License check updates (#1406)

* Add docs and special case comments * Add special cases * Add whitelist criteria * Fill out license whitelists + add more output * Now that we're passing, do not continue if script returns failure * Apply workflow to all PRs
2023-08-23 15:51:17 -04:00 · 2023-08-23 15:51:17 -04:00 · d468a61664
parent fb64a720c8
commit d468a61664
5 changed files with 107 additions and 4 deletions
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@ -3,6 +3,12 @@
 name: License Check
 on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  workflow_dispatch:
@ -27,4 +33,4 @@ jobs:
      run: chmod u+x .github/workflows/license-check/license-check.sh
    - name: Run script
      run: .github/workflows/license-check/license-check.sh
-      continue-on-error: true
+      #continue-on-error: true
--- a/.github/workflows/license-check/README.md
+++ b/.github/workflows/license-check/README.md
@ -0,0 +1,65 @@
 # License Check
 The license check script is a basic bash script that consumes the output from maven license checks, and throws errors if any are found that are not in specified whitelists.
 ## Pre-requisite Maven commands
 The following two maven commands, executed in the root of the project, will generate license files in the target locations: `target/generated-sources/license/THIRD-PARTY.txt` 
 This command will generate all the license files for each module:
 ```shell
 mvn license:add-third-party
 ```
 This command will generate all the license files for the whole project (must be run after the first command, or it will have no licenses to aggregate):
 ```shell
 mvn license:aggregate-add-third-party
 ```
 ## Bash script
 From the root of the project, execute the following:
 ```shell
 ./.github/workflows/license-check/license-check.sh 
 ```
 Note that this requires a recent version of bash.
 ## Whitelists
 Whitelists are license names permitted for use within this project. This project uses an Apache 2.0 license. and follows the rule that a selection of dependencies with copyleft licenses can be included in the project as binaries, but shouldn't appear in the source release. https://www.apache.org/legal/resolved.html#weak-copyleft-licenses
 This list includes:
 * Common Development and Distribution Licenses: CDDL 1.0 and CDDL 1.1
 * Common Public License: CPL 1.0
 * Eclipse Public License: EPL 1.0
 * IBM Public License: IPL 1.0
 * Mozilla Public Licenses: MPL 1.0, MPL 1.1, and MPL 2.0
 * Sun Public License: SPL 1.0
 * Open Software License 3.0
 * Erlang Public License
 * UnRAR License (only for unarchiving)
 * SIL Open Font License
 * Ubuntu Font License Version 1.0
 * IPA Font License Agreement v1.0
 * Ruby License (including the older version when GPLv2 was a listed alternative Ruby 1.9.2 license)
 * Eclipse Public License 2.0: EPL 2.0
 There are two Whitelist files, necessitated by the sometimes inconsistent formatting of `THIRD-PARTY.txt`.
 `license-whitelist.txt` contains individual licenses that are permitted in the project. Note that these are repeated in multiple formats, as these are a strict string match, and licenses names do not have a single canonical text representation (example: 'Apache Software License 2.0',
 'The Apache License, Version 2.0',
 'The Apache Software License, Version 2.0')
 'license-special-cases.txt' contains entire lines from the `THIRD-PARTY.txt` to account for cases where the license name itself may be problematic to whitelist, such as `(Unknown License)`:
 ```text
 # Is not included in the dependency but is GNU Lesser GPL. See: https://code.google.com/archive/p/javaparser/
 (Unknown license) javaparser (com.google.code.javaparser:javaparser:1.0.11 - http://code.google.com/p/javaparser/)
 ```
 Note that for each of these there should be an explicit reason for the special case in a comment, to prevent unnecessarily re-evaluating of special cases.
--- a/.github/workflows/license-check/license-check.sh
+++ b/.github/workflows/license-check/license-check.sh
@ -46,4 +46,13 @@ do
    fi
 done
 echo "Check complete."
 if (( exitStatus == 0 ))
 then
  echo "All licenses OK"
 else
  echo "Possible license incompatibilities found. Check above logs."
 fi
 exit $exitStatus
--- a/.github/workflows/license-check/license-special-cases.txt
+++ b/.github/workflows/license-check/license-special-cases.txt
@ -1,3 +1,19 @@
 # Is not included in the dependency but is GNU Lesser GPL. See: https://code.google.com/archive/p/javaparser/
 (Unknown license) javaparser (com.google.code.javaparser:javaparser:1.0.11 - http://code.google.com/p/javaparser/)
-# IGNORE ME
+# Because of parsing issues, FHIR R4 shows up as a license. I really need to redo this script in Python for cleaner parsing. -dotasek
-(Apache Software License 2.0) HAPI FHIR - Validation Resources (FHIR R4) (ca.uhn.hapi.fhir:hapi-fhir-validation-resources-r4:6.4.1 - https://hapifhir.io/hapi-deployable-pom/hapi-fhir-validation-resources-r4)
+(Apache Software License 2.0) HAPI FHIR - Validation Resources (FHIR R4) (ca.uhn.hapi.fhir:hapi-fhir-validation-resources-r4:6.4.1 - https://hapifhir.io/hapi-deployable-pom/hapi-fhir-validation-resources-r4)
 # The following can be licensed with either license, of which the Apache is compatible
 (Apache Software License, version 1.1) (Indiana University Extreme! Lab Software License, vesion 1.1.1) (Public Domain) MXP1: Xml Pull Parser 3rd Edition (XPP3) (xpp3:xpp3:1.1.4c - http://www.extreme.indiana.edu/xgws/xsoap/xpp/mxp1/)
 (Indiana University Extreme! Lab Software License, vesion 1.1.1) MXP1: Xml Pull Parser 3rd Edition (XPP3) (xpp3:xpp3_xpath:1.1.4c - http://www.extreme.indiana.edu/xgws/xsoap/xpp/mxp1/)
 # Aggregator is incorrectly parsed as a license.
 (Eclipse Public License v2.0) JUnit Jupiter (Aggregator) (org.junit.jupiter:junit-jupiter:5.9.1 - https://junit.org/junit5/)
 # https://www.jcp.org/en/jsr/detail?id=374 specifies this as an OR relationship between possible licenses, of which CDDL is compatible
 (Dual license consisting of the CDDL v1.1 and GPL v2) JSR 353 (JSON Processing) Default Provider (org.glassfish:javax.json:1.0.4 - http://jsonp.java.net)
 # javax.xml.bind is incorrectly interpreted as a license name.
 (The Apache Software License, Version 2.0) Jackson module: Old JAXB Annotations (javax.xml.bind) (com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.15.2 - https://github.com/FasterXML/jackson-modules-base)
 # full is incorrectly interpreted as a license name
 (Apache License, Version 2.0) Apache POI - OOXML schemas (full) (org.apache.poi:poi-ooxml-full:5.2.1 - https://poi.apache.org/)
 # Actually a BSD license https://mvnrepository.com/artifact/org.antlr/ST4/4.1
 (Unknown license) StringTemplate 4 (org.antlr:ST4:4.1 - http://nexus.sonatype.org/oss-repository-hosting.html/ST4)
 # without dependencies is incorrectly intepreted as a license name
 (Apache License, Version 2.0) Byte Buddy (without dependencies) (net.bytebuddy:byte-buddy:1.12.14 - https://bytebuddy.net/byte-buddy)
--- a/.github/workflows/license-check/license-whitelist.txt
+++ b/.github/workflows/license-check/license-whitelist.txt
@ -6,6 +6,7 @@ The Apache Software License, Version 2.0
 MIT License
 The MIT License
 Apache Software License, version 1.1
 Apache-2.0
 Apache 2
 Apache 2.0
 Apache License 2.0
@ -17,9 +18,15 @@ BSD License 3
 New BSD License
 BSD 3 Clause
 The JSON License
 Eclipse Public License 1.0
 Eclipse Public License - v 1.0
 Eclipse Public License v. 2.0
 Eclipse Distribution License v. 1.0
 Eclipse Distribution License - v 1.0
 EDL 1.0
 Unicode/ICU License
-BSD 2-Clause License
+BSD 2-Clause License
 LGPL 2.1
 GNU Lesser General Public License
 MPL 1.1
 Mozilla Public License Version 2.0