diff --git a/README.md b/README.md index a10555847..b0816ebbe 100755 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ __Features:__ * Remove existing header (`remove` goal). * Custom mappings: enables easy support of new file extensions. * Variable replacement: you can add some variable in your header, such as ${year} or ${owner} and they will be replaced by the corresponding values taken from the pom or system properties. + * [Dependency enforcement](./src/site/markdown/dependency-enforcement.md): optionally fail the build if the dependencies do not meet your license policies __Project:__ diff --git a/src/site/markdown/dependency-enforcement.md b/src/site/markdown/dependency-enforcement.md new file mode 100644 index 000000000..4059fb85e --- /dev/null +++ b/src/site/markdown/dependency-enforcement.md 
@@ -0,0 +1,59 @@ +# Dependency Enforcement + +This plugin can be configured to break the build when its dependencies do not adhere to a configured license policy. This plugin relies on the accuracy of the `` maven property configured in the pom of artifacts your project declares in ``. + +There are currently three types of policies which can be enforced: +1. LICENSE_URL - strict match on the URL element of a License +2. LICENSE_NAME - strict match on the name of a License +3. ARTIFACT_PATTERN - regex on a groupdId:artifactId + +Rules can be defined in the plugin configuration like so: +```xml + + com.mycila + license-maven-plugin + + true + A custom error message for how to handle approvals in your organization + + + LICENSE_NAME + APPROVE + Public Domain + + + LICENSE_URL + APPROVE + https://www.apache.org/licenses/LICENSE-2.0.txt + + + ARTIFACT_PATTERN + APPROVE + com.mycila.* + + + ARTIFACT_PATTERN + DENY + com.example.* + + + ARTIFACT_PATTERN + ALLOW + com.example.subpackage:other-artifact:jar:1.0.0 + + + + +``` + +There is also an implicit default deny artifact pattern policy, so if you enable dependency enforcement and have any dependencies, you must configure a policy. The ordering of the declared dependencyPolicies does not matter, and in aggregate they will be enforced in the following way: +1. defaultPolicy included in the plugin, matching all artifacts with a deny rule +2. APPROVE policies +3. 
DENY policies + +Given the above configuration example, you could state: +* the allow rule for com.example.subpackage:other-artifact:jar:1.0.0 will never do anything, because there is a deny rule for com.example.* +* all com.mycila artifacts will be allowed, regardless of their license +* any other artifact with a license name of 'Public Domain' will be allowed +* any other artifact with a license URL of explicitely 'https://www.apache.org/licenses/LICENSE-2.0.txt' will be allowed +* all other artifacts will fail the build with the following message header: "A custom error message for how to handle approvals in your organization" along with the list of artifacts which violated the policies diff --git a/src/site/site.xml b/src/site/site.xml new file mode 100644 index 000000000..bb1137b9b --- /dev/null +++ b/src/site/site.xml @@ -0,0 +1,27 @@ + + + + + + + + + +
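Review bot: the new README bullet is the only entry in the `__Features:__` list without a trailing period; end `optionally fail the build if the dependencies do not meet your license policies` with a period so it matches `* Remove existing header (`remove` goal).` and the neighbouring items.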
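Review bot: in `dependency-enforcement.md` the ARTIFACT_PATTERN rule is documented as "regex on a groupdId:artifactId" (typo: `groupId`), but the example pattern `com.example.subpackage:other-artifact:jar:1.0.0` is a full `groupId:artifactId:type:version` coordinate; the page should state exactly which string the regex is matched against, because a pattern written for the other form will never match and the artifact will silently fall through to the implicit default deny. Two related points in the same hunk: the rule types are enumerated as `APPROVE` and `DENY`, yet the last example rule uses `ALLOW` and the prose calls it an "allow rule", so either document `ALLOW` as a valid value or change the example to `APPROVE`; and since the patterns are plain regexes, `com.mycila.*` also matches any groupId such as `com.mycilafoo` (the unescaped dot matches any character), which for an APPROVE rule means more artifacts skip license checks than the text claims ("all com.mycila artifacts will be allowed"); suggest `com\.mycila:.*` in the example and a sentence advising readers to escape dots and anchor their patterns. Nit: `explicitely` should be `explicitly`.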