implement 'LicenseChecker' config option to change how dependency licenses are matched against allowedLicenses

balrok · balrok · commit cb795e2288e8 · 2024-05-17T23:31:33.000+02:00
The default behavior is that a dependency is fine when any of its licenses are found inside allowedLicenses. This may miss dependencies, which contain multiple licenses. When 'AllRequiredLicenseChecker' is set, it will only approve a dependency when all of its discovered licenses are found in the allowedLicenses. This may report false-positives for dependencies which are dual-licensed. But in general I think a false-positive is better than missing a license violation. This fixes jk1#285
diff --git a/README.md b/README.md
@@ -85,6 +85,11 @@ licenseReport {
     // This is for the allowed-licenses-file in checkLicense Task
     // Accepts File, URL or String path to local or remote file
     allowedLicensesFile = new File("$projectDir/config/allowed-licenses.json")
+
+    // (default) OneRequiredLicenseChecker: a dependency is good, if any of its licenses are matched with allowedLicenses
+    // AllRequiredLicenseChecker: a dependency is good, if all of its (non-null) licenses are matched with allowedLicenses
+    // any class implementing LicenseChecker can be provided here
+    licenseChecker = new com.github.jk1.license.check.OneRequiredLicenseChecker()
 }
 ```
 
diff --git a/src/main/groovy/com/github/jk1/license/LicenseReportExtension.groovy b/src/main/groovy/com/github/jk1/license/LicenseReportExtension.groovy
@@ -15,6 +15,8 @@
  */
 package com.github.jk1.license
 
+import com.github.jk1.license.check.LicenseChecker
+import com.github.jk1.license.check.OneRequiredLicenseChecker
 import com.github.jk1.license.filter.DependencyFilter
 import com.github.jk1.license.importer.DependencyDataImporter
 import com.github.jk1.license.render.ReportRenderer
@@ -41,6 +43,7 @@ class LicenseReportExtension {
     public String[] excludeGroups
     public String[] excludes
     public Object allowedLicensesFile
+    public LicenseChecker licenseChecker
 
     LicenseReportExtension(Project project) {
         unionParentPomLicenses = true
@@ -55,6 +58,7 @@ class LicenseReportExtension {
         excludes = []
         importers = []
         filters = []
+        licenseChecker = new OneRequiredLicenseChecker()
     }
 
     @Nested
@@ -104,6 +108,8 @@ class LicenseReportExtension {
         snapshot += excludes
         snapshot << 'unionParentPomLicenses'
         snapshot += unionParentPomLicenses
+        snapshot << "licenseChecker"
+        snapshot += licenseChecker.class.name
         snapshot.join("!")
     }
 
diff --git a/src/main/groovy/com/github/jk1/license/check/AllRequiredLicenseChecker.groovy b/src/main/groovy/com/github/jk1/license/check/AllRequiredLicenseChecker.groovy
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2018 Evgeny Naumenko <jk.vc@mail.ru>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.github.jk1.license.check
+
+/**
+ * All licenses of a dependency must be found inside allowedLicenses to pass.
+ */
+class AllRequiredLicenseChecker implements LicenseChecker {
+    @Override
+    List<Tuple2<Dependency, List<ModuleLicense>>> checkAllDependencyLicensesAreAllowed(List<AllowedLicense> allowedLicenses, List<Dependency> allDependencies) {
+        removeNullLicenses(allDependencies)
+        List<Tuple2<Dependency, List<ModuleLicense>>> result = new ArrayList<>()
+        for (Dependency dependency : (allDependencies)) {
+            List<AllowedLicense> perDependencyAllowedLicenses = allowedLicenses.findAll { isDependencyNameMatchesAllowedLicense(dependency, it) && isDependencyVersionMatchesAllowedLicense(dependency, it) }
+            // allowedLicense matches anything, so we don't need to further check
+            if (perDependencyAllowedLicenses.any { it.moduleLicense == null || it.moduleLicense == ".*" }) {
+                continue
+            }
+            List<ModuleLicense> notAllowedLicenses = dependency.moduleLicenses.findAll { !isDependencyLicenseMatchesAllowedLicense(it, perDependencyAllowedLicenses) }
+            if (!notAllowedLicenses.isEmpty()) {
+                result.add(new Tuple2(dependency, notAllowedLicenses))
+            }
+        }
+        return result
+    }
+
+    private static boolean isDependencyNameMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
+        return dependency.moduleName ==~ allowedLicense.moduleName || allowedLicense.moduleName == null || dependency.moduleName == allowedLicense.moduleName
+    }
+
+    private static boolean isDependencyVersionMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
+        return dependency.moduleVersion ==~ allowedLicense.moduleVersion || allowedLicense.moduleVersion == null || dependency.moduleVersion == allowedLicense.moduleVersion
+    }
+
+    private static boolean isDependencyLicenseMatchesAllowedLicense(ModuleLicense moduleLicense, List<AllowedLicense> allowedLicenses) {
+        for (AllowedLicense allowedLicense : allowedLicenses) {
+            if (allowedLicense.moduleLicense == null || allowedLicense.moduleLicense == ".*") return true
+
+            if (moduleLicense.moduleLicense ==~ allowedLicense.moduleLicense || moduleLicense.moduleLicense == allowedLicense.moduleLicense) return true
+        }
+        return false
+    }
+
+    /**
+     * removes 'null'-licenses from dependencies which have at least one more license
+     */
+    private static void removeNullLicenses(List<Dependency> dependencies) {
+        for (Dependency dependency : dependencies) {
+            if (dependency.moduleLicenses.any { it.moduleLicense == null } && !dependency.moduleLicenses.every {
+                it.moduleLicense == null
+            }) {
+                dependency.moduleLicenses = dependency.moduleLicenses.findAll { it.moduleLicense != null }
+            }
+        }
+    }
+}
diff --git a/src/main/groovy/com/github/jk1/license/check/LicenseChecker.groovy b/src/main/groovy/com/github/jk1/license/check/LicenseChecker.groovy
@@ -18,70 +18,50 @@ package com.github.jk1.license.check
 import groovy.json.JsonOutput
 import org.gradle.api.GradleException
 
-class LicenseChecker {
+/**
+ * This class compares the found licences with the allowed licenses and creates a report for any missing license
+ */
+interface LicenseChecker {
+    List<Tuple2<Dependency, List<ModuleLicense>>> checkAllDependencyLicensesAreAllowed(
+            List<AllowedLicense> allowedLicenses,
+            List<Dependency> allDependencies)
 
-    void checkAllDependencyLicensesAreAllowed(
-        Object allowedLicensesFile, File projectLicensesDataFile, File notPassedDependenciesOutputFile) {
-        List<Dependency> allDependencies = LicenseCheckerFileReader.importDependencies(projectLicensesDataFile)
-        List<AllowedLicense> allowedLicenses = LicenseCheckerFileReader.importAllowedLicenses(allowedLicensesFile)
-        List<Dependency> notPassedDependencies = searchForNotAllowedDependencies(allDependencies, allowedLicenses)
-        generateNotPassedDependenciesFile(notPassedDependencies, notPassedDependenciesOutputFile)
+    default void checkAllDependencyLicensesAreAllowed(
+            Object allowedLicensesFile, File projectLicensesDataFile, File notPassedDependenciesOutputFile) {
+        def notPassedDependencies = checkAllDependencyLicensesAreAllowed(
+                parseAllowedLicenseFile(allowedLicensesFile), getProjectDependencies(projectLicensesDataFile))
 
+        generateNotPassedDependenciesFile(notPassedDependencies, notPassedDependenciesOutputFile)
         if (!notPassedDependencies.isEmpty()) {
-            throw new GradleException("Some library licenses are not allowed.\n" +
-                "Read [$notPassedDependenciesOutputFile.path] for more information.")
-        }
-    }
-
-    private List<Dependency> searchForNotAllowedDependencies(
-        List<Dependency> dependencies, List<AllowedLicense> allowedLicenses) {
-        return dependencies.findAll { !isDependencyHasAllowedLicense(it, allowedLicenses) }
-    }
-
-    private void generateNotPassedDependenciesFile(
-        List<Dependency> notPassedDependencies, File notPassedDependenciesOutputFile) {
-        notPassedDependenciesOutputFile.text =
-            JsonOutput.prettyPrint(JsonOutput.toJson(
-                ["dependenciesWithoutAllowedLicenses": notPassedDependencies.collect { toAllowedLicenseList(it) }.flatten()]))
-    }
-
-    private boolean isDependencyHasAllowedLicense(Dependency dependency, List<AllowedLicense> allowedLicenses) {
-        for(allowedLicense in allowedLicenses) {
-            if (isDependencyMatchesAllowedLicense(dependency, allowedLicense)) return true
+            throw new GradleException("Some library licenses are not allowed:\n" +
+                    "$notPassedDependenciesOutputFile.text\n\n" +
+                    "Read [$notPassedDependenciesOutputFile.path] for more information.")
         }
-        return false
-    }
-
-    private boolean isDependencyMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
-        return isDependencyNameMatchesAllowedLicense(dependency, allowedLicense) &&
-            isDependencyLicenseMatchesAllowedLicense(dependency, allowedLicense) &&
-            isDependencyVersionMatchesAllowedLicense(dependency, allowedLicense)
     }
 
-    private boolean isDependencyNameMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
-        return dependency.moduleName ==~ allowedLicense.moduleName || allowedLicense.moduleName == null ||
-            dependency.moduleName == allowedLicense.moduleName
+    default List<AllowedLicense> parseAllowedLicenseFile(File allowedLicenseFile) {
+        return LicenseCheckerFileReader.importAllowedLicenses(allowedLicenseFile)
     }
 
-    private boolean isDependencyVersionMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
-        return dependency.moduleVersion ==~ allowedLicense.moduleVersion || allowedLicense.moduleVersion == null ||
-            dependency.moduleVersion == allowedLicense.moduleVersion
+    default List<Dependency> getProjectDependencies(File depenenciesFile) {
+        return LicenseCheckerFileReader.importDependencies(depenenciesFile)
     }
 
-    private boolean isDependencyLicenseMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
-        if (allowedLicense.moduleLicense == null || allowedLicense.moduleLicense == ".*") return true
 
-        for (moduleLicenses in dependency.moduleLicenses)
-            if (moduleLicenses.moduleLicense ==~ allowedLicense.moduleLicense ||
-                moduleLicenses.moduleLicense == allowedLicense.moduleLicense) return true
-        return false
+    default void generateNotPassedDependenciesFile(List<Tuple2<Dependency, List<ModuleLicense>>> notPassedDependencies, File notPassedDependenciesOutputFile) {
+        notPassedDependenciesOutputFile.text = JsonOutput.prettyPrint(
+                JsonOutput.toJson([
+                        "dependenciesWithoutAllowedLicenses": notPassedDependencies.collect {
+                            toAllowedLicenseList(it.getV1(), it.getV2())
+                        }.flatten()
+                ]))
     }
 
-    private List<AllowedLicense> toAllowedLicenseList(Dependency dependency) {
-        if (dependency.moduleLicenses.isEmpty()) {
-            return [ new AllowedLicense(dependency.moduleName, dependency.moduleVersion, null) ]
+    default List<AllowedLicense> toAllowedLicenseList(Dependency dependency, List<ModuleLicense> moduleLicenses) {
+        if (moduleLicenses.isEmpty()) {
+            return [new AllowedLicense(dependency.moduleName, dependency.moduleVersion, null)]
         } else {
-            return dependency.moduleLicenses.collect { new AllowedLicense(dependency.moduleName, dependency.moduleVersion, it.moduleLicense) }
+            return moduleLicenses.findAll { it }.collect { new AllowedLicense(dependency.moduleName, dependency.moduleVersion, it.moduleLicense) }
         }
     }
 }
diff --git a/src/main/groovy/com/github/jk1/license/check/OneRequiredLicenseChecker.groovy b/src/main/groovy/com/github/jk1/license/check/OneRequiredLicenseChecker.groovy
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2018 Evgeny Naumenko <jk.vc@mail.ru>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.github.jk1.license.check
+
+/**
+ * A Dependency, which has at least one license inside allowedLicenses, will pass.
+ */
+class OneRequiredLicenseChecker implements LicenseChecker {
+
+    @Override
+    List<Tuple2<Dependency, List<ModuleLicense>>> checkAllDependencyLicensesAreAllowed(List<AllowedLicense> allowedLicenses, List<Dependency> allDependencies) {
+        List<Dependency> notPassedDependencies = allDependencies.findAll { !isDependencyHasAllowedLicense(it, allowedLicenses) }
+        return notPassedDependencies.collect { new Tuple2(it, it.moduleLicenses.isEmpty() ? null : it.moduleLicenses) }
+    }
+
+    private boolean isDependencyHasAllowedLicense(Dependency dependency, List<AllowedLicense> allowedLicenses) {
+        for (allowedLicense in allowedLicenses) {
+            if (isDependencyMatchesAllowedLicense(dependency, allowedLicense)) return true
+        }
+        return false
+    }
+
+    private boolean isDependencyMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
+        return isDependencyNameMatchesAllowedLicense(dependency, allowedLicense) &&
+                isDependencyLicenseMatchesAllowedLicense(dependency, allowedLicense) &&
+                isDependencyVersionMatchesAllowedLicense(dependency, allowedLicense)
+    }
+
+    private boolean isDependencyNameMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
+        return dependency.moduleName ==~ allowedLicense.moduleName || allowedLicense.moduleName == null ||
+                dependency.moduleName == allowedLicense.moduleName
+    }
+
+    private boolean isDependencyVersionMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
+        return dependency.moduleVersion ==~ allowedLicense.moduleVersion || allowedLicense.moduleVersion == null ||
+                dependency.moduleVersion == allowedLicense.moduleVersion
+    }
+
+    private boolean isDependencyLicenseMatchesAllowedLicense(Dependency dependency, AllowedLicense allowedLicense) {
+        if (allowedLicense.moduleLicense == null || allowedLicense.moduleLicense == ".*") return true
+
+        for (moduleLicenses in dependency.moduleLicenses)
+            if (moduleLicenses.moduleLicense ==~ allowedLicense.moduleLicense ||
+                    moduleLicenses.moduleLicense == allowedLicense.moduleLicense) return true
+        return false
+    }
+}
diff --git a/src/main/groovy/com/github/jk1/license/task/CheckLicenseTask.groovy b/src/main/groovy/com/github/jk1/license/task/CheckLicenseTask.groovy
@@ -53,6 +53,11 @@ class CheckLicenseTask extends DefaultTask {
         return new File("${config.absoluteOutputDir}/${PROJECT_JSON_FOR_LICENSE_CHECKING_FILE}")
     }
 
+    @Input
+    LicenseChecker getLicenseChecker() {
+        return config.licenseChecker
+    }
+
     @OutputFile
     File getNotPassedDependenciesFile() {
         new File("${config.absoluteOutputDir}/$NOT_PASSED_DEPENDENCIES_FILE")
@@ -61,9 +66,9 @@ class CheckLicenseTask extends DefaultTask {
     @TaskAction
     void checkLicense() {
         LOGGER.info("Startup CheckLicense for ${getProject().name}")
-        LicenseChecker licenseChecker = new LicenseChecker()
+        LicenseChecker licenseChecker = getLicenseChecker()
         LOGGER.info("Check licenses if they are allowed to use.")
         licenseChecker.checkAllDependencyLicensesAreAllowed(
-            getAllowedLicenseFile(), getProjectDependenciesData(), notPassedDependenciesFile)
+                getAllowedLicenseFile(), getProjectDependenciesData(), notPassedDependenciesFile)
     }
 }
diff --git a/src/test/groovy/com/github/jk1/license/check/LicenseCheckerSpec.groovy b/src/test/groovy/com/github/jk1/license/check/LicenseCheckerSpec.groovy
