Don't fail the build if a dep has multiple licenses and at least one of them is not denylisted #25
Comments
BTW, here is what the plugin prints out for the license info for jakarta.json-api:
I'm not a great RegEx expert, can you provide examples on what this regex
In any case, the problem is that we don't unescape the More than else, I'm surprised you don't get an exception during
For example:
In other words, if the description of the dependency's license mentions GNU as well as another license. But I get the feeling that the plugin matches regexps against each license individually.
Actually, this string
is an example of a string that should NOT match the regex. But the following should:
You have to help me here, please provide some more examples. One single example where you also contradict yourself from one post to another does not help (you can also edit the posts btw). I've done some tests in RegExr and it looks like you want to use "negative lookbehind" matching?
Oops. They were escaped originally, but they got unescaped in the process of commenting and uncommenting them out (using IntelliJ). In any case, I have restored them to their escaped state:
but I still get the following failures:
Is there a way to see the exact string that the plugin is trying to match against the blacklist regexps and which of the blacklist regexps failed on it? That would greatly help in debugging the regexps. I wrote the regexps a few years ago so I am a bit fuzzy on the details. But I think they assume that they will be matched against a string that looks like this:
In other words, all available licenses are listed on a single line, joined by + signs. The regexps will flag strings that contain "GNU General Public License", "Affero" or "GPL", but only if they are NOT preceded by a + sign (and, in the case of GPL, the character L, because I am OK with LGPL dependencies). The properly escaped regexps seem to work as intended for this kind of one-line format, because the following dependency does NOT get flagged:
But the jakarta and parsson dependencies list the alternative licenses on separate lines and that's probably why they are getting flagged. If my hypothesis is correct, a simple way to fix that would be for the plugin to join all the license terms together with a + sign before checking that single string against the blacklist regexps.
I can't provide you with custom builds for debugging your regexes.
You are expecting a behaviour of the plugin here based on lots of assumptions: a regex of which we are unsure how it works and what it should catch, the existence of artefacts out there that have multiple licenses aggregated in one string with
The plugin correctly detects artefacts with multiple licenses as it uses the official Maven metadata constructs. The plugin's current behaviour is that it flags a build failure as soon as one of these licenses matches one of the blacklisted ones, which is the behaviour that I guess you don't want. Can you confirm that is what you mean?
Here is an example that pops up when I do my build:
I have seen several others over the years. Note that this particular dependency does NOT get flagged, specifically because the "GPL" keyword is preceded by a + sign. I presume that this particular convention means that jaxb-core is available under either CDDL or GPL. Another interpretation would be that the artifact contains some GPL code and some code that is CDDL.
Yes. More precisely, a dependency should be flagged if and only if all of the available licenses for that dependency match at least one of the black-list regexps. Thx for taking this into consideration. Alain
Tnx. I was thinking of giving an option command to enable this, but the more I think of it, the more this actually looks like it should be the default behaviour. There is no point in failing the build if an artifact is dual-licensed and at least one of the two licenses is not blacklisted. I'll try to have this fix in place, but I need to do some refactoring first, this may take some time.
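The two matching policies discussed in the comments above, as an added example that is not part of this thread or of licensescan-maven-plugin's own code: the pre-fix behaviour (fail as soon as any declared license is denylisted), the behaviour requested here and shipped in 3.0-RC3 (fail only when every declared license is denylisted), and the reporter's proposed workaround of joining the names with "+" before matching once. The denylist regexes are an assumption reconstructed from the prose description on this page (the reporter's actual patterns are not visible), and the license lists are constructed sample data modelled on the artifacts the thread mentions, not plugin output.

```python
import re

# ASSUMPTION: denylist reconstructed from the description in this thread. The
# reporter's real regexes are not shown on the page. Each pattern flags a
# GPL-family keyword unless it is preceded by "+" (the "CDDL+GPL" convention,
# i.e. "available under either") or, for "GPL", by "L" (LGPL is acceptable).
# Lookbehinds are fixed-width, so they work the same in Java and Python.
DENYLIST = [
    r"(?<!\+ )(?<!\+)GNU General Public License",
    r"(?<!\+ )(?<!\+)Affero",
    r"(?<!\+ )(?<![+L])GPL",
]
COMPILED = [re.compile(p) for p in DENYLIST]

# Constructed sample data: one <license><name> entry per list element, as the
# plugin would read them from the POMs. Not real plugin output.
SAMPLE_DEPENDENCIES = {
    "jakarta.json:jakarta.json-api": [
        "Eclipse Public License 2.0",
        "GNU General Public License, version 2 with the GNU Classpath Exception",
    ],
    "com.sun.xml.bind:jaxb-core": ["CDDL+GPL License"],
    "example:lgpl-lib": ["GNU Lesser General Public License v2.1"],
    "example:gpl-only": ["GNU General Public License v3"],
    "example:agpl-only": ["GNU Affero General Public License v3"],
    # same dual licensing as jakarta.json-api, but GPL listed first
    "example:gpl-first": ["GNU General Public License v2", "Apache License 2.0"],
}


def matches_denylist(license_name: str) -> bool:
    """True if at least one denylist regex is found anywhere in this single name."""
    return any(p.search(license_name) for p in COMPILED)


def fails_build_any(licenses: list[str]) -> bool:
    """Pre-3.0-RC3 behaviour as described in the thread: one denylisted license
    among several is enough to fail the build."""
    return any(matches_denylist(name) for name in licenses)


def fails_build_all(licenses: list[str]) -> bool:
    """Behaviour requested here and shipped in 3.0-RC3: fail only if every
    declared license is denylisted. A dependency with no declared license is
    not flagged by this policy (assumption: that case is left to other checks)."""
    return bool(licenses) and all(matches_denylist(name) for name in licenses)


def fails_build_joined(licenses: list[str], sep: str = " + ") -> bool:
    """The reporter's workaround idea: join all names with '+' and match once.
    Works only when the denylisted name is not first, so it is order-sensitive."""
    return matches_denylist(sep.join(licenses))


def scan(dependencies: dict[str, list[str]], policy) -> dict[str, bool]:
    """Apply one policy function to every dependency; True means 'fail the build'."""
    return {name: policy(names) for name, names in dependencies.items()}


if __name__ == "__main__":
    policies = {"any": fails_build_any, "all": fails_build_all, "joined": fails_build_joined}
    results = {label: scan(SAMPLE_DEPENDENCIES, fn) for label, fn in policies.items()}
    print(f"{'dependency':34} {'any':>6} {'all':>6} {'joined':>7}")
    for dep in SAMPLE_DEPENDENCIES:
        row = [str(results[label][dep]) for label in policies]
        print(f"{dep:34} {row[0]:>6} {row[1]:>6} {row[2]:>7}")
```

Run it and compare the columns: only the "all" policy leaves both dual-licensed artifacts unflagged regardless of the order in which the POM lists the licenses, which is why the per-license "all must match" rule is the right fix rather than the string-join workaround.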
On Thu, Jan 19, 2023, 2:58 a.m., Carlo Morelli ***@***.***> wrote:

> Tnx. I was thinking of giving an option command to enable this, but the more I think of it, the more this actually looks like it should be the default behaviour. There is no point in failing the build if an artifact is dual-licensed and at least one of the two licenses is not blacklisted.

I agree. This should be the default behaviour.
Btw... Although I have never seen an actual case, I imagine it's possible for an artefact to have more than two licenses.

> I'll try to have this fix in place, but I need to do some refactoring first, this may take some time.

No problem. In the meantime I will just comment out the regexes in my pom.
Alain
This is now implemented. You can test it using release 3.0-RC3 just issued.
On Sat, Jan 21, 2023 at 9:48 AM Carlo Morelli ***@***.***> wrote:

> This is now implemented. You can test it using release 3.0-RC3 just issued.

Works like a charm. Thx.
Alain
I don't want dependencies that are only available under GPL. However I am OK with GPL deps that also offer more permissive licenses.
Here is how I encode that in my pom:
I thought this worked because for the longest time I didn't get any failures. But today I added jakarta.json-api to my pom and it does cause the build to fail, even though it's available under both GPL and Apache licenses.
I am guessing that the problem comes from the fact that the plugin checks each of those licenses against the provided regexes.
Is there a way to support my use case?
Thx