License check updates (#1406)
* Add docs and special case comments * Add special cases * Add whitelist criteria * Fill out license whitelists + add more output * Now that we're passing, do not continue if script returns failure * Apply workflow to all PRs
This commit is contained in:
parent
fb64a720c8
commit
d468a61664
|
@ -3,6 +3,12 @@
|
|||
name: License Check
|
||||
|
||||
on:
|
||||
# Triggers the workflow on push or pull request events but only for the main branch
|
||||
push:
|
||||
branches: [ master ]
|
||||
pull_request:
|
||||
branches: [ master ]
|
||||
|
||||
workflow_dispatch:
|
||||
|
||||
|
||||
|
@ -27,4 +33,4 @@ jobs:
|
|||
run: chmod u+x .github/workflows/license-check/license-check.sh
|
||||
- name: Run script
|
||||
run: .github/workflows/license-check/license-check.sh
|
||||
continue-on-error: true
|
||||
#continue-on-error: true
|
|
@ -0,0 +1,65 @@
|
|||
# License Check
|
||||
|
||||
The license check script is a basic bash script that consumes the output from maven license checks, and throws errors if any are found that are not in specified whitelists.
|
||||
|
||||
## Pre-requisite Maven commands
|
||||
|
||||
The following two maven commands, executed in the root of the project, will generate license files in the target locations: `target/generated-sources/license/THIRD-PARTY.txt`
|
||||
|
||||
This command will generate all the license files for each module:
|
||||
|
||||
```shell
|
||||
mvn license:add-third-party
|
||||
```
|
||||
|
||||
This command will generate all the license files for the whole project (must be run after the first command, or it will have no licenses to aggregate):
|
||||
|
||||
```shell
|
||||
mvn license:aggregate-add-third-party
|
||||
```
|
||||
|
||||
## Bash script
|
||||
|
||||
From the root of the project, execute the following:
|
||||
|
||||
```shell
|
||||
./.github/workflows/license-check/license-check.sh
|
||||
```
|
||||
|
||||
Note that this requires a recent version of bash.
|
||||
|
||||
## Whitelists
|
||||
|
||||
Whitelists are license names permitted for use within this project. This project uses an Apache 2.0 license. and follows the rule that a selection of dependencies with copyleft licenses can be included in the project as binaries, but shouldn't appear in the source release. https://www.apache.org/legal/resolved.html#weak-copyleft-licenses
|
||||
|
||||
This list includes:
|
||||
|
||||
* Common Development and Distribution Licenses: CDDL 1.0 and CDDL 1.1
|
||||
* Common Public License: CPL 1.0
|
||||
* Eclipse Public License: EPL 1.0
|
||||
* IBM Public License: IPL 1.0
|
||||
* Mozilla Public Licenses: MPL 1.0, MPL 1.1, and MPL 2.0
|
||||
* Sun Public License: SPL 1.0
|
||||
* Open Software License 3.0
|
||||
* Erlang Public License
|
||||
* UnRAR License (only for unarchiving)
|
||||
* SIL Open Font License
|
||||
* Ubuntu Font License Version 1.0
|
||||
* IPA Font License Agreement v1.0
|
||||
* Ruby License (including the older version when GPLv2 was a listed alternative Ruby 1.9.2 license)
|
||||
* Eclipse Public License 2.0: EPL 2.0
|
||||
|
||||
There are two Whitelist files, necessitated by the sometimes inconsistent formatting of `THIRD-PARTY.txt`.
|
||||
|
||||
`license-whitelist.txt` contains individual licenses that are permitted in the project. Note that these are repeated in multiple formats, as these are a strict string match, and licenses names do not have a single canonical text representation (example: 'Apache Software License 2.0',
|
||||
'The Apache License, Version 2.0',
|
||||
'The Apache Software License, Version 2.0')
|
||||
|
||||
'license-special-cases.txt' contains entire lines from the `THIRD-PARTY.txt` to account for cases where the license name itself may be problematic to whitelist, such as `(Unknown License)`:
|
||||
|
||||
```text
|
||||
# Is not included in the dependency but is GNU Lesser GPL. See: https://code.google.com/archive/p/javaparser/
|
||||
(Unknown license) javaparser (com.google.code.javaparser:javaparser:1.0.11 - http://code.google.com/p/javaparser/)
|
||||
```
|
||||
|
||||
Note that for each of these there should be an explicit reason for the special case in a comment, to prevent unnecessarily re-evaluating of special cases.
|
|
@ -46,4 +46,13 @@ do
|
|||
fi
|
||||
done
|
||||
|
||||
echo "Check complete."
|
||||
|
||||
if (( exitStatus == 0 ))
|
||||
then
|
||||
echo "All licenses OK"
|
||||
else
|
||||
echo "Possible license incompatibilities found. Check above logs."
|
||||
fi
|
||||
|
||||
exit $exitStatus
|
|
@ -1,3 +1,19 @@
|
|||
# Is not included in the dependency but is GNU Lesser GPL. See: https://code.google.com/archive/p/javaparser/
|
||||
(Unknown license) javaparser (com.google.code.javaparser:javaparser:1.0.11 - http://code.google.com/p/javaparser/)
|
||||
# IGNORE ME
|
||||
# Because of parsing issues, FHIR R4 shows up as a license. I really need to redo this script in Python for cleaner parsing. -dotasek
|
||||
(Apache Software License 2.0) HAPI FHIR - Validation Resources (FHIR R4) (ca.uhn.hapi.fhir:hapi-fhir-validation-resources-r4:6.4.1 - https://hapifhir.io/hapi-deployable-pom/hapi-fhir-validation-resources-r4)
|
||||
# The following can be licensed with either license, of which the Apache is compatible
|
||||
(Apache Software License, version 1.1) (Indiana University Extreme! Lab Software License, vesion 1.1.1) (Public Domain) MXP1: Xml Pull Parser 3rd Edition (XPP3) (xpp3:xpp3:1.1.4c - http://www.extreme.indiana.edu/xgws/xsoap/xpp/mxp1/)
|
||||
(Indiana University Extreme! Lab Software License, vesion 1.1.1) MXP1: Xml Pull Parser 3rd Edition (XPP3) (xpp3:xpp3_xpath:1.1.4c - http://www.extreme.indiana.edu/xgws/xsoap/xpp/mxp1/)
|
||||
# Aggregator is incorrectly parsed as a license.
|
||||
(Eclipse Public License v2.0) JUnit Jupiter (Aggregator) (org.junit.jupiter:junit-jupiter:5.9.1 - https://junit.org/junit5/)
|
||||
# https://www.jcp.org/en/jsr/detail?id=374 specifies this as an OR relationship between possible licenses, of which CDDL is compatible
|
||||
(Dual license consisting of the CDDL v1.1 and GPL v2) JSR 353 (JSON Processing) Default Provider (org.glassfish:javax.json:1.0.4 - http://jsonp.java.net)
|
||||
# javax.xml.bind is incorrectly interpreted as a license name.
|
||||
(The Apache Software License, Version 2.0) Jackson module: Old JAXB Annotations (javax.xml.bind) (com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.15.2 - https://github.com/FasterXML/jackson-modules-base)
|
||||
# full is incorrectly interpreted as a license name
|
||||
(Apache License, Version 2.0) Apache POI - OOXML schemas (full) (org.apache.poi:poi-ooxml-full:5.2.1 - https://poi.apache.org/)
|
||||
# Actually a BSD license https://mvnrepository.com/artifact/org.antlr/ST4/4.1
|
||||
(Unknown license) StringTemplate 4 (org.antlr:ST4:4.1 - http://nexus.sonatype.org/oss-repository-hosting.html/ST4)
|
||||
# without dependencies is incorrectly intepreted as a license name
|
||||
(Apache License, Version 2.0) Byte Buddy (without dependencies) (net.bytebuddy:byte-buddy:1.12.14 - https://bytebuddy.net/byte-buddy)
|
|
@ -6,6 +6,7 @@ The Apache Software License, Version 2.0
|
|||
MIT License
|
||||
The MIT License
|
||||
Apache Software License, version 1.1
|
||||
Apache-2.0
|
||||
Apache 2
|
||||
Apache 2.0
|
||||
Apache License 2.0
|
||||
|
@ -17,9 +18,15 @@ BSD License 3
|
|||
New BSD License
|
||||
BSD 3 Clause
|
||||
The JSON License
|
||||
Eclipse Public License 1.0
|
||||
Eclipse Public License - v 1.0
|
||||
Eclipse Public License v. 2.0
|
||||
Eclipse Distribution License v. 1.0
|
||||
Eclipse Distribution License - v 1.0
|
||||
EDL 1.0
|
||||
Unicode/ICU License
|
||||
BSD 2-Clause License
|
||||
LGPL 2.1
|
||||
GNU Lesser General Public License
|
||||
MPL 1.1
|
||||
Mozilla Public License Version 2.0
|
||||
|
|
Loading…
Reference in New Issue