Gradle-License-Report
Allow mapping licenses for dependencies
Hi,
It can happen that some dependencies seem not to have license information provided, or have multiple licenses where you have to choose a license.
For these scenarios, in order for the checkLicense task to succeed, you currently need to add an entry with the module name/version and potentially the license in the whitelist, if I am not mistaken. For example, an added entry could look like this:
```json
{
  "moduleLicense": null,
  "moduleVersion": "2.1.0",
  "moduleName": "some.company:proprietary-lib-without-license-information"
}
```
It would be great if you could map the library to override to a specific license. This would help generate a cleaner license report where the proper license information would be shown.
Thanks, Mario
Hi, this has been open for almost two years now. I'm in a similar situation. I would like to fail my build if there are licenses in the build not covered in "allowed licenses". However, like @marioschlipf I have at least two dependencies with a null license field (both on GitHub, both Apache 2.0):
- com.fasterxml.jackson:jackson-bom:2.13.3
- com.squareup.okio:okio:3.1.0
Is there any way to declare the license for them? However, that would only be a workaround, because in practice the next version of those artifacts could be released under a different license, and the manually declared license would override this.
The best solution would be to properly detect the license for those artifacts. Is there documentation on how to figure out these cases of the missing license?
I use several JARs from the jackson project. I would assume that their JARs are all generated the same way and that the license report plugin would either identify all of them with the same license or all as "NULL". But it is just the jackson-bom artifact that escapes proper detection.
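The two comments above ask for a license mapping and worry that a manual mapping could outlive a license change. The sketch below is an added example, not code or configuration from Gradle-License-Report: it pins each override to an exact module version and lets a detected license take precedence. The record fields follow the entry shown in the issue; the function names, allow-list, license strings and sample records are assumptions constructed for illustration.

```python
# Added illustration; not part of Gradle-License-Report.
ALLOWED = {"Apache License, Version 2.0"}  # constructed allow-list

# Constructed overrides, keyed by exact (moduleName, moduleVersion) so a
# declaration never carries over to a release it was not reviewed for.
OVERRIDES = {
    ("com.fasterxml.jackson:jackson-bom", "2.13.3"): "Apache License, Version 2.0",
    ("com.squareup.okio:okio", "3.1.0"): "Apache License, Version 2.0",
}

def resolve_license(dep, overrides):
    """Return (license, source); a detected license always wins."""
    detected = dep.get("moduleLicense")
    if detected:
        return detected, "detected"
    key = (dep["moduleName"], dep["moduleVersion"])
    if key in overrides:
        return overrides[key], "override"
    return None, "unresolved"

def check_licenses(deps, allowed, overrides):
    """Return (violations, stale_overrides) for a list of report records."""
    violations, used = [], set()
    for dep in deps:
        lic, source = resolve_license(dep, overrides)
        if source == "override":
            used.add((dep["moduleName"], dep["moduleVersion"]))
        if lic not in allowed:
            violations.append((dep["moduleName"], dep["moduleVersion"], lic))
    # Overrides that matched nothing point at versions no longer in the build.
    stale = sorted(set(overrides) - used)
    return violations, stale

# Constructed sample records in the shape of the entry shown in the issue.
SAMPLE_DEPS = [
    {"moduleName": "com.fasterxml.jackson:jackson-bom",
     "moduleVersion": "2.13.3", "moduleLicense": None},
    {"moduleName": "com.squareup.okio:okio",  # constructed later version
     "moduleVersion": "9.9.9", "moduleLicense": None},
    {"moduleName": "com.fasterxml.jackson.core:jackson-databind",
     "moduleVersion": "2.13.3", "moduleLicense": "Apache License, Version 2.0"},
]

if __name__ == "__main__":
    violations, stale = check_licenses(SAMPLE_DEPS, ALLOWED, OVERRIDES)
    print("violations:", violations)
    print("stale overrides:", stale)
```

With these records the version bump leaves the okio override unused, so the module fails the check again and the old entry is reported as stale for re-review.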