License audit

Making sure that your project license is compatible with the licenses of its dependencies is never an easy task, but this is required for legal purposes. To automate this process and avoid mistakes, you can use License audit currently supported by several Qodana linters:

Linter	Tools supported
Qodana for JVM	Maven and Gradle
Qodana for PHP	Composer
Qodana for JS	npm and Yarn
Qodana for Python	pip
Qodana for Go	Go Modules

How it works

License audit collects information about project and dependency licenses using configuration files of dependency management tools and files containing license texts. Based on the information collected, it builds the dependency tree containing information about:

The project license
Licenses of project dependencies
Licenses of the dependencies invoked by project dependencies

This tree shows which dependency licenses are (in)compatible with your project license.

For example, a project is licensed under the Apache-2.0 license and uses three dependencies licensed under the MIT, GPL-2.0-only, and Apache-2.0 licenses. This table explains which dependency licenses are compatible with the project license.

Software	Licensed under	Compatible with the project license
Project software	Apache-2.0	—
Dependency A	MIT	Yes
Dependency B	GPL-2.0-only	No
Dependency C	Apache-2.0	Yes

Depending on the location of license information, the Qodana for JVM linter performs a sequence of steps to find it. First of all, it searches for any license references in the LICENSE.* files. Next, it scans through the pom.xml file. If necessary, it then scans through dependency source files. Otherwise, the linter requests the PACKAGE-SEARCH plugin.

The Qodana for JS linter using npm reads information about project and dependency licenses using configuration files of package management tools. The Qodana for PHP linter also reads license information from the Composer configuration file.

The Qodana for Python, Qodana for Go, and Qodana for JS linter using Yarn require that the LICENSE.* file in the project root contains the project license.

For all linters except Qodana for JVM, you also need to have project dependencies installed using the bootstrap option of the qodana.yaml file.

After Qodana has finished analyzing your project, the results become available in the report.

Run License audit

To run License audit, enable the CheckDependencyLicenses inspection.

Below are the qodana.yaml configuration samples that tell Qodana to install project dependencies and enable License audit:

include:
  - name: CheckDependencyLicenses

bootstrap: |+
  # Install dependencies
  php composer.phar update

include:
  - name: CheckDependencyLicenses

bootstrap: |+
  # Use npm to install dependencies
  npm install

  # Install Yarn
  npm install -g yarn

  # Use Yarn to install dependencies
  yarn install --frozen-lockfile

include:
  - name: CheckDependencyLicenses

bootstrap: |+
  # Install dependencies
  pip install -r requirements.txt

include:
  - name: CheckDependencyLicenses

bootstrap: |+
  # Install dependencies
  go mod tidy

include:
  - name: CheckDependencyLicenses

You can also extend these samples using configuration options described below.

Ignore dependencies

You can use the dependencyIgnores option to ignore a license of a specific dependency in your project:

dependencyIgnores:
  - name: "aapt2-proto"
  - name: "dexlib2"

Allow or prohibit dependency licenses

You can override the license matrix and specify the list of dependency licenses that are allowed or prohibited for a specific project license.

In this snippet, the keys key accepts application licenses, and the allowed and prohibited keys accept the lists of allowed and prohibited dependency licenses respectively. As a result, the AGPL-3.0-only becomes compatible with the AFL-2.0 project license, while the Apache-1.0 dependency license becomes incompatible.

licenseRules:
  - keys:
      - "AFL-2.0"
    allowed:
      - "AGPL-3.0-only"
    prohibited:
      - "Apache-1.0"

All keys from this sample can accept several values:

licenseRules:
  - keys:
    - "PROPRIETARY-LICENSE"
    allowed: ["CC0-1.0", "CPL-1.0", "CC-BY-4.0", "EPL-1.0", "CDDL-1.0"]

Override a dependency license

You can override a dependency license identifier. This can be useful when a dependency is dual-licensed, and you want to omit some license, or when the license name cannot be detected from the dependency sources correctly.

Using this sample, you can tell Qodana to detect only the CDDL-1.1 and GPL-2.0-with-classpath-exception licenses for jaxb-runtime version 2.3.1.

In this sample, url is optional.

dependencyOverrides:
  - name: "jaxb-runtime"
    version: "2.3.1"
    url: "https://github.com/javaee/jaxb-v2"
    licenses:
      - key: "CDDL-1.1"
        url: "https://github.com/javaee/jaxb-v2/blob/master/LICENSE"
      - key: "GPL-2.0-with-classpath-exception"
        url: "https://github.com/javaee/jaxb-v2/blob/master/LICENSE"

Create custom dependencies

If you want to include the dependency that should be mentioned in the report but is impossible to detect from the project sources, you can use the customDependencies key to specify it:

customDependencies:
  - name: ".babelrc JSON Schema (.babelrc-schema.json)"
    version: "JSON schema for Babel 6+ configuration files"
    licenses:
      - key: "Apache-2.0"
        url: "https://github.com/SchemaStore/schemastore/blob/master/LICENSE"

Verify data

To overview License audit results, in the inspection report click the Project audit tab.

License audit inspection results are grouped into a dependency tree.

If applicable, you can expand a specific dependency to overview its dependency tree.
Using Only alerted, you can switch between all project dependencies and dependencies which licenses are incompatible with the project license.
Under Project licenses you can find the list of project licenses. Using License rules, you can overview the rules of license compatibility.
You can download the list of dependencies in various formats.

Last modified: 09 June 2023