jk1/Gradle-License-Report

Licensecheck will not fail when one of multiple licenses in a dependency are not allowed

balrok opened this issue · 1 comment

The Library 'com.itextpdf:itextpdf:5.5.13.3' results in 2 licenses:

```json
"poms": [
    {
        "inceptionYear": "",
        "projectUrl": "http://itextpdf.com",
        "description": "A Free Java-PDF library",
        "name": "iText Core",
        "organization": null,
        "licenses": [
            {
                "url": "http://www.fsf.org/licensing/licenses/agpl-3.0.html",
                "name": "GNU Affero General Public License v3"
            }
        ]
    }
],
"licenseFiles": [
    {
        "fileDetails": [
            {
                "licenseUrl": null,
                "file": "itextpdf-5.5.13.3.jar/com/itextpdf/text/LICENSE.txt",
                "license": null
            },
            {
                "licenseUrl": "https://www.apache.org/licenses/LICENSE-2.0",
                "file": "itextpdf-5.5.13.3.jar/com/itextpdf/text/NOTICE.txt",
                "license": "Apache License, Version 2.0"
            }
        ]
    }
],
```

Our allowed-licenses.json contains only "apache 2" and not "agpl", but the checkLicense task still reports that everything is fine.

In this example, the main code is licensed under AGPL and the NOTICE.txt describes how the author included some code which is licensed under "apache 2". So every license found must match our allowed licenses.

Maybe a solution would be a config option where one can configure which dependencies should have "anyOf" or "allOf" logic inside LicenseChecker. Right now it is "anyOf": when any of the licenses in a project matches an allowed one, then it is fine.

So maybe config options like:

```groovy
licenseCheck.defaultCheckType = CheckType.ANY_OF
licenseCheck.perDependencyCheckType = { ".*itext.*": CheckType.ALL_OF }
```

Alternate suggestion: instead of a boolean flag, add a new extension point feature (called something like "evaluators" or "adjudicators") which decides whether a module is allowed. The output would contain both the judgment ("allowed", "rejected", "ambiguous") and the rationale.

```groovy
interface ComplianceEvaluator {
   ComplianceResult evaluate(ModuleData module);
}
record ComplianceResult(ModuleData module, Judgment outcome, Evidence rationale);
licenseReport {
   evaluators = [new RejectUnknown(), new RequireAll()]
}
```

The existing behavior becomes the default implementation, so the scheme is backwards compatible. This would allow clients to implement their own Evaluator functions, chain them together, and so on.
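To make the two proposals in this thread concrete, here is an added Python example that is not part of this issue or of the Gradle-License-Report plugin. It replays the report fragment posted above through both check types: the ANY_OF logic the plugin applies today (one allowed license is enough, so the AGPL-licensed iText module passes because its NOTICE.txt mentions Apache 2.0) and the proposed ALL_OF logic (every license found must be allowed, so the same module is rejected), and it returns a judgment plus rationale per module in the shape the second comment sketches. The top-level `dependencies` list, the `moduleName`/`moduleVersion` keys, the regex form of the allowed-license list and the `per_dependency` pattern map are assumptions of this example, not the plugin's own format or API.

```python
"""Added example, not code from jk1/Gradle-License-Report: replay the
ANY_OF / ALL_OF license check from the issue over a report fragment."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from enum import Enum


class CheckType(Enum):
    ANY_OF = "anyOf"   # current plugin behaviour: one allowed license is enough
    ALL_OF = "allOf"   # proposed: every license found must be allowed


class Judgment(Enum):
    ALLOWED = "allowed"
    REJECTED = "rejected"
    AMBIGUOUS = "ambiguous"  # no license could be determined at all


@dataclass
class ComplianceResult:
    module: str
    outcome: Judgment
    rationale: list = field(default_factory=list)


# Constructed report fragment modelled on the JSON posted in the issue. The
# "dependencies" list and "moduleName"/"moduleVersion" keys are assumptions
# of this example, not the plugin's exact output format.
SAMPLE_REPORT = json.loads("""
{"dependencies": [
  {"moduleName": "com.itextpdf:itextpdf", "moduleVersion": "5.5.13.3",
   "poms": [{"name": "iText Core", "licenses": [
     {"url": "http://www.fsf.org/licensing/licenses/agpl-3.0.html",
      "name": "GNU Affero General Public License v3"}]}],
   "licenseFiles": [{"fileDetails": [
     {"file": "itextpdf-5.5.13.3.jar/com/itextpdf/text/LICENSE.txt", "license": null},
     {"file": "itextpdf-5.5.13.3.jar/com/itextpdf/text/NOTICE.txt",
      "license": "Apache License, Version 2.0"}]}]},
  {"moduleName": "org.example:no-license-info", "moduleVersion": "1.0",
   "poms": [{"name": "mystery", "licenses": []}], "licenseFiles": []}
]}
""")

# Allowed licenses as case-insensitive regular expressions (constructed; the
# plugin's own allowed-licenses.json layout is not reproduced here).
ALLOWED = [r"Apache License, Version 2\.0", r"MIT License"]


def collect_licenses(module: dict) -> set[str]:
    """Every license name the report found for a module, taken from POM
    declarations and from license files; null entries are skipped."""
    found = set()
    for pom in module.get("poms", []):
        for lic in pom.get("licenses", []):
            if lic.get("name"):
                found.add(lic["name"])
    for lf in module.get("licenseFiles", []):
        for detail in lf.get("fileDetails", []):
            if detail.get("license"):
                found.add(detail["license"])
    return found


def is_allowed(license_name: str, allowed: list[str]) -> bool:
    return any(re.fullmatch(p, license_name, re.IGNORECASE) for p in allowed)


def check_type_for(module_name: str, default: CheckType,
                   per_dependency: dict[str, CheckType]) -> CheckType:
    """First per-dependency pattern that matches the module name wins."""
    for pattern, check_type in per_dependency.items():
        if re.fullmatch(pattern, module_name):
            return check_type
    return default


def evaluate(module: dict, allowed: list[str], check_type: CheckType) -> ComplianceResult:
    """Judge one module and record why, license by license."""
    name = f'{module["moduleName"]}:{module["moduleVersion"]}'
    licenses = collect_licenses(module)
    if not licenses:
        return ComplianceResult(name, Judgment.AMBIGUOUS, ["no license information found"])
    verdicts = {lic: is_allowed(lic, allowed) for lic in sorted(licenses)}
    rationale = [f'{lic}: {"allowed" if ok else "not allowed"}' for lic, ok in verdicts.items()]
    passed = all(verdicts.values()) if check_type is CheckType.ALL_OF else any(verdicts.values())
    outcome = Judgment.ALLOWED if passed else Judgment.REJECTED
    return ComplianceResult(name, outcome, [f"check type {check_type.value}"] + rationale)


def evaluate_report(report: dict, allowed: list[str],
                    default: CheckType = CheckType.ANY_OF,
                    per_dependency: dict[str, CheckType] | None = None) -> list[ComplianceResult]:
    per_dependency = per_dependency or {}
    return [evaluate(m, allowed, check_type_for(m["moduleName"], default, per_dependency))
            for m in report["dependencies"]]


if __name__ == "__main__":
    for result in evaluate_report(SAMPLE_REPORT, ALLOWED,
                                  per_dependency={".*itext.*": CheckType.ALL_OF}):
        print(result.module, result.outcome.value, "; ".join(result.rationale))
```

Run stand-alone, the script rejects the iText module under the per-dependency ALL_OF rule with the AGPL entry named in the rationale, and flags the second constructed module as ambiguous rather than silently passing it; dropping the `per_dependency` argument reproduces the ANY_OF behaviour the issue complains about. Keeping the rationale alongside the outcome is what makes such a result auditable when a chain of evaluators is in play.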