License audit
Making sure that your project license is compatible with the licenses of its dependencies is never an easy task, but this is required for legal purposes. To automate this process and avoid mistakes, you can use the license audit feature currently supported by several Qodana linters:
License audit is supported for projects that use the following dependency management tools:

- Maven and Gradle
- Composer
- npm and Yarn
- pip
- Go Modules
- NuGet
This feature is available under the Ultimate Plus license (and its trial version) and is enabled by default.
License audit collects information about project and dependency licenses using configuration files of dependency management tools and files containing license texts. Based on the information collected, it builds the dependency tree containing information about:
The project license.
Licenses for project dependencies.
Licenses of the dependencies invoked by project dependencies.
This tree shows which dependency licenses are (in)compatible with your project license.
For example, a project is licensed under the Apache-2.0 license and uses three dependencies licensed under the MIT, GPL-2.0-only, and Apache-2.0 licenses. This table explains which dependency licenses are compatible with the project license.
Software | Licensed under | Compatible with the project license |
---|---|---|
Project software | Apache-2.0 | — |
Dependency A | MIT | Yes |
Dependency B | GPL-2.0-only | No |
Dependency C | Apache-2.0 | Yes |
Tip: You can specify dependency licenses manually using the dependencyOverrides option described later on this page.
Note: If a project root contains several license files, the file named LICENSE.* receives the highest priority, and License audit uses its text as the project license text.
Depending on where the license information is located, the Qodana for JVM linter searches for it in the following order:

1. License references in the LICENSE.* files.
2. The pom.xml file.
3. If necessary, the dependency source files.
4. Otherwise, the PACKAGE-SEARCH plugin (disabled by default starting from version 2024.1; see the enablePackageSearch option below).
The Qodana for JS linter using npm reads project and dependency license information from the configuration files of the package management tools. The Qodana for PHP linter likewise reads license information from the Composer configuration file.

The Qodana for Python, Qodana for Go, and Qodana for JS (Yarn) linters require that the LICENSE.* file in the project root contains the project license.

For all linters except Qodana for JVM, the project dependencies must also be installed before analysis; do this with the bootstrap key of the qodana.yaml file.
After Qodana has finished analyzing your project, the results become available in the report.
Note: When configuring inspection scopes, make sure that the file containing the build configuration is included in the scope, because License audit reads dependency information from it.
Starting from version 2024.1 of Qodana, License audit is enabled by default. Its results appear in the License audit tab of the Qodana report. To show them in the Actual problems tab as well, enable the raiseLicenseProblems option in the configuration file:

```yaml
raiseLicenseProblems: true
```
To disable License audit, exclude the CheckDependencyLicenses inspection in the configuration file, for example:

```yaml
exclude:
  - name: CheckDependencyLicenses
```
Starting from version 2024.1 of Qodana, package-search is disabled by default because of inaccurate results and performance issues. To enable package-search, set the enablePackageSearch option in the configuration file:

```yaml
enablePackageSearch: true
```
In the configuration file, you can use the dependencyIgnores option to ignore the license of a specific dependency in your project:

```yaml
dependencyIgnores:
  - name: "aapt2-proto"
  - name: "dexlib2"
```
In the configuration file, you can override the license matrix and specify which dependency licenses are allowed or prohibited for a specific project license.

In this snippet, the keys key accepts project (application) licenses, and the allowed and prohibited keys accept the lists of allowed and prohibited dependency licenses respectively. As a result, the AGPL-3.0-only dependency license becomes compatible with the AFL-2.0 project license, while the Apache-1.0 dependency license becomes incompatible with it.

```yaml
licenseRules:
  - keys:
      - "AFL-2.0"
    allowed:
      - "AGPL-3.0-only"
    prohibited:
      - "Apache-1.0"
```
All keys in this sample accept several values:

```yaml
licenseRules:
  - keys:
      - "PROPRIETARY-LICENSE"
    allowed: ["CC0-1.0", "CPL-1.0", "CC-BY-4.0", "EPL-1.0", "CDDL-1.0"]
```
In the configuration file, you can override a dependency license identifier. This is useful when a dependency is dual-licensed and you want to leave out one of the licenses, or when the license name cannot be detected correctly from the dependency sources.

With this sample, Qodana reports only the CDDL-1.1 and GPL-2.0-with-classpath-exception licenses for jaxb-runtime version 2.3.1. In this sample, url is optional.

```yaml
dependencyOverrides:
  - name: "jaxb-runtime"
    version: "2.3.1"
    url: "https://github.com/javaee/jaxb-v2"
    licenses:
      - key: "CDDL-1.1"
        url: "https://github.com/javaee/jaxb-v2/blob/master/LICENSE"
      - key: "GPL-2.0-with-classpath-exception"
        url: "https://github.com/javaee/jaxb-v2/blob/master/LICENSE"
```
If a dependency should appear in the report but cannot be detected from the project sources, use the customDependencies key in the configuration file to declare it:

```yaml
customDependencies:
  - name: ".babelrc JSON Schema (.babelrc-schema.json)"
    version: "JSON schema for Babel 6+ configuration files"
    licenses:
      - key: "Apache-2.0"
        url: "https://github.com/SchemaStore/schemastore/blob/master/LICENSE"
```
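The following qodana.yaml combines the License audit options described on this page into one working configuration for a non-JVM project. It is an added example, not a file from the Qodana documentation or from any project: the linter image, the bootstrap command, the dependency names and the license URLs are assumptions chosen for illustration, and the licenseRules entry deliberately mirrors the Apache-2.0 example table above.

```yaml
# qodana.yaml (added example, not from the Qodana documentation).
# Assumed values: the linter image, the bootstrap command, and the dependency
# names and URLs used in the ignores/overrides/customDependencies sections.
version: "1.0"
linter: jetbrains/qodana-js:2024.1   # assumed; any non-JVM linter needs installed dependencies

# Non-JVM linters read license information from installed packages,
# so install the project dependencies before analysis starts.
bootstrap: npm ci

# Report license problems in the Actual problems tab as well as in the
# License audit tab (License audit itself is on by default since 2024.1).
raiseLicenseProblems: true

# package-search is disabled by default since 2024.1 because of inaccurate
# results and performance issues; leave it off unless you need it.
enablePackageSearch: false

# Dependencies whose license should not be checked at all (assumed names).
dependencyIgnores:
  - name: "left-pad"

# Extend the license matrix for the Apache-2.0 project license:
# MIT and BSD-3-Clause dependencies are allowed, GPL-2.0-only is prohibited.
licenseRules:
  - keys: ["Apache-2.0"]
    allowed: ["MIT", "BSD-3-Clause"]
    prohibited: ["GPL-2.0-only"]

# A dual-licensed dependency pinned to the one license actually used
# (assumed dependency name, version and URL).
dependencyOverrides:
  - name: "example-dual-licensed"
    version: "1.2.3"
    licenses:
      - key: "MIT"
        url: "https://example.com/example-dual-licensed/LICENSE"

# A vendored file that cannot be discovered from the package manager
# configuration but must still appear in the report (assumed name and URL).
customDependencies:
  - name: "vendored-helper.js"
    version: "0.1.0"
    licenses:
      - key: "BSD-2-Clause"
        url: "https://example.com/vendored-helper/LICENSE"
```

Keep the build configuration file (package.json here) inside the inspection scope, otherwise License audit has no dependency information to read. To switch License audit off entirely, replace the options above with the exclude entry for CheckDependencyLicenses shown earlier.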
To view license audit results, in the inspection report click the License audit tab.
License audit inspection results are grouped into a dependency tree.
If applicable, you can expand a specific dependency to see its dependency tree.
Using Only alerted, you can switch between all project dependencies and only those dependencies whose licenses are incompatible with the project license.
In the Licenses section, you can find the list of project, module and dependency licenses. Using Open license rules, you can view the rules of license compatibility.
You can download the list of licenses in various formats.