jk1/Gradle-License-Report

No way to Normalize a missing license

fsparv opened this issue · 1 comments

The jackson-bom dependency does not report a license, but I know Jackson has Apache 2.0.


I want to normalize it to encode the information I can find on the web, that just isn't available to the plugin. I'm trying to normalize all licenses so I can then check I have a directory in my /licenses directory that matches the normalized license name

I intend to write some custom Groovy code as a task in my Gradle build, based on parsing the output of the JSON report renderer, and then verifying that everything in the report has a dir with a license name, and below that a dir matching the artifact-version. If not, I'll fail the build and thus force any upgraded dependencies to be dealt with immediately, rather than leaving myself a 2-3 day slog through a 250-dependency hellscape to verify license compliance at release time.

I had hoped after reading the code for the normalizer I could match on the name of the module in the dependency with modulePattern but after tracking that back it appears that that refers to the name of the "module" from which a dependency was imported, not the module section of the dependency coordinate.

As far as I can tell, there's just no way to normalize anything that didn't have a license url or name.

So TL;DR: it would be nice to be able to match on the Maven coordinates too.
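The build gate described in the issue (parse the JSON report, require licenses/&lt;license name&gt;/&lt;artifact&gt;-&lt;version&gt;/ for every dependency, fail otherwise), written out as an added example. This is not the issue author's task or the plugin's code. It assumes the JsonReportRenderer layout where each entry of "dependencies" carries "moduleName" (group:artifact), "moduleVersion" and "moduleLicense"; the sample report and the directory-naming convention are constructed for the example. Entries with no license at all are reported as their own failure, since that is exactly the case that cannot be normalized away:

```python
"""Verify a license directory tree against the Gradle-License-Report JSON output.

Added example (not the plugin's own code). Assumed report shape: a top-level
"dependencies" list whose entries have "moduleName", "moduleVersion" and
"moduleLicense"; check this against your own index.json before relying on it.
"""
import json
import os
import re
import sys
import tempfile

# Constructed sample report, shaped like the plugin's JSON renderer output.
# jackson-bom deliberately has no license, mirroring the issue.
SAMPLE_REPORT_JSON = """
{
  "dependencies": [
    {"moduleName": "com.fasterxml.jackson.core:jackson-databind",
     "moduleVersion": "2.13.0", "moduleLicense": "Apache License, Version 2.0"},
    {"moduleName": "com.fasterxml.jackson:jackson-bom",
     "moduleVersion": "2.13.0", "moduleLicense": null},
    {"moduleName": "org.example:widget",
     "moduleVersion": "1.0", "moduleLicense": "MIT License"}
  ]
}
"""


def license_dir_name(license_name):
    """Map a normalized license name to a filesystem-safe directory name.
    Constructed convention: lowercase, runs of non-alphanumerics become '-'."""
    return re.sub(r"[^a-z0-9]+", "-", license_name.lower()).strip("-")


def check_report(report, licenses_root):
    """Return a list of problems; an empty list means the gate passes.

    A dependency passes only if the report gives it a license AND the directory
    <licenses_root>/<license dir>/<artifact>-<version> exists.
    """
    problems = []
    for dep in report.get("dependencies", []):
        name = dep.get("moduleName", "")
        version = dep.get("moduleVersion", "")
        lic = dep.get("moduleLicense")
        if not lic:
            # Nothing to match a directory against: this is the unnormalizable case.
            problems.append(f"{name}:{version}: no license in report (normalize or filter it)")
            continue
        artifact = name.split(":")[-1]  # "group:artifact" -> "artifact"
        expected = os.path.join(licenses_root, license_dir_name(lic), f"{artifact}-{version}")
        if not os.path.isdir(expected):
            problems.append(f"{name}:{version}: missing {expected}")
    return problems


def demo():
    """Run the check against the constructed report in a throwaway tree where
    only jackson-databind has its directory; returns the problem list."""
    report = json.loads(SAMPLE_REPORT_JSON)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "apache-license-version-2-0", "jackson-databind-2.13.0"))
        return check_report(report, root)


if __name__ == "__main__":
    found = demo()
    for line in found:
        print("LICENSE GATE:", line)
    # Non-zero exit is what makes the build fail when wired into CI.
    sys.exit(1 if found else 0)
```

In a real build the report would be read from the renderer's output file and `licenses_root` pointed at the checked-in licenses directory; the exit code is what turns the check into a build failure.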

I ran into a similar issue, and worked around it by adding an "Unknown License Filter". This filter runs before any normalizers and inserts a dummy license into the data model.

In the normalizer code, there's an "empty set" problem: if there are no licenses anywhere in the data model, none of the rules are evaluated, even if the rule should match based on module name. For example: https://github.com/jk1/Gradle-License-Report/blob/master/src/main/groovy/com/github/jk1/license/filter/LicenseBundleNormalizer.groovy#L162

Downstream normalizers are then able to operate on that. In my case, I used a bundle normalizer which has a list of licenses I looked up in source for the missing projects/artifacts in question. gradle-license-report was one of those projects :)

import com.github.jk1.license.LicenseFileData;
import com.github.jk1.license.LicenseFileDetails;
import com.github.jk1.license.ProjectData;
import com.github.jk1.license.filter.DependencyFilter;

/**
 * Substitutes an "Unknown" license declaration into modules which have no licenses
 * declared at all, making them available for license normalization.
 */
class LicenseDeclarationFilter implements DependencyFilter {
    @Override
    public ProjectData filter(final ProjectData source) {
        source.getAllDependencies().forEach(module -> {
            // A module counts as license-less only when none of the three sources
            // (bundled license files, manifest entries, POM license sections) has anything.
            if (module.getLicenseFiles().isEmpty()
               && module.getManifests().stream().noneMatch(m -> m.isHasPackagedLicense() || m.getLicense() != null || m.getLicenseUrl() != null)
               && module.getPoms().stream().allMatch(p -> p.getLicenses().isEmpty())) {
                // Give the normalizer something to match on.
                module.getLicenseFiles().add(unknownLicenseFile());
            }
        });
        return source;
    }

    /** Builds a placeholder license-file record whose only detail is the name "Unknown". */
    private static LicenseFileData unknownLicenseFile() {
        final var details = new LicenseFileDetails();
        details.setLicense("Unknown");

        final var license = new LicenseFileData();
        license.getFileDetails().add(details);
        return license;
    }
}

So then you do something like

licenseReport {
   filters = [new LicenseDeclarationFilter(), new LicenseBundleNormalizer("missing-licenses.json", false)]
}