Qodana
 
2022.3
You are viewing the documentation for an earlier version of Qodana.
  1. Features
  2. License audit

License audit

Edit page Last modified: 22 December 2022

Making sure your project license is compatible with the licenses of its dependencies is never an easy task, but this is required for legal purposes. To automate this process and avoid mistakes, you can use the License audit feature currently supported by the following Qodana linters:

Depending on the linter, you can explore the JPS, Maven, Gradle, npm, yarn, pip and Composer projects. License audit reads information about project dependencies from the IntelliJ IDEA project model and package manager configuration files.

How it works

For example, a project is licensed under the Apache-2.0 license and uses three dependencies licensed under the MIT, GPL-2.0-only, and Apache-2.0 licenses. This table explains which dependency licenses are compatible with the project license.

Software

Licensed under

Compatible with the project license

Project software

Apache-2.0

Dependency A

MIT

Yes

Dependency B

GPL-2.0-only

No

Dependency C

Apache-2.0

Yes

After Qodana has finished analyzing your project, the results become available in the report.

Running License audit

After you enable License audit, you can also configure it to:

Enable License audit

To enable License audit, add these lines to the qodana.yaml file in your project root:

include:
  - name: CheckDependencyLicenses

Ignore dependencies

For some reasons, you may need to ignore a specific dependency in your project, which can be specified in qodana.yaml:

dependencyIgnores:
  - name: "dependency/name"

Allow or prohibit dependency licenses

You can override the license matrix and specify the list of dependency licenses that are allowed or prohibited for a specific project license.

In this snippet, the keys key accepts application licenses, and the allowed and prohibited keys accept the lists of allowed and prohibited dependency licenses respectively. As a result, the AGPL-3.0-only becomes compatible with the AFL-2.0 project license, while the Apache-1.0 dependency license becomes incompatible.

licenseRules:
  - keys:
      - "AFL-2.0"
    allowed:
      - "AGPL-3.0-only"
    prohibited:
      - "Apache-1.0"

tip

All keys from this sample can accept several values.

Override a dependency license

You can override a dependency license identifier. This can be useful when a dependency is dual-licensed and you want to omit some license, or when the license name cannot be detected from the dependency sources correctly.

Using this sample, Qodana will detect only the CDDL-1.1 and GPL-2.0-with-classpath-exception licenses for jaxb-runtime version 2.3.1.

dependencyOverrides:
  - name: "jaxb-runtime"
    version: "2.3.1"
    url: "https://github.com/javaee/jaxb-v2"
    licenses:
      - key: "CDDL-1.1"
        url: "https://github.com/javaee/jaxb-v2/blob/master/LICENSE"
      - key: "GPL-2.0-with-classpath-exception"
        url: "https://github.com/javaee/jaxb-v2/blob/master/LICENSE"

Create custom dependencies

If you want to include the dependency that should be mentioned in the report but is impossible to detect from the project sources, you can use the customDependencies key to specify it:

customDependencies:
  - name: ".babelrc JSON Schema (.babelrc-schema.json)"
    version: "JSON schema for Babel 6+ configuration files"
    licenses:
      - key: "Apache-2.0"
        url: "https://github.com/SchemaStore/schemastore/blob/master/LICENSE"

Verifying data

Open the Qodana report and click the Project audit tab to see the inspection results.

The License audit tab

This tab contains several other tabs:

  • Languages enumerates all technologies currently supported by Qodana

  • Translators lists all technologies that were involved for inspecting the codebase

  • Project License contains information about the license used in the project

  • Third-party licenses lists all project dependencies and the licenses they use including dependencies that cannot be used under the current project license.

    The Third-party licenses tab

    If you want to filter the list by dependencies that cannot be used under the current project license, you can enable the Only alerted switch.

    The Only alerted switch

  • License rules contains the table of license compatibility.

    The License rules tab

    The Project license column lists license names, while the Allowed licenses and the Prohibited licenses columns list the licenses that are compatible and incompatible with the license respectively. This can be helpful when you need to override licenses.