eclipse-dash / dash-licenses

Extract license information from content.
http://projects.eclipse.org/projects/technology.dash
Eclipse Public License 2.0
48 stars 33 forks

gradle - {strict} marker #55

Open boaks opened 3 years ago

boaks commented 3 years ago

Using

./gradlew app:dependencies | grep -Poh "[^:\s]+:[^:]+:[^:\s]+" | sort | uniq

on a project I get:

com.android.support.constraint:constraint-layout:1.1.3
com.android.support.constraint:constraint-layout-solver:1.1.3
com.android.support.constraint:constraint-layout-solver:{strictly
com.android.support.constraint:constraint-layout:{strictly

The original gradle output looks like

com.android.support.constraint:constraint-layout-solver:{strictly 1.1.3} -> 1.1.3

Adapting the regex to

./gradlew app:dependencies | grep -Poh "[^:\s]+:[^:]+:[^:\s\{]+" | sort | uniq

suppresses these extra lines. I'm not sure if suppressing the {strictly 1.1.3} -> 1.1.3 has any downsides.
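The regex above only hides the stray `{strictly` entries; it still reports the declared version rather than the one Gradle actually resolved. The script below is an added example (not code from the dash-licenses project or from the issue author) that parses the `gradle dependencies` tree and emits one `group:artifact:resolvedVersion` per line, taking the version after `->` when Gradle prints a `declared -> resolved` pair. The sample tree it runs on is constructed for the example, not real build output; `gradle_resolved_coords` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: extract *resolved* Maven coordinates from the output of
# `./gradlew <module>:dependencies`. Unlike a plain grep for
# "group:artifact:version", it understands Gradle's "declared -> resolved"
# notation, so "{strictly 1.1.3} -> 1.1.3" yields "...:1.1.3" and never
# a bogus "...:{strictly" line.

# Constructed sample of a Gradle dependency tree (not real build output).
SAMPLE='releaseRuntimeClasspath - Runtime classpath of compilation release.
+--- com.android.support.constraint:constraint-layout:1.1.3
|    \--- com.android.support.constraint:constraint-layout-solver:{strictly 1.1.3} -> 1.1.3
+--- project :lib
|    \--- com.squareup.okio:okio:1.17.2 -> 2.10.0 (*)
+--- org.jetbrains.kotlin:kotlin-stdlib -> 1.6.21 (c)
+--- org.jetbrains.kotlin:kotlin-stdlib:1.6.10 -> 1.6.21
\--- com.example:unresolved:9.9.9 (n)

(c) - dependency constraint
(*) - dependencies omitted (listed previously)
(n) - Not resolved (configuration is not meant to be resolved)'

# Read a dependency tree on stdin; print one "group:artifact:resolvedVersion"
# per line, sorted and de-duplicated (C locale so the order is stable).
gradle_resolved_coords() {
  awk '
    { sub(/^[ |+\\-]*/, "") }            # strip the tree-drawing prefix
    /^project / { next }                  # local sub-projects have no coordinates
    /\(n\)$/ { next }                     # "(n)": not resolved, nothing to scan
    /\(c\)$/ { next }                     # "(c)": a constraint only pins a version;
                                          #        the real edge appears elsewhere
    !/^[^ :]+:[^ :]+/ { next }            # headers, legend, blank lines
    {
      sub(/ \(\*\)$/, "")                 # "(*)": subtree already listed
      n = split($0, f, ":")
      ga = f[1] ":" f[2]                  # group:artifact
      sub(/ ->.*$/, "", ga)               # "group:artifact -> 1.2" (version from a BOM)
      if (match($0, / -> /)) {
        ver = substr($0, RSTART + 4)      # resolved version wins over declared
      } else {
        ver = f[n]                        # plain "group:artifact:version"
      }
      print ga ":" ver
    }
  ' | LC_ALL=C sort -u
}

# Runs the constructed sample through the parser when executed directly.
printf '%s\n' "$SAMPLE" | gradle_resolved_coords
```

In a real build the pipeline is `./gradlew app:dependencies | gradle_resolved_coords > deps.txt` (optionally with `--configuration releaseRuntimeClasspath` to limit the tree to one configuration), and `deps.txt` is what gets handed to the license tool; the `{strictly ...}` decoration never reaches it because only the text after `->` is kept.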

boaks commented 3 years ago

Applying the result file (without the strict) to this tool I get:

License information could not be automatically verified for the following content:

...
maven/mavencentral/com.android.support.constraint/constraint-layout-solver/1.1.3
maven/mavencentral/com.android.support.constraint/constraint-layout/1.1.3
...

This content is either not correctly mapped by the system, or requires review.

I'm not sure if that would help at all, but Android artifacts are maintained in

https://dl.google.com/android/maven2

or

https://maven.google.com

Those repos contain the pom and an aar (instead of a jar).

waynebeaton commented 3 years ago

Clearly, the default type/source ("maven/mavencentral") assumed by the tool isn't correct. AFAIK, ClearlyDefined currently doesn't point at the Google Maven repository, but they are in the process of sorting that out. Once they do, I'll have to provide some advice on how to convince the tool to look there instead.

Independent of this, I'd like to sort out how we can review the identified libraries. I can't find a link to the source. Do you have the link?

boaks commented 3 years ago

There is something like support-sources. But it's hard to ensure that the right files are used.

Maybe it is also possible to let gradle download the sources with:

implementation 'com.android.support:appcompat-v7:26.1.0'
implementation 'com.android.support:appcompat-v7:26.1.0:sources'

and then pick them from "~/.gradle/caches/modules-2/files-2.1/com.android.support/appcompat-v7/26.1.0/?????/appcompat-v7-26.1.0-sources.jar"

I found that appcompat-v7-26.1.0-sources may work as well to get the sources.

Last year, the sources could not be downloaded by gradle for all modules; some of the modules only contain "style-files" or similar resources.

Anyway, if there will be a mid-term solution with ClearlyDefined, there is, at least from my side, no urgent request for an earlier additional approach.

nagyesta commented 6 months ago

Hi, I know it is an old issue, but I wanted to share a possible workaround. I have created a Gradle plugin which uses the resolved versions for the check. This way, the syntax you have used in your build files cannot mess up the regexp-based replacements.

Please feel free to use the plugin here if it makes sense: https://github.com/nagyesta/run-dash-license-tool-gradle-plugin

Best of luck!