Merge pull request #1579 from thehyve/license-validation

Implement package license scanner for backend components.
thehyve · Jan 3, 2025 · 776db5d · 776db5d
2 parents c49ee8c + 85937f9
commit 776db5d
Show file tree

Hide file tree

Showing 8 changed files with 115 additions and 0 deletions.
diff --git a/projects/pluto/README.md b/projects/pluto/README.md
@@ -34,4 +34,12 @@ To format the code, run the following command:
 
 NOTE: The Spotless plugin also runs as part of the CI pipeline. Build will fail if the code is not formatted correctly.
 
+### Licenses
 
+The project uses the Gradle license plugin to manage licenses. To check if the licenses of the dependencies 
+are compatible with list of allowed licenses defined in [allowed-licenses.json](allowed-licenses.json),
+run the following command:
+
+```bash
+./gradlew :checkLicense
+```
diff --git a/projects/pluto/allowed-licenses.json b/projects/pluto/allowed-licenses.json
@@ -0,0 +1,28 @@
+{
+  "allowedLicenses": [
+    {
+      "moduleLicense": "Apache License, Version 2.0"
+    },
+    {
+      "moduleLicense": "MIT License"
+    },
+    {
+      "moduleLicense": "MIT-0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License - v 1.0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License - v 2.0"
+    },
+    {
+      "moduleLicense": "Creative Commons Legal Code"
+    },
+    {
+      "moduleLicense": "Bouncy Castle Licence"
+    },
+    {
+      "moduleLicense": "PUBLIC DOMAIN"
+    }
+  ]
+}
diff --git a/projects/pluto/build.gradle b/projects/pluto/build.gradle
@@ -13,6 +13,7 @@ plugins {
     id "org.owasp.dependencycheck" version '8.2.1'
     id 'io.spring.dependency-management' version '1.1.4'
     id "com.diffplug.spotless" version "6.25.0"
+    id 'com.github.jk1.dependency-license-report' version '2.9'
 }
 
 group 'nl.fairspace'
@@ -98,3 +99,9 @@ dependencyManagement {
         mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
     }
 }
+
+import com.github.jk1.license.filter.LicenseBundleNormalizer
+licenseReport {
+    filters = [new LicenseBundleNormalizer(bundlePath: "$projectDir/license-normalizer-bundle.json")]
+    allowedLicensesFile = new File("$projectDir/allowed-licenses.json")
+}
diff --git a/projects/pluto/license-normalizer-bundle.json b/projects/pluto/license-normalizer-bundle.json
@@ -0,0 +1,10 @@
+{
+  "bundles" : [
+    { "bundleName" : "apache2", "licenseName" : "Apache License, Version 2.0", "licenseUrl" : "http://www.apache.org/licenses/LICENSE-2.0" }
+  ],
+  "transformationRules" : [
+    { "bundleName" : "apache2", "licenseNamePattern" : ".*The Apache Software License, Version 2.0.*" },
+    { "bundleName" : "apache2", "licenseNamePattern" : "Apache 2" },
+    { "bundleName" : "apache2", "licenseNamePattern" : "Apache License 2.0" }
+  ]
+}
diff --git a/projects/saturn/README.md b/projects/saturn/README.md
@@ -34,4 +34,12 @@ To format the code, run the following command:
 
 NOTE: The Spotless plugin also runs as part of the CI pipeline. Build will fail if the code is not formatted correctly.
 
+### Licenses
 
+The project uses the Gradle license plugin to manage licenses. To check if the licenses of the dependencies
+are compatible with list of allowed licenses defined in [allowed-licenses.json](allowed-licenses.json),
+run the following command:
+
+```bash
+./gradlew :checkLicense
+```
diff --git a/projects/saturn/allowed-licenses.json b/projects/saturn/allowed-licenses.json
@@ -0,0 +1,37 @@
+{
+  "allowedLicenses": [
+    {
+      "moduleLicense": "Apache License, Version 2.0"
+    },
+    {
+      "moduleLicense": "MIT License"
+    },
+    {
+      "moduleLicense": "MIT-0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License - v 1.0"
+    },
+    {
+      "moduleLicense": "Eclipse Public License - v 2.0"
+    },
+    {
+      "moduleLicense": "The 3-Clause BSD License"
+    },
+    {
+      "moduleLicense": "The 2-Clause BSD License"
+    },
+    {
+      "moduleLicense": "Creative Commons Legal Code"
+    },
+    {
+      "moduleLicense": "Bouncy Castle Licence"
+    },
+    {
+      "moduleLicense": "Similar to Apache License but with the acknowledgment clause removed"
+    },
+    {
+      "moduleLicense": "PUBLIC DOMAIN"
+    }
+  ]
+}
diff --git a/projects/saturn/build.gradle b/projects/saturn/build.gradle
@@ -17,6 +17,7 @@ plugins {
     id 'jacoco'
     id "org.owasp.dependencycheck" version "8.2.1"
     id "com.diffplug.spotless" version "6.25.0"
+    id 'com.github.jk1.dependency-license-report' version '2.9'
 }
 
 group 'io.fairspace'
@@ -116,3 +117,9 @@ test {
     jvmArgs = ['--add-opens', 'java.base/java.util=ALL-UNNAMED']
     useJUnitPlatform()
 }
+
+import com.github.jk1.license.filter.LicenseBundleNormalizer
+licenseReport {
+    filters = [new LicenseBundleNormalizer(bundlePath: "$projectDir/license-normalizer-bundle.json")]
+    allowedLicensesFile = new File("$projectDir/allowed-licenses.json")
+}
diff --git a/projects/saturn/license-normalizer-bundle.json b/projects/saturn/license-normalizer-bundle.json
@@ -0,0 +1,10 @@
+{
+  "bundles" : [
+    { "bundleName" : "apache2", "licenseName" : "Apache License, Version 2.0", "licenseUrl" : "http://www.apache.org/licenses/LICENSE-2.0" }
+  ],
+  "transformationRules" : [
+    { "bundleName" : "apache2", "licenseNamePattern" : ".*The Apache Software License, Version 2.0.*" },
+    { "bundleName" : "apache2", "licenseNamePattern" : "Apache 2" },
+    { "bundleName" : "apache2", "licenseNamePattern" : "Apache License 2.0" }
+  ]
+}