Allow project-specific license file overrides #107
mstachniuk left a comment
I'm not approving it as this contribution shows a hidden issue in the current logic. It would be great if @jonas-wielage-sonarsource (as the first author) looked at that more deeply.
Please update the comment to keep it up to date
Generally speaking, I like the contribution and the possibility to override/configure the task.
However, looking at how you are using it https://github.com/SonarSource/sonar-apex/pull/184/changes#diff-d146424e9fbbf2e55c7c4d66cf3c6fdbb2a6b2b37ee15e7113994fb8654a4f0b

```kotlin
licenseGenerationConfig {
    projectLicenseFile.set(file("../LICENSE.txt"))
    dependencyLicenseOverrides.put("com.salesforce:apex-jorje-lsp-minimized", file("../build-logic/common/gradle-modules/src/main/resources/licenses/BSD-3.txt"))
    dependencyLicenseOverrides.put("org.codehaus.woodstox:stax2-api", file("../build-logic/common/gradle-modules/src/main/resources/licenses/BSD-2.txt"))
}
```

shows that there is some issue in the existing logic, because org.codehaus.woodstox.stax2-api is already on the list and e.g. in sonar-go the wrong license is chosen: https://github.com/SonarSource/sonar-go-enterprise/blob/19952be1ac2d0f5de5f7b026a3b99edff11f4351/private/sonar-go-enterprise-plugin/src/main/resources/licenses/THIRD_PARTY_LICENSES/org.codehaus.woodstox.stax2-api-LICENSE.txt
@jonas-wielage-sonarsource would you like to investigate?
IMO there should be one mechanism for fixing invalid license information (with a smart default), and the one that is configurable is better.
When running the task I miss the logging on --info level: what licenses were chosen and why. Currently there are only logs from Gradle-License-Report.
> When running the task I miss the logging on --info level: what licenses were chosen and why. Currently there are only logs from Gradle-License-Report.

I added the missing logs in 24f58e1

The added logs look like this (example from sonar-apex):

```
Importing external dependency data. A total of 0 configured.
Applying dependency filters. A total of 0 configured.
Building report for project sonar-apex-plugin
com.eclipsesource.minimal-json:minimal-json: used bundled resource 'MIT.txt' for POM license 'MIT License'
com.fasterxml.woodstox:woodstox-core: used bundled resource 'Apache-2.0.txt' for POM license 'The Apache License, Version 2.0'
com.google.code.findbugs:jsr305: used bundled resource 'Apache-2.0.txt' for POM license 'The Apache Software License, Version 2.0'
com.salesforce:apex-jorje-lsp-minimized: used configured override 'BSD-3.txt'
commons-codec:commons-codec: copied packaged license 'commons-codec-1.18.0.jar/META-INF/LICENSE.txt'
javax.annotation:javax.annotation-api: copied packaged license 'javax.annotation-api-1.3.2.jar/META-INF/LICENSE.txt'
org.codehaus.woodstox:stax2-api: used configured override 'BSD-2.txt'
org.sonarsource.analyzer-commons:sonar-analyzer-commons: used bundled resource 'GNU-LGPL-3.txt' for POM license 'GNU LGPL 3'
org.sonarsource.analyzer-commons:sonar-xml-parsing: used bundled resource 'GNU-LGPL-3.txt' for POM license 'GNU LGPL 3'
xerces:xercesImpl: copied packaged license 'xercesImpl-2.12.2.jar/META-INF/LICENSE'
xml-apis:xml-apis: copied packaged license 'xml-apis-1.4.01.jar/license/LICENSE'
Dependency license report for project sonar-apex-plugin created in C:\Users\romain.birling\Documents\sonar-apex\sonar-apex-plugin\build\reports\dependency-license
Stored cache entry for task ':sonar-apex-plugin:generateLicenseReport' with cache key a28909eb19b13b44b2b4af78d0fccf12
Resolve mutations for :sonar-apex-plugin:generateLicenseResources (Thread[#613,included builds,5,main]) started.
:sonar-apex-plugin:generateLicenseResources (Thread[#613,included builds,5,main]) started.
```
> shows that there is some issue in the existing logic, because org.codehaus.woodstox.stax2-api is already on the list and e.g. in sonar-go the wrong license is chosen
I proposed a fix for this problem in a09a260
```kotlin
@Throws(IOException::class)
private fun copyOverriddenLicense(data: ModuleData): Status {
    val dependencyKey = "${data.group}:${data.name}"
```
I like the `:` as separator; most probably we should adapt the values in dependenciesWithUnusableLicenseFileInside and the logic in copyIncludedLicenseFromDependency()
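A sketch of the resolution order the --info logs above reflect, with the `group:name` key used consistently for overrides and for the unusable-packaged-license list, as the separator comment suggests. This is an added illustration, not the plugin's code: `ModuleData`, `Status`, `LicenseResolver`, the assumed precedence (override, then packaged license unless listed as unusable, then bundled resource by POM license name) and all sample modules, POM license names and jar paths are assumptions constructed for the example.

```kotlin
import java.io.File

// Assumed shapes, not the plugin's own types: only the fields the resolver needs.
data class ModuleData(val group: String, val name: String, val pomLicense: String?, val packagedLicense: File?)

// Each outcome carries the reason string the task would emit at --info level.
sealed class Status(val reason: String) {
    class Override(f: File) : Status("used configured override '${f.name}'")
    class Packaged(f: File) : Status("copied packaged license '${f.path}'")
    class Bundled(res: String, pom: String) : Status("used bundled resource '$res' for POM license '$pom'")
    object Unresolved : Status("no usable license found, needs manual review")
}

class LicenseResolver(
    private val overrides: Map<String, File>,          // dependencyLicenseOverrides, keyed "group:name"
    private val unusablePackaged: Set<String>,         // dependenciesWithUnusableLicenseFileInside, same key form
    private val bundledByPomName: Map<String, String>, // POM license name -> bundled resource file name
) {
    fun key(d: ModuleData) = "${d.group}:${d.name}"

    // Assumed precedence: explicit override, then the license shipped inside the jar
    // (skipped when the key is listed as unusable), then a bundled resource matched
    // on the POM license name. Anything else is reported rather than silently guessed.
    fun resolve(d: ModuleData): Status {
        val k = key(d)
        overrides[k]?.let { return Status.Override(it) }
        if (k !in unusablePackaged) d.packagedLicense?.let { return Status.Packaged(it) }
        val pom = d.pomLicense
        if (pom != null) bundledByPomName[pom]?.let { return Status.Bundled(it, pom) }
        return Status.Unresolved
    }
}

fun main() {
    // Constructed inputs: POM license names and jar paths are illustrative only.
    val resolver = LicenseResolver(
        overrides = mapOf("com.salesforce:apex-jorje-lsp-minimized" to File("BSD-3.txt")),
        unusablePackaged = setOf("org.codehaus.woodstox:stax2-api"),
        bundledByPomName = mapOf("MIT License" to "MIT.txt", "The BSD License" to "BSD-2.txt"),
    )
    val modules = listOf(
        ModuleData("com.salesforce", "apex-jorje-lsp-minimized", null, null),
        ModuleData("org.codehaus.woodstox", "stax2-api", "The BSD License", File("stax2-api.jar/META-INF/LICENSE")),
        ModuleData("com.eclipsesource.minimal-json", "minimal-json", "MIT License", null),
    )
    // Inside the Gradle task this would be logger.info(...) so it appears under --info.
    for (m in modules) println("${resolver.key(m)}: ${resolver.resolve(m).reason}")
}
```

Because stax2-api is listed under the same `group:name` key the overrides use, its packaged file is skipped and the bundled BSD-2 resource is chosen without needing a per-project override.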
b2bd9cf to 24f58e1