
Request to update license information

Open karynritter opened this issue 7 years ago • 12 comments

When we use this plugin, the output for a number of packages is "No license information found". I can make a copy of the resulting csv and manually update it to reflect the appropriate license for each package each time I need it, but that would mean that every subsequent run will return the same "No license information found".

It would be helpful to be able to manually update the csv to retain the changes across runs (an exception file or something?).

Being able to tag an OSS package in gradle with its license so that others don't have to also look up the license info would also be great, but I'm not sure if this is possible or desirable (since licenses sometimes change).

Do others think this would be a good change? Is this something that you all would consider?

karynritter avatar Aug 01 '18 20:08 karynritter

A further bit of info I've been given is that the “overrides” functionality already exists for the InventoryHtmlReportRenderer, but doesn’t exist for the CsvReportRenderer.

karynritter avatar Aug 01 '18 20:08 karynritter

Do you have an example for a library without license information? Would be helpful for the integration tests.

guenhter avatar Aug 02 '18 05:08 guenhter

Here are a few I copied from the output:

aopalliance:aopalliance v1.0

Project URL

License URL

No license information found

==

com.github.fge:btf v1.2

Project URL

License URL

No license information found

==

jacl:jacl v1.4.1

Project URL

License URL

No license information found

==

org.opensaml:opensaml v2.6.4

Project URL

License URL

No license information found

Thanks!

Karyn

On Wed, Aug 1, 2018 at 10:17 PM Günther Grill [email protected] wrote:

Do you have an example for a library without license information? Would be helpful for the integration tests.


karynritter avatar Aug 02 '18 16:08 karynritter

I'd say a custom DependencyFilter implementation is a good place for that

jk1 avatar Sep 20 '18 06:09 jk1

So I have checked these libraries in detail and all of them turned out to have license information associated. Moreover, the plugin is able to identify them correctly*. The problem is in the renderer, which fails to output the data.

*Opensaml library has its packaged pom.xml file different from the published one. We can work around this with a small adjustment to pom discovery.

The solution would be to make SimpleHtmlReportRenderer and TextReportRenderer use LicenseDataCollector utility class.

jk1 avatar Feb 17 '19 20:02 jk1

@jk1 I've got some examples of where this is necessary.

Ktor-Swagger:

https://bintray.com/ktor-swagger/maven-artifacts/download_file?file_path=de%2Fnielsfalk%2Fktor%2Fktor-swagger%2F0.3.0%2Fktor-swagger-0.3.0.pom

Klaxon: https://bintray.com/cbeust/maven/klaxon/5.0.5

Ktor (version 0.9.3):

https://bintray.com/kotlin/ktor/ktor/0.9.3

Having a way to manually set the licence for these when they are absent would be an incredibly useful feature.

JLLeitschuh avatar Feb 22 '19 19:02 JLLeitschuh

This is the code I've used to hack the solution on to the CSV formatter. I'm not proud of this code, but it does work for me.

// Imports needed for this to compile against the plugin's classes
import com.github.jk1.license.LicenseFileData
import com.github.jk1.license.LicenseFileDetails
import com.github.jk1.license.ManifestData
import com.github.jk1.license.ModuleData
import com.github.jk1.license.render.CsvReportRenderer
import java.io.File

data class DependencyMatcher(
    /**
     * Matches the group of the dependency.
     */
    val groupMatcher: String,
    /**
     * Matches the name of the dependency.
     */
    val nameMatcher: String? = null
) {
    fun justGroup() = copy(nameMatcher = null)
}

data class LicenseData(
    val moduleLicense: String,
    val moduleLicenseUrl: String
) {
    fun toFakeLicenseFile(): LicenseFileDetails {
        return LicenseFileDetails(
            null, // file
            moduleLicense,
            moduleLicenseUrl
        )
    }
}

data class CustomLicenseData(
    val moduleUrl: String,
    private val license: LicenseData
) {

    constructor(
        moduleUrl: String,
        moduleLicense: String,
        moduleLicenseUrl: String
    ): this(
        moduleUrl,
        LicenseData(
            moduleLicense,
            moduleLicenseUrl
        )
    )

    fun toFakeManifest(): ManifestData {
        return ManifestData(
            null, // name
            null, // version
            null, // description
            null, // vendor
            null, // license
            moduleUrl
        )
    }

    fun toFakeLicenseFile(): LicenseFileDetails {
        return license.toFakeLicenseFile()
    }
}

val apacheTwo = LicenseData(
    moduleLicense = "The Apache Software License, Version 2.0",
    moduleLicenseUrl = "http://www.apache.org/licenses/LICENSE-2.0.txt"
)

val licenseOverride = mapOf(
    DependencyMatcher(groupMatcher = "com.beust", nameMatcher = "klaxon") to CustomLicenseData(
        moduleUrl = "https://github.com/cbeust/klaxon",
        license = apacheTwo
    ),
    DependencyMatcher(groupMatcher = "de.nielsfalk.ktor") to CustomLicenseData(
        moduleUrl = "https://github.com/nielsfalk/ktor-swagger",
        license = apacheTwo
    ),
    DependencyMatcher(groupMatcher = "io.ktor") to CustomLicenseData(
        moduleUrl = "https://ktor.io/",
        license = apacheTwo
    ),
    DependencyMatcher(groupMatcher = "org.jlleitschuh.guice") to CustomLicenseData(
        moduleUrl = "https://github.com/JLLeitschuh/kotlin-guiced",
        moduleLicense = "MIT License",
        moduleLicenseUrl = "http://www.opensource.org/licenses/mit-license.php"
    )
)

/**
 * I'm not proud of this code, but it works.
 * This is an incredibly hacky solution and probably won't work if we ever
 * update this plugin.
 *
 * There will hopefully be a fix for this soon:
 *
 * https://github.com/jk1/Gradle-License-Report/issues/105
 */
class CustomCsvReportRenderer : CsvReportRenderer() {

    override fun renderDependency(file: File, data: ModuleData) {
        val dependencyMatcherExact = DependencyMatcher(
            groupMatcher = data.group,
            nameMatcher = data.name
        )
        val dependencyMatcherGeneric =
            dependencyMatcherExact.justGroup()

        // Match the exact one over the generic matcher
        val matchingOverride =
            sequenceOf(dependencyMatcherExact, dependencyMatcherGeneric)
                .mapNotNull { licenseOverride[it] }
                .firstOrNull()

        if (matchingOverride != null) {
            data.manifests.add(matchingOverride.toFakeManifest())
            data.licenseFiles.add(
                LicenseFileData().apply {
                    fileDetails.add(matchingOverride.toFakeLicenseFile())
                }
            )
        }

        super.renderDependency(file, data)
    }
}

JLLeitschuh avatar Feb 22 '19 20:02 JLLeitschuh
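A post-processing take on the exception file asked for at the top of the thread, using the same exact-over-group precedence as the renderer hack above; this is an added example, not code from the plugin or from anyone in this thread. It assumes the CsvReportRenderer column layout shown in REPORT_CSV and the "No license information found" marker, and the overrides JSON format is invented here.

```python
import csv
import io
import json

NO_LICENSE = "No license information found"

# Constructed overrides file (format invented for this example). Keys are
# "group:name" for one artifact, or "group" for every artifact in the group.
OVERRIDES_JSON = """{
  "com.beust:klaxon": {"moduleUrl": "https://github.com/cbeust/klaxon", "moduleLicense": "The Apache Software License, Version 2.0", "moduleLicenseUrl": "http://www.apache.org/licenses/LICENSE-2.0.txt"},
  "io.ktor": {"moduleLicense": "The Apache Software License, Version 2.0", "moduleLicenseUrl": "http://www.apache.org/licenses/LICENSE-2.0.txt"}
}"""
OVERRIDES = json.loads(OVERRIDES_JSON)

# Constructed report excerpt in the assumed CsvReportRenderer column layout.
REPORT_CSV = """\
"artifact","moduleUrl","moduleLicense","moduleLicenseUrl"
"com.beust:klaxon:5.0.5","","No license information found",""
"io.ktor:ktor:0.9.3","","No license information found",""
"org.opensaml:opensaml:2.6.4","","No license information found",""
"net.jcip:jcip-annotations:1.0","http://jcip.net/","Creative Commons Legal Code 2.5","https://creativecommons.org/licenses/by/2.5/legalcode"
"""

def find_override(overrides, artifact):
    """An exact group:name entry wins over a group-wide one (same precedence as the hack above)."""
    parts = artifact.split(":")
    group, name = parts[0], (parts[1] if len(parts) > 1 else "")
    for key in (f"{group}:{name}", group):
        if key in overrides:
            return overrides[key]
    return None

def apply_overrides(csv_text, overrides):
    """Return (rewritten CSV, artifacts still without a license) so CI can fail on the latter."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows, unresolved = [], []
    for row in reader:
        if row["moduleLicense"] in ("", NO_LICENSE):
            override = find_override(overrides, row["artifact"])
            if override is None:
                unresolved.append(row["artifact"])  # surface it, never silently pass
            else:  # only fill known columns; an override cannot add new ones
                row.update({k: v for k, v in override.items() if k in row})
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, reader.fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), unresolved
```

Because the overrides file is reviewed and committed alongside the build, the same corrections apply on every run, and anything not covered still shows up in the returned list instead of vanishing from the report.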

@JLLeitschuh thank you for sharing.

These ktor libraries seem to contain, well, nothing: https://bintray.com/kotlin/ktor/ktor/0.9.3#files/io%2Fktor%2Fktor%2F0.9.3. The real ktor repo seems to have a license set in pom.xml: http://central.maven.org/maven2/io/ktor/ktor-server-core/1.1.3/

Nevertheless, I can imagine a lot more libraries having similar problems.

jk1 avatar Feb 22 '19 21:02 jk1

Regardless of this minor issue, I really want to thank you for this library. You saved me hours of tedious work! Awesome project!

JLLeitschuh avatar Feb 22 '19 21:02 JLLeitschuh

https://github.com/jk1/Gradle-License-Report/issues/154 (I recently posted) seems to be a dup of this. There are a couple that I have that are still in "Unknown" after having worked the rest into their appropriate categories by updating repositories:

'com.github.PhilJay:MPAndroidChart:v3.1.0' (https://github.com/PhilJay/MPAndroidChart)

'com.github.drawers:SpinnerDatePicker:2.0.1' (https://github.com/drawers/SpinnerDatePicker)

They both report as using Apache 2.0. None of the reports I have tried so far have been able to find this (InventoryHtmlReportRenderer, SimpleHtmlReportRenderer, JsonReportRenderer).

estrnod avatar Jul 28 '19 23:07 estrnod

Is there now a way to handle "null" licenses? I've read the messages under this issue, but I'm still unclear. I've got those left over:

{
    "dependenciesWithoutAllowedLicenses": [
        {
            "moduleLicense": null,
            "moduleVersion": "1.8.1",
            "moduleName": "org.apache.deltaspike.cdictrl:cdictrl-project"
        },
        {
            "moduleLicense": null,
            "moduleVersion": "2.5.0",
            "moduleName": "org.hsqldb:hsqldb"
        },
        {
            "moduleLicense": null,
            "moduleVersion": "1.3.40",
            "moduleName": "org.jetbrains.kotlin:kotlin-stdlib"
        }
    ]
}

Anyway, thanks for the plugin and the license checking functionality, they are really helpful.

marco-schmidt avatar Sep 17 '19 08:09 marco-schmidt

@marco-schmidt

I had this issue with net.jcip:jcip-annotations

So in allowed licenses I added

{
  "allowedLicenses": [
    {
      "moduleVersion": "1.0",
      "moduleName": "net.jcip:jcip-annotations"
    }
  ]
}

And in my license-normalizer I added

{
  "bundles": [
    { "bundleName" : "CC-2.5", "licenseName" : "Creative Commons Legal Code 2.5", "licenseUrl" : "https://creativecommons.org/licenses/by/2.5/legalcode" }
  ],
  "transformationRules": [
    { "bundleName" : "CC-2.5", "modulePattern": "net.jcip:jcip-annotations:1\\.0" }
  ]
}

So now it's allowed and with the TextRenderer I get

[number]. Group: net.jcip  Name: jcip-annotations  Version: 1.0

Manifest license URL: https://creativecommons.org/licenses/by/2.5/legalcode

POM Project URL: http://jcip.net/

npetzall avatar Jan 04 '21 09:01 npetzall