Add license check

[DreierF]

Hi @vlsi,
I would like to have the possibility to specify a set of licenses that I want to allow for the project and a task that checks whether only matching licenses are found. This would allow to detect early when a dependency with an incompatible license is introduced. As the GatherLicenseTask already does the hard work of collecting that information this should not be very complicated to add I guess.
The API could look similar to https://github.com/cashapp/licensee#allow.
(Your plugin is way better in determining the correct SPDX identifier and allows overriding in contrast to licensee)

What do you think?
Would you accept a PR adding this feature?

[vlsi]

Hi,

I think it makes sense. Historically, the only license classification I saw was https://www.apache.org/legal/resolved.html (which was basically the only motivation for the plugin itself).

So I have

vlsi-release-plugins/plugins/stage-vote-release-plugin/src/main/kotlin/com/github/vlsi/gradle/release/Apache2LicenseRenderer.kt

Lines 173 to 186 in acaadb5

	val licenseInterpreter = Apache2LicenseInterpreter()
	licenseInterpreter.licenseCategory.putAll(licenseCategory.get())
	dependencies
	.map {
	it.key to it.value.license
	}
	.groupByTo(TreeMap()) { (_, license) ->
	licenseInterpreter.eval(license)
	}
	.filterKeys { it !in allowedTypes }
	.forEach { (category, dependencies) ->
	val header =
	"Dependencies of license category $category are not allowed for $artifactType artifacts"

and https://github.com/vlsi/vlsi-release-plugins/blob/acaadb520a8ca9bc8e06403de97f8798c008a977/plugins/stage-vote-release-plugin/src/main/kotlin/com/github/vlsi/gradle/release/Apache2LicenseInterpreter.kt

Splitting "verify license" from Apache2LicenseRenderer into a separate task sounds like the right thing to do.

[vlsi]

Do you think you could prepare a PR for a "check license compatibility" or "verify license compatibility" (I'm not sure regarding the naming) task in license-gather-plugin?

[DreierF]

Thanks for the quick response!
I tried to dig into it, but I have to admit I didn't understand yet how all the pieces fit together and won't have the time in the near future to continue working on it.

[vlsi]

By the way, do you have a use-case (a github project?) for this "license check"?

[DreierF]

I have a use-case, but the project I'm working on is not open source unfortunately.

[vlsi]

I see. Do you have a reference for the known compatible licenses? Are you going to add "allowed" licenses one by one?

For instance, the ASF has three license categories: A (allowed in source form), B (allowed only in binary artifacts), and X (forbidden everywhere).

So one of the configurations could be:

val gatherLicenes by tasks.registering(GatherLicenseTask::class) {
    configuration(configurations.runtimeClasspath)
    // configure license overrides, etc
}

val verifyLicenseCompatibility by tasks.register(VerifyLicenseCompatibilityTask::class) {
    metadata.set(gatherLicenes) // <-- "metadata" could probably have a better naming
    allow(AsfLicenseCategory.A)
}

[DreierF]

Allowing whole categories would be a nice usability helper, but in the general case I think we would also need the ability to allow licenses one by one as well as custom named licenses (e.g. jgit which is detected as Eclipse Distribution License (New BSD License))

[vlsi]

I think behind the lines of VerifyLicenseCompatibilityTask below, so adding "non-standard" would be like

allow(
    SimpleLicense(
        "Java HTML Tidy License",
        uri("http://jtidy.svn.sourceforge.net/viewvc/jtidy/trunk/jtidy/LICENSE.txt?revision=95")
    )
)

class VerifyLicenseCompatibilityTask : DefaultTask() {
    /**
     * This is a file collected by [GatherLicenseTask].
     */
    @InputFiles
    val metadata = objectFactory.fileCollection()

    @Input
    val acceptableLicenses = objectFactory.setProperty<LicenseExpression>()

    /**
     * Outputs `OK` when verification is successful.
     */
    @OutputFile
    val resultFile = objectFactory.fileProperty()

    fun allow(license: License) {
        acceptableLicenses.add(license.asExpression())
    }

    fun allow(license: Set<License>) { // or vararg?
        acceptableLicenses.add(license.asExpression())
    }

    fun allow(licenseExpression: LicenseExpression) {
        acceptableLicenses.add(licenseExpression)
    }

    fun allow(licenseExpression: Set<LicenseExpression>) { // or vararg?
        acceptableLicenses.add(licenseExpression)
    }
...

[DreierF]

Sounds good 🙂
Thank you very much for pushing that idea forward!