cashapp / licensee

Gradle plugin which validates the licenses of your dependency graph match what you expect
https://cashapp.github.io/licensee/docs/1.x/
Apache License 2.0

Parent pom licenses incorrectly merged with local ones instead of being overridden #87

Closed hfhbd closed 2 years ago

hfhbd commented 2 years ago

I use org.ow2.asm:asm-util:9.3, which is licensed under BSD-3-Clause: https://asm.ow2.io/license.html

The POM file https://repo.maven.apache.org/maven2/org/ow2/asm/asm-util/9.3/asm-util-9.3.pom and the Gradle file use this name: https://gitlab.ow2.org/asm/asm/-/blob/master/build.gradle#L384

But licensee finds the Apache-2.0 license:

org.ow2.asm:asm-util:9.3
 - ERROR: SPDX identifier 'Apache-2.0' is NOT allowed
 - ERROR: Unknown license URL 'https://asm.ow2.io/license.html' is NOT allowed

Repro:

plugins {
    kotlin("jvm") version "1.6.21"
    id("app.cash.licensee") version "1.3.1"
}

repositories {
    mavenCentral()
}

dependencies {
    // https://repo.maven.apache.org/maven2/org/ow2/asm/asm-util/9.3/asm-util-9.3.pom
    // Running the licensee task against this dependency reports:
    //   org.ow2.asm:asm-util:9.3
    //   - ERROR: SPDX identifier 'Apache-2.0' is NOT allowed
    //   - ERROR: Unknown license URL 'https://asm.ow2.io/license.html' is NOT allowed
    // but the artifact is actually BSD-3-Clause.
    implementation("org.ow2.asm:asm-util:9.3")
}

fo.zip

JakeWharton commented 2 years ago

This is because the parent pom has Apache 2 and it seems like we're merging the licenses rather than applying inheritance (i.e., overriding). Should be an easy fix to only take the parent pom's licenses if the current one's are empty.
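The override-versus-merge distinction described above, as an added Python example (not licensee's own code): two constructed POM fragments with placeholder coordinates, a resolver that can run either way, and the allow-list check that turns the merged result into the spurious Apache-2.0 error from the report.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed stand-ins (not the real ow2 files): the parent declares Apache-2.0,
# the child declares BSD-3-Clause, and a bare child declares nothing at all.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>example</groupId><artifactId>example-parent</artifactId><version>1</version>
  <licenses><license><name>Apache-2.0</name>
    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url></license></licenses>
</project>"""
CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>example</groupId><artifactId>example-parent</artifactId>
    <version>1</version></parent>
  <artifactId>asm-util</artifactId><version>9.3</version>
  <licenses><license><name>BSD-3-Clause</name>
    <url>https://asm.ow2.io/license.html</url></license></licenses>
</project>"""
BARE_CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>example</groupId><artifactId>example-parent</artifactId>
    <version>1</version></parent>
  <artifactId>bare</artifactId><version>1</version>
</project>"""


def declared_licenses(pom_xml):
    """Return [(name, url), ...] declared directly in this POM, no inheritance."""
    root = ET.fromstring(pom_xml)
    return [
        (lic.findtext("m:name", default="", namespaces=NS).strip(),
         lic.findtext("m:url", default="", namespaces=NS).strip())
        for lic in root.findall("m:licenses/m:license", NS)
    ]


def resolve_licenses(chain, merge_parents=False):
    """chain is [child_pom, parent_pom, ...], nearest first.

    merge_parents=True reproduces the bug: every ancestor's licenses are unioned in.
    merge_parents=False applies Maven inheritance: the nearest POM that declares
    any <licenses> wins outright and ancestors are consulted only when it has none.
    """
    resolved = []
    for pom in chain:
        own = declared_licenses(pom)
        if merge_parents:
            resolved.extend(lic for lic in own if lic not in resolved)
        elif own:
            return own
    return resolved


def violations(licenses, allowed_spdx):
    """One error per license id outside the allow-list, in licensee's wording."""
    return [f"SPDX identifier '{n}' is NOT allowed" for n, _ in licenses if n not in allowed_spdx]
```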