Open karynritter opened 6 years ago
A further bit of info I've been given is that the “overrides” functionality already exists for the InventoryHtmlReportRenderer, but doesn’t exist for the CsvReportRenderer.
Do you have an example for a library without license information? Would be helpful for the integration tests.
Here are a few I copied from the output:
```text
aopalliance:aopalliance v1.0
Project URL
License URL
No license information found
==
com.github.fge:btf v1.2
Project URL
License URL
No license information found
==
jacl:jacl v1.4.1
Project URL
License URL
No license information found
==
org.opensaml:opensaml v2.6.4
Project URL
License URL
No license information found
```
Thanks!
Karyn
On Wed, Aug 1, 2018 at 10:17 PM Günther Grill notifications@github.com wrote:
> Do you have an example for a library without license information? Would be helpful for the integration tests.
I'd say a custom DependencyFilter implementation is a good place for that
So I have checked these libraries in detail and all of them turned out to have license information associated. Moreover, the plugin is able to identify them correctly*. The problem is in the renderer, which fails to output the data.
*Opensaml library has its packaged pom.xml file different from the published one. We can work this around with a small adjustment to pom discovery.
The solution would be to make SimpleHtmlReportRenderer and TextReportRenderer use LicenseDataCollector utility class.
@jk1 I've got some examples of where this is necessary.
Ktor-Swagger:
Klaxon: https://bintray.com/cbeust/maven/klaxon/5.0.5
Ktor (version 0.9.3):
https://bintray.com/kotlin/ktor/ktor/0.9.3
Having a way to manually set the licence for these when they are absent would be an incredibly useful feature.
This is the code I've used to hack the solution on to the CSV formatter. I'm not proud of this code, but it does work for me.
```kotlin
// Imports assume the plugin's package layout at the time of this thread.
import com.github.jk1.license.LicenseFileData
import com.github.jk1.license.LicenseFileDetails
import com.github.jk1.license.ManifestData
import com.github.jk1.license.ModuleData
import com.github.jk1.license.render.CsvReportRenderer
import java.io.File

data class DependencyMatcher(
    /**
     * Matches the group of the dependency.
     */
    val groupMatcher: String,
    /**
     * Matches the name of the dependency.
     */
    val nameMatcher: String? = null
) {
    /** A matcher that applies to every artifact in the group. */
    fun justGroup() = copy(nameMatcher = null)
}

data class LicenseData(
    val moduleLicense: String,
    val moduleLicenseUrl: String
) {
    /** Wrap the license as if it had been read from a license file. */
    fun toFakeLicenseFile(): LicenseFileDetails {
        return LicenseFileDetails(
            null, // file
            moduleLicense,
            moduleLicenseUrl
        )
    }
}

data class CustomLicenseData(
    val moduleUrl: String,
    private val license: LicenseData
) {
    constructor(
        moduleUrl: String,
        moduleLicense: String,
        moduleLicenseUrl: String
    ) : this(
        moduleUrl,
        LicenseData(
            moduleLicense,
            moduleLicenseUrl
        )
    )

    /** A manifest carrying only the project URL; the renderer reads the URL from it. */
    fun toFakeManifest(): ManifestData {
        return ManifestData(
            null, // name
            null, // version
            null, // description
            null, // vendor
            null, // license
            moduleUrl
        )
    }

    fun toFakeLicenseFile(): LicenseFileDetails {
        return license.toFakeLicenseFile()
    }
}

val apacheTwo = LicenseData(
    moduleLicense = "The Apache Software License, Version 2.0",
    moduleLicenseUrl = "http://www.apache.org/licenses/LICENSE-2.0.txt"
)

// Manual overrides: an exact group+name entry, or a group-only entry.
val licenseOverride = mapOf(
    DependencyMatcher(groupMatcher = "com.beust", nameMatcher = "klaxon") to CustomLicenseData(
        moduleUrl = "https://github.com/cbeust/klaxon",
        license = apacheTwo
    ),
    DependencyMatcher(groupMatcher = "de.nielsfalk.ktor") to CustomLicenseData(
        moduleUrl = "https://github.com/nielsfalk/ktor-swagger",
        license = apacheTwo
    ),
    DependencyMatcher(groupMatcher = "io.ktor") to CustomLicenseData(
        moduleUrl = "https://ktor.io/",
        license = apacheTwo
    ),
    DependencyMatcher(groupMatcher = "org.jlleitschuh.guice") to CustomLicenseData(
        moduleUrl = "https://github.com/JLLeitschuh/kotlin-guiced",
        moduleLicense = "MIT License",
        moduleLicenseUrl = "http://www.opensource.org/licenses/mit-license.php"
    )
)

/**
 * I'm not proud of this code, but it works.
 * This is an incredibly hacky solution and probably won't work if we ever
 * update this plugin.
 *
 * There will hopefully be a fix for this soon:
 *
 * https://github.com/jk1/Gradle-License-Report/issues/105
 */
class CustomCsvReportRenderer : CsvReportRenderer() {
    override fun renderDependency(file: File, data: ModuleData) {
        val dependencyMatcherExact = DependencyMatcher(
            groupMatcher = data.group,
            nameMatcher = data.name
        )
        val dependencyMatcherGeneric =
            dependencyMatcherExact.justGroup()
        // Match the exact one over the generic matcher
        val matchingOverride =
            sequenceOf(dependencyMatcherExact, dependencyMatcherGeneric)
                .mapNotNull { licenseOverride[it] }
                .firstOrNull()
        if (matchingOverride != null) {
            // Inject the override as fake manifest and license-file data
            // so the stock CSV renderer picks it up unchanged.
            data.manifests.add(matchingOverride.toFakeManifest())
            data.licenseFiles.add(
                LicenseFileData().apply {
                    fileDetails.add(matchingOverride.toFakeLicenseFile())
                }
            )
        }
        super.renderDependency(file, data)
    }
}
```
@JLLeitschuh thank you for sharing.
These ktor libraries seem to contain, well, nothing: https://bintray.com/kotlin/ktor/ktor/0.9.3#files/io%2Fktor%2Fktor%2F0.9.3. The real ktor repo seems to have a license set in pom.xml: http://central.maven.org/maven2/io/ktor/ktor-server-core/1.1.3/
Nevertheless I can imagine a lot more libraries to have similar problems.
Regardless of this minor issue, I really want to thank you for this library. You saved me hours of tedious work! Awesome project!
https://github.com/jk1/Gradle-License-Report/issues/154 (I recently posted) seems to be a dup of this. There are a couple that I have that are still in "Unknown" after having worked the rest into their appropriate categories by updating repositories:
- 'com.github.PhilJay:MPAndroidChart:v3.1.0' (https://github.com/PhilJay/MPAndroidChart)
- 'com.github.drawers:SpinnerDatePicker:2.0.1' (https://github.com/drawers/SpinnerDatePicker)
They both report as using Apache 2.0. None of the reports I have tried so far have been able to find this (InventoryHtmlReportRenderer, SimpleHtmlReportRenderer, JsonReportRenderer).
Is there now a way to handle "null" licenses? I've read the messages under this issue, but I'm still unclear. I've got those left over:
```json
{
  "dependenciesWithoutAllowedLicenses": [
    {
      "moduleLicense": null,
      "moduleVersion": "1.8.1",
      "moduleName": "org.apache.deltaspike.cdictrl:cdictrl-project"
    },
    {
      "moduleLicense": null,
      "moduleVersion": "2.5.0",
      "moduleName": "org.hsqldb:hsqldb"
    },
    {
      "moduleLicense": null,
      "moduleVersion": "1.3.40",
      "moduleName": "org.jetbrains.kotlin:kotlin-stdlib"
    }
  ]
}
```
Anyway, thanks for the plugin and the license checking functionality, they are really helpful.
@marco-schmidt
I had this issue with net.jcip:jcip-annotations
So in allowed licenses I added
```json
{
  "allowedLicenses": [
    {
      "moduleVersion": "1.0",
      "moduleName": "net.jcip:jcip-annotations"
    }
  ]
}
```
And in my license-normalizer I added
```json
{
  "bundles": [
    { "bundleName": "CC-2.5", "licenseName": "Creative Commons Legal Code 2.5", "licenseUrl": "https://creativecommons.org/licenses/by/2.5/legalcode" }
  ],
  "transformationRules": [
    { "bundleName": "CC-2.5", "modulePattern": "net.jcip:jcip-annotations:1\\.0" }
  ]
}
```
So now it's allowed and with the TextRenderer I get
```text
[number]. Group: net.jcip Name: jcip-annotations Version: 1.0
Manifest license URL: https://creativecommons.org/licenses/by/2.5/legalcode
POM Project URL: http://jcip.net/
```
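To show how the two workarounds in this thread fit together, here is an added example (not the plugin's own code, and not code from any commenter): a small Python model of the pipeline a module goes through when the scanner finds no license. It applies a manual override table with the same exact-match-before-group-match rule as the `DependencyMatcher` renderer hack above, then a license-normalizer `transformationRules` entry, and finally the `allowedLicenses` check. The sample modules and the matching semantics are assumptions made for the example: `modulePattern` and the allow-list fields are treated as full-match regular expressions over `group:name:version` and the module fields, which is a simplification of whatever the plugin actually does.

```python
import re
from typing import Optional

# Constructed sample input: modules the scanner reported with no license.
UNKNOWN_MODULES = [
    {"moduleName": "com.beust:klaxon", "moduleVersion": "5.0.5", "moduleLicense": None},
    {"moduleName": "io.ktor:ktor-server-core", "moduleVersion": "0.9.3", "moduleLicense": None},
    {"moduleName": "net.jcip:jcip-annotations", "moduleVersion": "1.0", "moduleLicense": None},
    {"moduleName": "org.hsqldb:hsqldb", "moduleVersion": "2.5.0", "moduleLicense": None},
]

APACHE_2 = ("The Apache Software License, Version 2.0",
            "http://www.apache.org/licenses/LICENSE-2.0.txt")

# Manual overrides keyed by (group, name). A None name covers every artifact
# in the group, like the group-only DependencyMatcher in the renderer hack.
LICENSE_OVERRIDES = {
    ("com.beust", "klaxon"): APACHE_2,
    ("io.ktor", None): APACHE_2,
}

# Normalizer configuration in the shape the thread uses (constructed).
NORMALIZER = {
    "bundles": [
        {"bundleName": "CC-2.5",
         "licenseName": "Creative Commons Legal Code 2.5",
         "licenseUrl": "https://creativecommons.org/licenses/by/2.5/legalcode"},
    ],
    "transformationRules": [
        {"bundleName": "CC-2.5", "modulePattern": r"net\.jcip:jcip-annotations:1\.0"},
    ],
}

# Allow-list: an entry matches when every field it names matches the module.
ALLOWED_LICENSES = [
    {"moduleName": "net.jcip:jcip-annotations", "moduleVersion": "1.0"},
    {"moduleLicense": "The Apache Software License, Version 2.0"},
]


def resolve_override(group: str, name: str) -> Optional[tuple]:
    """An exact (group, name) entry wins over a group-wide entry."""
    return LICENSE_OVERRIDES.get((group, name)) or LICENSE_OVERRIDES.get((group, None))


def apply_override(module: dict) -> dict:
    """Fill in license data from the override table; leaves known licenses alone."""
    if module["moduleLicense"] is not None:
        return module
    group, name = module["moduleName"].split(":", 1)
    found = resolve_override(group, name)
    if found is None:
        return module
    license_name, license_url = found
    return {**module, "moduleLicense": license_name, "moduleLicenseUrl": license_url}


def apply_normalizer(module: dict) -> dict:
    """Rewrite the license via the first rule whose modulePattern fully matches
    group:name:version (assumed regex semantics)."""
    coordinate = f"{module['moduleName']}:{module['moduleVersion']}"
    bundles = {b["bundleName"]: b for b in NORMALIZER["bundles"]}
    for rule in NORMALIZER["transformationRules"]:
        pattern = rule.get("modulePattern")
        if pattern and re.fullmatch(pattern, coordinate):
            bundle = bundles[rule["bundleName"]]
            return {**module, "moduleLicense": bundle["licenseName"],
                    "moduleLicenseUrl": bundle["licenseUrl"]}
    return module


def is_allowed(module: dict) -> bool:
    """True when some allow-list entry matches on every field it specifies
    (assumed: full-match regexes; a None field never matches, so a module
    with no license can only be allowed by name and version)."""
    for entry in ALLOWED_LICENSES:
        if all(module.get(field) is not None and re.fullmatch(pattern, module[field])
               for field, pattern in entry.items()):
            return True
    return False


def dependencies_without_allowed_licenses(modules=UNKNOWN_MODULES) -> list:
    """Run override -> normalizer -> allow-list and return what is still not allowed."""
    remaining = []
    for module in modules:
        resolved = apply_normalizer(apply_override(module))
        if not is_allowed(resolved):
            remaining.append(f"{resolved['moduleName']}:{resolved['moduleVersion']}")
    return remaining


if __name__ == "__main__":
    print(dependencies_without_allowed_licenses())
```

With the sample data, klaxon and ktor are resolved by the override table, jcip-annotations by the normalizer rule plus its name/version allow-list entry, and only hsqldb is left in the "not allowed" list, which is the situation the comment above describes: a null license can only pass the allow-list when it is pinned by name and version, or when some override supplies a license first.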
When we use this plugin, the output for a number of packages is "No license information found". I can make a copy of the resulting csv and manually update it to reflect the appropriate license for each package each time I need it, but that would mean that every subsequent run will return the same "No license information found".
It would be helpful to be able to manually update the csv to retain the changes across runs (an exception file or something?).
Being able to tag an OSS package in gradle with its license so that others don't have to also look up the license info would also be great, but I'm not sure if this is possible or desirable (since licenses sometimes change).
Do others think this would be a good change? Is this something that you all would consider?