cashapp / licensee

Gradle plugin which validates the licenses of your dependency graph match what you expect
https://cashapp.github.io/licensee/docs/1.x/
Apache License 2.0

false positive report with 1.11.0 `Unknown license URL` #364

Closed StefMa closed 1 month ago

StefMa commented 1 month ago

Hey there,

starting with 1.11.0 we get a false positive report with the following error message:

com.ioki.textref:textref:3.0.0
 - ERROR: Unknown license URL 'https://opensource.org/licenses/MIT' is NOT allowed

When checking the output artifacts.json in <= 1.10 I see:

    {
        "groupId": "com.ioki.textref",
        "artifactId": "textref",
        "version": "3.0.0",
        "name": "TextRef",
        "spdxLicenses": [
            {
                "identifier": "MIT",
                "name": "MIT License",
                "url": "https://opensource.org/licenses/MIT"
            }
        ],
        "scm": {
            "url": "https://github.com/ioki-mobility/TextRef"
        }
    },

while on 1.11.0 I get:

    {
        "groupId": "com.ioki.textref",
        "artifactId": "textref",
        "version": "3.0.0",
        "name": "TextRef",
        "unknownLicenses": [
            {
                "name": "MIT",
                "url": "https://opensource.org/licenses/MIT"
            }
        ],
        "scm": {
            "url": "https://github.com/ioki-mobility/TextRef"
        }
    },

MIT is a valid identifier according to https://spdx.org/licenses/. The POM for that artifact also looks fine to me: https://repo1.maven.org/maven2/com/ioki/textref/textref/3.0.0/textref-3.0.0.pom

I haven't spotted anything that causes this in this diff https://github.com/cashapp/licensee/compare/1.10.0...1.11.0 🤷

Any help would be appreciated 😇

StefMa commented 1 month ago

I guess I found the problem. The license.json file has different "seeAlso" URLs. 1.10.0 (as commit because it renders better in GH):

https://github.com/cashapp/licensee/blob/94543d724e4b3c0eafe1a25b0082d76d055b2049/src/main/resources/app/cash/licensee/licenses.json#L4296

vs

1.11.0:

https://github.com/cashapp/licensee/blob/edcfed5b81a95f453a0cb5d55d8b807ea15b107b/src/main/resources/app/cash/licensee/licenses.json#L4555

So the URL https://opensource.org/licenses/MIT is not caught as a valid MIT license anymore 😳

Is that intended behavior? 🤔 Given that it is defined as a fallbackUrl? 🤔 https://github.com/cashapp/licensee/blob/061ed1983e15046d154bd3d6f0b42072d4fe9285/gradle/build-logic/src/main/kotlin/app/cash/licensee/defaultFallbackUrls.kt#L44-L53

(PR that might be related to this)

StefMa commented 1 month ago

Alright. This is fixed in trunk already. The problem is that in 1.11.0 that URL changed in the licenses.json but was not added to the fallbackUrls.

In trunk the old valid URL "https://opensource.org/licenses/MIT" is added to the fallbackUrls.

With that said, 1.11.0 is broken because of this; all other versions are working fine 🙃

Going to close this, but would wish for a new release because of this 🙈 😁
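As an added illustration (not licensee's own code), the following simplified Python model shows the lookup the comment above describes: a POM license URL is first matched against the SPDX `seeAlso` URLs from licenses.json and then against the fallbackUrls table, so a URL that drops out of `seeAlso` without being added to the fallbacks ends up in `unknownLicenses`. The license data, the changed 1.11.0 URL and the fallback tables are constructed placeholders, not copies of licensee's files.

```python
# Added example, not licensee's code: a simplified model of how a POM license
# URL is resolved to an SPDX identifier via seeAlso URLs plus a fallback table.
# All data below is constructed for illustration, not taken from licenses.json.

# Constructed excerpt of licenses.json as shipped in 1.10.0.
LICENSES_1_10 = {
    "MIT": {"name": "MIT License", "seeAlso": ["https://opensource.org/licenses/MIT"]},
}
# Constructed excerpt as in 1.11.0: the seeAlso URL changed (placeholder value).
LICENSES_1_11 = {
    "MIT": {"name": "MIT License", "seeAlso": ["https://opensource.org/license/mit/"]},
}
# Constructed fallback tables: 1.11.0 lacked the old URL, the fix adds it back.
FALLBACK_1_11 = {}
FALLBACK_1_12 = {"https://opensource.org/licenses/MIT": "MIT"}

# The <license> element from the textref POM, as reported in this issue.
TEXTREF_LICENSE = {"name": "MIT", "url": "https://opensource.org/licenses/MIT"}


def resolve_license(pom_license, licenses, fallback_urls):
    """Return the artifacts.json fragment produced for one POM <license> entry."""
    url = pom_license["url"]
    # 1. Exact match against any SPDX seeAlso URL -> spdxLicenses entry.
    for spdx_id, entry in licenses.items():
        if url in entry["seeAlso"]:
            return {"spdxLicenses": [{"identifier": spdx_id, "name": entry["name"], "url": url}]}
    # 2. Otherwise consult the fallback URL table, which maps known URLs to an SPDX id.
    spdx_id = fallback_urls.get(url)
    if spdx_id is not None and spdx_id in licenses:
        return {"spdxLicenses": [{"identifier": spdx_id, "name": licenses[spdx_id]["name"], "url": url}]}
    # 3. Nothing matched: the license is reported as unknown and fails validation.
    return {"unknownLicenses": [{"name": pom_license["name"], "url": url}]}


def is_unknown(report):
    """True when the resolver could not map the license to an SPDX identifier."""
    return "unknownLicenses" in report


if __name__ == "__main__":
    for label, licenses, fallback in (
        ("1.10.0", LICENSES_1_10, FALLBACK_1_11),
        ("1.11.0", LICENSES_1_11, FALLBACK_1_11),
        ("1.12.0", LICENSES_1_11, FALLBACK_1_12),
    ):
        report = resolve_license(TEXTREF_LICENSE, licenses, fallback)
        print(label, "UNKNOWN" if is_unknown(report) else "ok", report)
```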

JakeWharton commented 1 month ago

Released 1.12 with the fix.