search

cashapp / licensee

Gradle plugin which validates the licenses of your dependency graph match what you expect
https://cashapp.github.io/licensee/docs/1.x/
Apache License 2.0
626 stars 29 forks source link

Kotlin Native without dependencies: Stdlib not found #109

Closed hfhbd closed 2 years ago

hfhbd commented 2 years ago

I know this is a very very rare case, so feel free to close it if you don't see a useful use-case.

plugins {
    kotlin("multiplatform") version "1.7.10"
    id("app.cash.licensee") version "1.5.0"
}

repositories {
    mavenCentral()
}

kotlin {
    linuxX64()
    macosArm64()
}

licensee {
    allow("Apache-2.0")
}

The artifact.json file is empty, so the licensee task succeeds:

[
]

But the default std lib is missing, so the warning Allowed SPDX identifier 'Apache-2.0' is unused is printed. Using the jvm works as expected: 

[
    {
        "groupId": "org.jetbrains",
        "artifactId": "annotations",
        "version": "13.0",
        "name": "IntelliJ IDEA Annotations",
        "spdxLicenses": [
            {
                "identifier": "Apache-2.0",
                "name": "Apache License 2.0",
                "url": "https://www.apache.org/licenses/LICENSE-2.0"
            }
        ],
        "scm": {
            "url": "https://github.com/JetBrains/intellij-community"
        }
    },
    {
        "groupId": "org.jetbrains.kotlin",
        "artifactId": "kotlin-stdlib",
        "version": "1.7.10",
        "name": "Kotlin Stdlib",
        "spdxLicenses": [
            {
                "identifier": "Apache-2.0",
                "name": "Apache License 2.0",
                "url": "https://www.apache.org/licenses/LICENSE-2.0"
            }
        ],
        "scm": {
            "url": "https://github.com/JetBrains/kotlin"
        }
    },
    {
        "groupId": "org.jetbrains.kotlin",
        "artifactId": "kotlin-stdlib-common",
        "version": "1.7.10",
        "name": "Kotlin Stdlib Common",
        "spdxLicenses": [
            {
                "identifier": "Apache-2.0",
                "name": "Apache License 2.0",
                "url": "https://www.apache.org/licenses/LICENSE-2.0"
            }
        ],
        "scm": {
            "url": "https://github.com/JetBrains/kotlin"
        }
    },
    {
        "groupId": "org.jetbrains.kotlin",
        "artifactId": "kotlin-stdlib-jdk7",
        "version": "1.7.10",
        "name": "Kotlin Stdlib Jdk7",
        "spdxLicenses": [
            {
                "identifier": "Apache-2.0",
                "name": "Apache License 2.0",
                "url": "https://www.apache.org/licenses/LICENSE-2.0"
            }
        ],
        "scm": {
            "url": "https://github.com/JetBrains/kotlin"
        }
    },
    {
        "groupId": "org.jetbrains.kotlin",
        "artifactId": "kotlin-stdlib-jdk8",
        "version": "1.7.10",
        "name": "Kotlin Stdlib Jdk8",
        "spdxLicenses": [
            {
                "identifier": "Apache-2.0",
                "name": "Apache License 2.0",
                "url": "https://www.apache.org/licenses/LICENSE-2.0"
            }
        ],
        "scm": {
            "url": "https://github.com/JetBrains/kotlin"
        }
    }
]
org.jetbrains:annotations:13.0
 - SPDX identifier 'Apache-2.0' allowed
org.jetbrains.kotlin:kotlin-stdlib:1.7.10
 - SPDX identifier 'Apache-2.0' allowed
org.jetbrains.kotlin:kotlin-stdlib-common:1.7.10
 - SPDX identifier 'Apache-2.0' allowed
org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.7.10
 - SPDX identifier 'Apache-2.0' allowed
org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.7.10
 - SPDX identifier 'Apache-2.0' allowed
JakeWharton commented 2 years ago

This is working as expected, although it's not very intuitive. There are no published artifacts for the Kotlin stdlib for native targets (see https://search.maven.org/search?q=g:org.jetbrains.kotlin%20kotlin-stdlib). Instead, the Kotlin/Native compiler is responsible for injecting the stdlib directly. You could file a feature request on Kotlin for publishing empty artifacts so that tools like this one and others which validate aspects of the dependency graph still mostly work, but I don't want to specifically special-case this setup.

hfhbd commented 2 years ago

Thanks for the explanation. I don't expect a special handling in this tool but would like to see uploaded empty artifacts to have the possibility to analyze the dependencies for Kotlin native too, with other tools too. https://youtrack.jetbrains.com/issue/KT-53185/Kotlin-Native-Publish-empty-artifacts-and-pom-information