codepunkt / webpack-license-plugin

Manage third-party license compliance in your webpack build
MIT License

Handle custom license with no valid SPDX identifier #460

Closed pathmapper closed 3 years ago

pathmapper commented 3 years ago

According to https://github.com/codepunkt/webpack-license-plugin/issues/443#issuecomment-742060966

As of now, this plugin requires valid SPDX identifiers in the license field and checks for the license text in a licen[cs]e file.

There are use cases where there are no valid SPDX identifiers in package.json but something like SEE LICENSE IN LICENSE.txt.

Here is an example (which was also valid before the recent license change when BSD-3-Clause used to be the license):

https://github.com/mapbox/mapbox-gl-js/blob/20b953937ac54e3743aed06066b0bbe0092f5c9a/package.json#L7

What about a licenseOverrides option:

"license": "see licenseText"

which takes the license text of a licen[cs]e file for licenseText?

codepunkt commented 3 years ago

You need to differentiate between the license text and the license identifier. This plugin aims to get both:

The text in the LICENSE.txt file from that repository should be found - however, SEE LICENSE IN LICENSE.txt is not a valid identifier and it is hard if not impossible to parse the identifier from arbitrary licen[cs]e files. So this plugin will error, and you need to decide how you deal with your mapbox-gl-js dependency in terms of license compliance. Typically, you would let your legal team check the license and if it's allowed, just licenseOverride it so the plugin doesn't error.

pathmapper commented 3 years ago

just licenseOverride it so the plugin doesn't error.

But if it's a custom license I'm fine with using it (and there is no valid SPDX identifier available), there is currently nothing I could use for licenseOverride to make the plugin happy so it will not error, right?

So what would help in this case would be one specific placeholder like see licenseText which could be used instead of a valid SPDX identifier for licenseOverride and which would be accepted by the plugin so it won't error.

Sorry if it wasn't clear.

codepunkt commented 3 years ago

Ohh, so the things you pass to licenseOverride are also checked for being valid SPDX identifiers? I could see how that would be a problem 😁

pathmapper commented 3 years ago

Yes, exactly, this is currently the case :-)

codepunkt commented 3 years ago

Will hopefully get to this early next year. Feel free to open a pull request changing this.

Edit: Early march, still haven't found the time. Help is welcome!

codepunkt commented 3 years ago

I finally had some time to reflect about this.

mapbox-gl-js license is problematic, because

With default settings, this will throw an Error. You can use the licenseOverrides option to define a different license than the one listed in package.json to prevent this error if you override with a valid SPDX license. The LICENSE.TXT shows that mapbox-gl-js is not licensed under a valid SPDX license. If you use some variation of the custom license name as a string in the licenseOverrides option, the plugin will error because it expects valid SPDX license identifiers.

One solution to this problem might be to exclude the check for valid SPDX identifiers for licenses overridden with licenseOverrides. This would, however, allow mistakenly wrong entries in licenseOverrides that are supposed to replace with a valid SPDX identifier, but have typos or other mistakes in them, which is why I decided not to do this.

What you can do as a user of mapbox-gl-js is to exclude the package from license checks altogether using the excludedPackageTest option and combine the output of this plugin with an additional entry for mapbox-gl-js like this:

new LicensePlugin({
  excludedPackageTest: name => name === 'mapbox-gl-js',
  additionalFiles: {
     'with-mapbox.json': packages => [...packages, {
        name: 'mapbox-gl-js',
        version: '1.13.1',
        repository: 'https://github.com/mapbox/mapbox-gl-js',
        license: "Mapbox license",
        licenseText: 'content of LICENSE.txt in mapbox-gl-js root directory'
     }]
  }
})

This code is not tested, but it should work like this. To be honest, I'm not sure what happens when you take the default filename "oss-licenses.json" as additionalFiles key. It might throw an error, it might just write a single file, which would probably be what you want.

@pathmapper Does this help?

codepunkt commented 3 years ago

Closed due to inactivity, possible solution provided in comment.

pathmapper commented 3 years ago

@codepunkt sorry for not getting back to you earlier, thanks a lot for your thoughts.

Adding JSON.stringify to your suggestion and using "oss-licenses.json" as additionalFiles key, the following worked for me (resulting in a single file which is exactly what I want 😄 ):

additionalFiles: {
   'oss-licenses.json': packages => JSON.stringify([...packages, {
      'name': 'mapbox-gl-js',
      'version': '1.13.1',
      'repository': 'https://github.com/mapbox/mapbox-gl-js',
      'license': "Mapbox license",
      'licenseText': 'content of LICENSE.txt in mapbox-gl-js root directory'
   }], null, 2)
}