• Stars
    star
    152
  • Rank 244,685 (Top 5 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created about 8 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SonarQube Licensecheck Plugin

SonarQube License-Check

Sonarcloud Status

This SonarQube plugin ensures that projects use dependencies with compliant licenses. All dependencies and licenses can be viewed per projects and exported to Excel 2003 XML Format. This enables a simple governance of dependencies and licenses for the whole organization.

License

This software is licensed under the Apache Software License, Version 2.0

Table of Contents

Features

Analysis

The plugin scans for dependencies defined in your project including all transitive dependencies.

Currently, supported formats are:

  • Maven POM files - all dependencies with scope "compile" and "runtime" are checked
  • Gradle projects which use JK1 plugin
  • NPM package.json files - all dependencies (except "devDependencies") are checked
    • Note that transitive dependencies are not scanned unless licensecheck.npm.resolvetransitive is set to true.

      Transitive

Project Dashboard

The plugin contains a project dashboard showing a list of dependencies with version and a list of all used licences. Each table shows the status of the license (allowed, not allowed, not found). You can also export the data to Excel.

Project Dashboard

Compatibility

This plugin is compatible:

  • 5.x version with 8.9 LTS and < 10 (9.x is compatible)
  • 4.x version with SonarQube 8.x
  • 3.x version with SonarQube >= 7.9 LTS and < 8.
  • 2.x version with SonarQube >= 6.5 and < 7.
  • 1.x versions with SonarQube >= 5.3 and < 6.

For all changes see CHANGELOG.md

Installation

Put the pre-built jar-file (from release downloads) in the directory $SONARQUBE_HOME/extensions/plugins and restart the server to install the plugin. Activate the rules of this plugin ("License is not allowed", "Dependency has unknown license") in your SonarQube quality profiles - otherwise the plugin is not executed.

Configuration

After booting the SonarQube Server with the License-Check Plugin be found in the tab Administration or also in the Configuration -> LicenseCheck drop down menu.

Configuration via Administration Tab

  • Within the General Settings and License Check you find the settings for the plugin.
  • Within the general settings the plugin can be manually enabled or disabled. By default, it is enabled.
    • Under "Dependency Mapping" you can map a dependency name/key (with regex) to a license, e.g. ^asm:asm$ to "BSD-3-Clause"

    • Under "License Mapping" you can map a license name (with regex) to a license, e.g. .*Apache.*2.* to "Apache-2.0".

      License Configuration1

    • Under "Licenses" you can allow or disallow licenses globally and add/edit the list of known licenses.

      License Configuration2

    • Under "Project Licenses" you can allow and disallow licenses for a specific project.

      License Configuration2

Configuration via License Menu

Administration -> Configuration(dropdown) -> License Check

alternative License Configuration1

  • Under "Licenses" you can allow or disallow licenses globally and add/edit the list of known licenses.

    alternative License Configuration2

    alternative License Configuration3

  • Under "Project Licenses" you can allow and disallow licenses for a specific project.

    alternative License Configuration4

    alternative License Configuration5

  • Under "Dependency Mapping" you can map a dependency name/key (with regex) to a license, e.g. ^asm:asm$ to "BSD-3-Clause"

    alternative License Configuration6

    alternative License Configuration7

  • Under "License Mappings" you can map a license name (with regex) to a license, e.g. .*Apache.*2.* to "Apache-2.0".

    alternative License Configuration8

    alternative License Configuration9

Activation rules in Quality Profile

You have to activate the new rules in a (new) quality profile, for each supported language (Groovy, Kotlin, Java, JavaScript, TypeScript) And you have to use this profile for your project.

  1. Step 1

    activate 1

  2. Step 2

    activate 2

  3. Step 3

    activate 3

  4. Step 4

    activate 4

  5. Step 5

    activate 5

  6. Step 6

    activate 6

  7. Step 7

    activate 7

Execution

When a project is analyzed using the mvn sonar:sonar in command line the extension is started automatically.

Please make sure to have all dependencies installed before launching the SonarQube analysis. So your complete build should look something like this:

mvn -B org.jacoco:jacoco-maven-plugin:prepare-agent install org.jacoco:jacoco-maven-plugin:report
mvn -B sonar:sonar

Supported Languages

Groovy, Kotlin, Java, JavaScript, TypeScript

Supported Project Types

Maven + NPM

When using Maven and a Javascript Package Manager, define the sonar.sources property to point to the files which contain dependency information.

...
<properties>
  <sonar.sources>pom.xml,package.json</sonar.sources>
<properties>
...

Maven

Maven works if your project/module has a pom.xml on its root level (running with Maven, Gradle or SonarScanner).

NPM

NPM works if your project/module has a package.json on its root level (running with Maven, Gradle or SonarScanner).

Gradle

Gradle project should use JK1 plugin https://github.com/jk1/Gradle-License-Report

Note: Please check above link for instructions or follow as mentioned below

Step1: Update build.gradle file with following code for using JK1 plugin

import com.github.jk1.license.filter.LicenseBundleNormalizer
import com.github.jk1.license.render.JsonReportRenderer

plugins {
  id 'com.github.jk1.dependency-license-report' version '1.13'
}

licenseReport {
    allowedLicensesFile = new File("$projectDir/src/main/resources/licenses/allowed-licenses.json")
    renderers = new JsonReportRenderer('license-details.json', false)
    filters = [new LicenseBundleNormalizer()]
}

Step 2: Update build.gradle file with following code for using SonarQube plugin

plugins {
    id 'org.sonarqube' version "3.0"
}

jar {
    enabled = true
}

sonarqube {
    properties {
        property "sonar.host.url", "http://localhost:9000"
    }
}

Step 3: run following command to generate your report license-details.json in build/reports/dependency-license

> gradle generateLicenseReport

Step 4: run following command for SonarQube

> gradle sonarqube

Configuration via Sonar API

You can also use the Sonar API to configure the plugin.

Plugin Activation

  • Get the setting

    curl -X GET -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/values?keys=licensecheck.activation"
    
  • Enable

    curl -X POST -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/set?key=licensecheck.activation&value=true"
    
  • Disable

    curl -X POST -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/set?key=licensecheck.activation&value=false"
    

Global License Settings

  • Get the setting
    curl -X GET -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/values?keys=licensecheck.license-set"
    

Project License Settings

  • Get the setting
curl -X GET -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/values?keys=licensecheck.project-license-set"

License Mapping

  • Get the setting

    curl -X GET -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/values?keys=licensecheck.license-mapping"
    

Dependency Mapping

  • Get the setting

    curl -X GET -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/values?keys=licensecheck.dep-mapping"
    

NPM Transitive setting

  • Get the setting

    curl -X GET -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/values?keys=licensecheck.npm.resolvetransitive"
    
  • Enable

    curl -X POST -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/set?key=licensecheck.npm.resolvetransitive&value=true"
    
  • Disable

    curl -X POST -v -u USERNAME:PASSWORD "http://localhost:9000/api/settings/set?key=licensecheck.npm.resolvetransitive&value=false"
    

More Repositories

1

clarity-addons

Addons to Clarity Design System
TypeScript
80
star
2

cucumber-report-db

Stores results of BDD tests with Cucumber-JVM in a database and provides reporting capabilities
Java
17
star
3

angular-spring-heroes

Demo application for Angular and Spring Boot
Java
11
star
4

angular-spring-tutorial

Tutorial showing simple Todo app withj AngularJS and Spring backend
Java
10
star
5

material-addons

Material-Addons is an addon to Angular Material which is based on the Material Design system.
TypeScript
10
star
6

tapestry-csrf-protection

Tapestry CSRF Protection
Java
9
star
7

sonar-find-sec-bugs-plugin

Find Security Bugs Sonar Plugin
Java
8
star
8

tapestry-jaxws

Tapestry JAX-WS Integration
Java
8
star
9

tapestry-conversation

Tapestry Conversation and Window State Handling
Java
6
star
10

selenium-components

A small framework on top of Selenium to access web elements more easily.
Java
5
star
11

weblate-spring

Provides a Spring MessageSource backed by a Weblate Server.
Java
5
star
12

sonar-dependency-check-plugin

Sonar Dependency Check Plugin
Java
4
star
13

anti-mapper

Simple helpers for Java object mapping
Java
3
star
14

tapestry-component-extension

Dynamically inject components
Java
3
star
15

zanata-spring

Provides a Spring MessageSource backed by a Zanata Server.
Java
3
star
16

openshift-backup

Backup script for projects and databases in OpenShift Container Platform v3
Shell
2
star
17

hibernate-spring-tutorial

Hibernate Spring Tutorial
Java
1
star
18

spring-workshop

Spring Workshop (Hibernate (SessionFactory, EntityManager, Spring Data), Spring Configuration, Spring Batch, Spring WebServices)
Java
1
star
19

pnet-idp-client

Showcase for the client side of single sign on via the Patner.Net Identity Provider
Java
1
star
20

terraform-azurerm-aks

Terraform Module for AKS
HCL
1
star