildOnCVSS = 7 failBuildOnCVSS = 7
} }
project.tasks.check.dependsOn(dependencyCheckAnalyze) project.tasks.check.dependsOn(dependencyCheckAnalyze)
licenseReport {
excludeBoms = true
allowedLicensesFile = new File("$projectDir/etc/allowed-licenses.json")
}
project.tasks.check.dependsOn(checkLicense)
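Review bot: The `licenseReport { … }` block compares the raw license string each dependency's POM self-declares against the allowed list verbatim, so the new `checkLicense` gate passes or fails on spelling rather than on the license itself, which is why the list needs four Apache and seven EPL variants. The plugin's normalizer filter, `filters = [new com.github.jk1.license.filter.LicenseBundleNormalizer()]`, maps those variants to one canonical name before the check runs and would keep the allowed list short and reviewable. As a point of style, `allowedLicensesFile = file("etc/allowed-licenses.json")` resolves the same path relative to the project directory without the string interpolation. It is also worth confirming, and stating in a comment above the block, how a dependency that declares no license at all is treated, since an absent license cannot match any allowed entry and is the case a compliance gate most needs to catch.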

etc/allowed-licenses.json Normal file

@ -0,0 +1,32 @@
{
"allowedLicenses": [
{ "moduleLicense": "Apache 2.0" },
{ "moduleLicense": "Apache License, Version 2.0" },
{ "moduleLicense": "The Apache Software License, Version 2.0" },
{ "moduleLicense": "BSD License" },
{ "moduleLicense": "BSD-2-Clause" },
{ "moduleLicense": "CDDL 1.1" },
{ "moduleLicense": "CDDL/GPLv2+CE" },
{ "moduleLicense": "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0" },
{ "moduleLicense": "EDL 1.0" },
{ "moduleLicense": "Eclipse Distribution License 1.0" },
{ "moduleLicense": "Eclipse Public License - v 1.0" },
{ "moduleLicense": "Eclipse Public License - v 2.0" },
{ "moduleLicense": "Eclipse Public License - v. 2.0" },
{ "moduleLicense": "Eclipse Public License - v1.0" },
{ "moduleLicense": "Eclipse Public License v 2.0" },
{ "moduleLicense": "Eclipse Public License v. 2.0" },
{ "moduleLicense": "GNU General Public License, version 2 with the GNU Classpath Exception" },
{ "moduleLicense": "GPL2 w/ CPE" },
{ "moduleLicense": "MIT License" },
{ "moduleLicense": "MIT" },
{ "moduleLicense": "The MIT License (MIT)" },
{ "moduleLicense": "The MIT License" }
]
}
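Review bot: The entry `{ "moduleLicense": "BSD License" }` is too coarse for an allow-list: that string does not distinguish the 2-, 3- and 4-clause variants, and the 4-clause form carries the advertising clause that most projects deliberately exclude, so it is worth checking which dependency produced it and narrowing the entry the way `BSD-2-Clause` on the next line already is. Because JSON carries no comments, the legal rationale the README requires for each accepted spelling can only live in the README or in the commit that adds the entry; keeping that habit makes later audits of this file possible. Where a single dependency needs an exception, the plugin's per-module fields (`moduleName`/`moduleVersion` next to `moduleLicense`, if I recall the format correctly) admit just that artifact rather than a new generic license string for every dependency.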