score-spec / score-compose

Reference implementation for docker-compose target platform support
https://score.dev/
Apache License 2.0
445 stars 40 forks

Update license URLs #158

Closed kbakdev closed 2 months ago

kbakdev commented 2 months ago

Description

This PR updates the license URLs from HTTP to HTTPS to ensure secure links and resolve an issue with spring-boot:build-image failing to build Docker images due to HTTP links.

astromechza commented 2 months ago

@kbakdev could you please fill out the DCO and also provide a more detailed example of the error or stacktrace or a reproducer of the issues?

kbakdev commented 2 months ago

Yes sure, I will use this as an example:

https://github.com/spring-projects/spring-petclinic

Here are the commands I am running:

git clone https://github.com/spring-projects/spring-petclinic.git
cd spring-petclinic
score-compose init
./mvnw spring-boot:build-image

And this is the output I am getting:

➜  spring-petclinic git:(main) ✗ ./mvnw spring-boot:build-image
[INFO] Scanning for projects...
[INFO]
[INFO] ------------< org.springframework.samples:spring-petclinic >------------
[INFO] Building petclinic 3.3.0-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] >>> spring-boot:3.3.0:build-image (default-cli) > package @ spring-petclinic >>>
[INFO]
[INFO] --- enforcer:3.4.1:enforce (enforce-java) @ spring-petclinic ---
[INFO] Rule 0: org.apache.maven.enforcer.rules.version.RequireJavaVersion passed
[INFO]
[INFO] --- spring-javaformat:0.0.41:validate (default) @ spring-petclinic ---
[INFO]
[INFO] --- checkstyle:3.3.1:check (nohttp-checkstyle-validation) @ spring-petclinic ---
[INFO] There is 1 error reported by Checkstyle 10.16.0 with src/checkstyle/nohttp-checkstyle.xml ruleset.
[ERROR] .score-compose/99-default.provisioners.yaml:[7,8] (extension) NoHttp: http:// URLs are not allowed but got 'http://www.apache.org/licenses/LICENSE-2.0'. Use https:// instead.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.983 s
[INFO] Finished at: 2024-07-04T16:56:28+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-checkstyle-plugin:3.3.1:check (nohttp-checkstyle-validation) on project spring-petclinic: You have 1 Checkstyle violation. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

The root cause is in the checkstyle rule in the nohttp-checkstyle.xml configuration:

➜  checkstyle git:(main) ✗ cat nohttp-checkstyle.xml
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
        "-//Puppy Crawl//DTD Check Configuration 1.2//EN"
        "https://checkstyle.org/dtds/configuration_1_2.dtd">
<module name="com.puppycrawl.tools.checkstyle.Checker">
    <module name="io.spring.nohttp.checkstyle.check.NoHttpCheck"/>
    <module name="SuppressionFilter">
        <property name="file" value="${config_loc}/nohttp-checkstyle-suppressions.xml"/>
    </module>
</module>

This rule enforces the use of https:// URLs instead of http://. The build fails because an http:// URL is detected in the .score-compose/99-default.provisioners.yaml file.

Apache is working with the URL provided in the Pull Request, so it's better to use https://. Many tools now include similar checks to enforce secure URL usage and prevent developers from putting HTTP even in comments.
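
An added example, not part of the original thread and not code from nohttp or score-compose: a small Python approximation of the kind of check described above, which a tool author could run over generated files before shipping them. The allowlist patterns, function names and sample text are assumptions constructed for illustration; columns are 1-based and need not match Checkstyle's numbering.

```python
import re

# http:// URL up to whitespace or a common closing delimiter.
HTTP_URL = re.compile(r"http://[^\s\"'<>)\]]+")

# Assumed allowlist (illustrative): loopback addresses that never leave the host.
DEFAULT_ALLOW = (
    re.compile(r"^http://localhost(?=[:/]|$)"),
    re.compile(r"^http://127\.0\.0\.1(?=[:/]|$)"),
)


def _allowed(url, allow):
    return any(p.search(url) for p in allow)


def find_http_urls(text, allow=DEFAULT_ALLOW):
    """Return (line, column, url) for each non-allowlisted http:// URL, 1-based."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HTTP_URL.finditer(line):
            url = m.group(0).rstrip(".,;")  # drop sentence punctuation
            if not _allowed(url, allow):
                findings.append((lineno, m.start() + 1, url))
    return findings


def upgrade_to_https(text, allow=DEFAULT_ALLOW):
    """Rewrite flagged URLs to https://; confirm each host serves HTTPS first."""
    def repl(m):
        url = m.group(0)
        return url if _allowed(url, allow) else "https://" + url[len("http://"):]
    return HTTP_URL.sub(repl, text)


# Constructed sample: a generated YAML file with an Apache license header.
SAMPLE = """\
# Licensed under the Apache License, Version 2.0.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
endpoint: http://localhost:8080/health
"""

if __name__ == "__main__":
    for line, col, url in find_http_urls(SAMPLE):
        print(f"sample.yaml:[{line},{col}] http:// URL found: {url}")
    print(upgrade_to_https(SAMPLE))
```
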

kbakdev commented 2 months ago

As a workaround right now, I am going to that place and changing the http:// to https://. However, this should not be the intended way of addressing this issue imo.

astromechza commented 2 months ago

@kbakdev the other workaround would be to add .score-compose to the gitignore to help indicate to tools that this isn't an artefact that's included in the sources. OK, will check with the other maintainers about any impact of changing the licence doc here.

kbakdev commented 2 months ago

@astromechza, I tried adding .score-compose to the .gitignore, but the problem still persists. If you want to run some of the works locally, the issue remains, making it impossible for local building. This workaround does not fully resolve the problem.

astromechza commented 2 months ago

@kbakdev ok, thanks for testing that out. Much appreciated. I think we're going to go with #162 as a solution - and just remove the license header from the config file entirely.

Another suitable workaround is that you add the file to the allowlist for checkstyle, which is a very common configuration: https://github.com/spring-io/nohttp/blob/main/nohttp-checkstyle/README.adoc

kbakdev commented 2 months ago

Ok, thanks