cashapp / licensee

Gradle plugin which validates the licenses of your dependency graph match what you expect
https://cashapp.github.io/licensee/docs/1.x/
Apache License 2.0

Adding SPDX identifier for custom url #43

Open ILikeYourHat opened 3 years ago

ILikeYourHat commented 3 years ago

Can you provide a way to map a custom license URL to an SPDX identifier?

For example, one of our dependencies has this license URL: https://opensource.org/licenses/mit-license. It's pretty obvious that this dependency has the MIT license, but there is no way to pass this knowledge to the plugin. Something like:

licensee {
   assumeLicense('https://opensource.org/licenses/mit-license', 'MIT')
}

would be very helpful 🙂

JakeWharton commented 3 years ago

You can send a PR to add the link to the fallback list: https://github.com/cashapp/licensee/blob/41fd142921ef052df7cce5830f59df5f58a97634/src/main/kotlin/app/cash/licensee/licenses.kt#L61-L70

At present I do not plan on exposing the ability to change this list dynamically since ideally we are trending towards adhering to the URLs in the SPDX specification, or perhaps we should implore SPDX to allow multiple canonical URLs for a license.

ILikeYourHat commented 3 years ago

This link is just an example; in my app I have 15+ different links like those, some pointing to a license file on the library author's site. Adding them all to the fallback list probably isn't what you mean. And suppressing stuff because "I've checked and that's MIT" doesn't scale very well on the library side.

Don't get me wrong, this is a great library. But I thought it would be an alternative to the OSS Licenses Gradle Plugin. Right now it does the validation very well, but not the licenses screen part :(

JakeWharton commented 3 years ago

The plugin outputs a JSON file that you can use to power a license screen in your web, desktop, or mobile application.

If they are relatively standard URLs the fallback list is where they should go. Otherwise you should encourage the libraries to migrate or simply allow the URL rather than the SPDX identifier it represents.

hfhbd commented 2 years ago

Changing the pom files of the libraries is only possible if it is merged, the library is updated regularly and you can use this new version. This is not always the case, or possible. My use case is reporting. We are uploading and aggregating the json files for legal and compliance reasons, so setting the spdx id in Gradle would be very nice, otherwise you get an unknown license error and you need to fix it in the upload tool, which is annoying and a manual step, required for each dependency and version bump.
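The workaround the thread converges on has two halves: at validation time the build can accept a non-canonical URL with the plugin's allowUrl setting, and at reporting time the aggregated JSON still carries that license as "unknown" unless something rewrites it. The script below is an added example of that second half, not code from the licensee project: it post-processes a report with an explicit URL-to-SPDX map, moves only exact (normalized) matches into the SPDX list, and leaves everything else unknown so a reviewer still sees it. The field names (groupId, artifactId, version, spdxLicenses, unknownLicenses, identifier, name, url) follow my reading of licensee's artifacts.json and should be checked against the file your build produces; the sample report and the URL map are constructed for the example.

```python
"""Rewrite custom license URLs in a licensee-style artifacts.json to SPDX identifiers.

Added example, not part of the licensee project. The JSON layout below (a list of
artifacts, each with "spdxLicenses" and "unknownLicenses") is an assumption about
licensee's report format; verify it against your own build output.
"""
import json

# Hypothetical mapping from non-canonical license URLs to SPDX identifiers.
# Keys are normalized at import time, so http/https and trailing-slash variants match.
URL_TO_SPDX = {
    "https://opensource.org/licenses/mit-license": "MIT",
    "https://opensource.org/licenses/mit-license.php": "MIT",
    "http://www.apache.org/licenses/LICENSE-2.0.txt": "Apache-2.0",
}

# Display names for the identifiers we emit (constructed for the example).
SPDX_NAMES = {
    "MIT": "MIT License",
    "Apache-2.0": "Apache License 2.0",
}


def normalize_url(url: str) -> str:
    """Collapse trivial variants: case, trailing slash, http vs https."""
    url = url.strip().lower().rstrip("/")
    if url.startswith("http://"):
        url = "https://" + url[len("http://"):]
    return url


NORMALIZED_MAP = {normalize_url(k): v for k, v in URL_TO_SPDX.items()}


def resolve_unknown_licenses(artifact: dict) -> dict:
    """Return a copy of one artifact with mappable unknown licenses moved to spdxLicenses.

    Unmapped URLs stay in unknownLicenses on purpose: silently dropping them would
    hide exactly the dependencies a compliance reviewer needs to look at.
    """
    out = dict(artifact)
    spdx = list(artifact.get("spdxLicenses", []))
    still_unknown = []
    for lic in artifact.get("unknownLicenses", []):
        ident = NORMALIZED_MAP.get(normalize_url(lic.get("url", "")))
        if ident is None:
            still_unknown.append(lic)
            continue
        # Deduplicate: the POM may list the same license under two URLs.
        if not any(s.get("identifier") == ident for s in spdx):
            spdx.append({"identifier": ident, "name": SPDX_NAMES.get(ident, ident), "url": lic["url"]})
    out["spdxLicenses"] = spdx
    out["unknownLicenses"] = still_unknown
    return out


def resolve_report(report_json: str) -> list:
    """Apply the mapping to every artifact in a serialized report."""
    return [resolve_unknown_licenses(a) for a in json.loads(report_json)]


def unresolved(artifacts: list) -> list:
    """Coordinates that still carry an unknown license; a CI job can fail on a non-empty list."""
    return [f'{a["groupId"]}:{a["artifactId"]}:{a["version"]}' for a in artifacts if a["unknownLicenses"]]


# Constructed sample report in the assumed layout; not real plugin output.
SAMPLE_REPORT = json.dumps([
    {"groupId": "com.example", "artifactId": "mit-lib", "version": "1.0",
     "spdxLicenses": [],
     "unknownLicenses": [{"name": "MIT License", "url": "https://opensource.org/licenses/mit-license"}]},
    {"groupId": "com.example", "artifactId": "apache-lib", "version": "3.1",
     "spdxLicenses": [{"identifier": "Apache-2.0", "name": "Apache License 2.0",
                       "url": "https://www.apache.org/licenses/LICENSE-2.0"}],
     "unknownLicenses": [{"name": "Apache 2.0", "url": "http://www.apache.org/licenses/LICENSE-2.0.txt"}]},
    {"groupId": "com.example", "artifactId": "weird-lib", "version": "2.0",
     "spdxLicenses": [],
     "unknownLicenses": [{"name": "Custom", "url": "https://example.com/LICENSE"}]},
])

if __name__ == "__main__":
    resolved = resolve_report(SAMPLE_REPORT)
    print(json.dumps(resolved, indent=2))
    print("still unknown:", unresolved(resolved))
```

Run it against the real report by replacing SAMPLE_REPORT with the contents of the artifacts.json your build writes; keep the URL map under version control next to the build so that every mapping is a reviewable decision rather than a one-off fix in the upload tool.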

hfhbd commented 1 year ago

@JakeWharton Do you accept a PR or are you still not convinced?

JakeWharton commented 1 year ago

Wanting to map custom URLs to existing IDs for the purpose of the JSON is pretty compelling.