SONARGO-768 Wrong license file for "stax2-api"

[mstachniuk]

No description provided.

[sonar-review-alpha]

Summary

Fixes incorrect license mapping for 'stax2-api' and other dependencies by replacing a hardcoded blacklist with a configurable override system. The change allows projects to specify custom license files for problematic dependencies while providing sensible defaults. License resolution now follows a clear priority: configured overrides → default overrides → packaged license → POM-based lookup.

What reviewers should know

The main logic is in AnalyzerLicensingPackagingRenderer.kt where generateDependencyFile() now checks overrides first before falling back to other methods. The stax2-api fix is in the defaultDependencyLicenseOverrides map (now BSD-2 instead of blacklisted). Note the dependency key format changed from 'group.name' to 'group:name' (Maven convention) throughout. New logging explains which override path was taken for each dependency, and a warning appears when multiple licenses are found in POM data. The Gradle plugin passes the new dependencyLicenseOverrides config through to the renderer.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonarqube-next]

Quality Gate passed for 'cloud-native-gradle-modules'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[mstachniuk]

Successful usage: https://github.com/SonarSource/sonar-go-enterprise/pull/702

[jonas-wielage-sonarsource]

LGTM! Nice addition to the licensing :)