From 9e8c16f313cc771bb513e9b844e1bf9fe2d9c67c Mon Sep 17 00:00:00 2001 
From: Ludy Date: Mon, 3 Feb 2025 11:13:02 +0100 Subject: [PATCH] checks the compatibility of the licenses (#2844) # Description of Changes ### What was changed - An **automated license check** was integrated into the CI/CD workflow (`build.yml` and `licenses-update.yml`). - A new file, `allowed-licenses.json`, was added to explicitly define the permitted licenses. - The **Gradle build process** was updated to run `checkLicense` and detect any non-compliant licenses. ### Why the change was made - **Improved license compliance** to ensure only compatible licenses are used. - **Automated license validation** within the CI/CD workflow to detect potential incompatibilities early. - **Legal risk mitigation** by excluding problematic licenses like **GPL-2.0 (without Classpath Exception)**. ### Any challenges encountered - The **allowed license list had to be manually curated** to ensure all relevant open-source libraries were covered. - Some dependencies use **slightly different license names** (e.g., `"Apache License, Version 2.0"` vs. `"Apache-2.0"`), which needed to be handled in the validation process. 
--- ## Checklist ### General - [x] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [x] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md) (if applicable) - [x] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md) (if applicable) - [x] I have performed a self-review of my own code - [x] My changes generate no new warnings ### Documentation - [x] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [x] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#6-testing) for more details. --- .github/workflows/build.yml | 29 +++++ .github/workflows/licenses-update.yml | 15 ++- allowed-licenses.json | 164 ++++++++++++++++++++++++++ build.gradle | 3 +- 4 files changed, 207 insertions(+), 4 deletions(-) create mode 100644 allowed-licenses.json diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b53f1c43..edb9aaa5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -64,6 +64,35 @@ jobs: build/reports/problems/ retention-days: 3
+ check-licence:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ with:
+ egress-policy: audit
+
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+ with:
+ java-version: "17"
+ distribution: "adopt"
+
+ - name: check the licenses for compatibility
+ run: ./gradlew clean checkLicense
+
+ - name: FAILED - check the licenses for compatibility
+ if: failure()
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ with:
+ name: dependencies-without-allowed-license.json
+ path: |
+ build/reports/dependency-license/dependencies-without-allowed-license.json
+ retention-days: 3
+ docker-compose-tests: # if: github.event_name == 'push' && github.ref == 'refs/heads/main' || # (github.event_name == 'pull_request' &&
diff --git a/.github/workflows/licenses-update.yml b/.github/workflows/licenses-update.yml
index d2206f1f..dd213b3c 100644
--- a/.github/workflows/licenses-update.yml
+++ b/.github/workflows/licenses-update.yml
@@ -28,7 +28,7 @@ jobs: with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - + - name: Check out code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
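Review bot: The `Set up JDK 17` step of the new `check-licence` job uses `distribution: "adopt"`, which actions/setup-java documents as deprecated since AdoptOpenJDK moved to Eclipse Adoptium; `distribution: "temurin"` yields the same JDK line from a maintained channel. The job also runs `./gradlew` without `gradle/actions/setup-gradle`, unlike the `licenses-update.yml` job touched later in this commit, so it gets no dependency cache and, in setup-gradle v4, no default wrapper-checksum validation — worth aligning if the other jobs in build.yml (outside this hunk) use it. The SHA-pinned actions and the harden-runner step are good; because this job resolves every dependency, `egress-policy: audit` will at least record the hosts the Gradle build reaches, which is the data needed to move to `block` later.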
@@ -40,8 +40,17 @@ jobs: - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
- - name: Run Gradle Command
- run: ./gradlew clean generateLicenseReport
+ - name: check the licenses for compatibility
+ run: ./gradlew clean checkLicense
+
+ - name: FAILED - check the licenses for compatibility
+ if: failure()
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ with:
+ name: dependencies-without-allowed-license.json
+ path: |
+ build/reports/dependency-license/dependencies-without-allowed-license.json
+ retention-days: 3 - name: Move and Rename License File run: |
diff --git a/allowed-licenses.json b/allowed-licenses.json
new file mode 100644
index 00000000..12d82d48
--- /dev/null
+++ b/allowed-licenses.json
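Review bot: Replacing `./gradlew clean generateLicenseReport` with `./gradlew clean checkLicense` makes the following `Move and Rename License File` step (just past this hunk) depend on `checkLicense` also producing the report it moves; as far as I know the plugin's `checkLicense` task depends on `generateLicenseReport`, but one end-to-end run of this workflow should confirm the report still lands at the path that step expects. When the check fails, the workflow stops before the report is moved and the license PR is opened, so a single non-compliant dependency now suspends all license-report updates until it is resolved; if that is intended, say so on the step, e.g. `# A failed license check deliberately aborts the report update`. The `FAILED` artifact step is a verbatim copy of the one in build.yml, so any later tweak to the path or retention must be made in both places.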
@@ -0,0 +1,164 @@
+{
+ "allowedLicenses": [
+ {
+ "moduleName": ".*",
+ "moduleLicense": "BSD License"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "The BSD License"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "BSD-2-Clause"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "BSD 2-Clause License"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "The 2-Clause BSD License"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "BSD-3-Clause"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "The BSD 3-Clause License (BSD3)"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "BSD-4 License"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "MIT"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "MIT License"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "The MIT License"
+ },
+ {
+ "moduleName": "com.github.jai-imageio:jai-imageio-core",
+ "moduleLicense": "LICENSE.txt"
+ },
+ {
+ "moduleName": "com.github.jai-imageio:jai-imageio-jpeg2000",
+ "moduleLicense": "LICENSE-JJ2000.txt, LICENSE-Sun.txt"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Apache 2"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Apache 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Apache-2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Apache-2.0 License"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Apache License 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Apache License Version 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Apache License, Version 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "The Apache License, Version 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "The Apache Software License, Version 2.0"
+ },
+ {
+ "moduleName": "com.nimbusds:oauth2-oidc-sdk",
+ "moduleLicense": "\"Apache License, version 2.0\";link=\"https://www.apache.org/licenses/LICENSE-2.0.html\""
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "MPL 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "UnboundID SCIM2 SDK Free Use 
License"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "GPL2 w/ CPE"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "GPLv2+CE"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "GNU GENERAL PUBLIC LICENSE, Version 2 + Classpath Exception"
+ },
+ {
+ "moduleName": "com.martiansoftware:jsap",
+ "moduleLicense": "LGPL"
+ },
+ {
+ "moduleName": "org.hibernate.orm:hibernate-core",
+ "moduleLicense": "GNU Library General Public License v2.1 or later"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Eclipse Public License - v 1.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Eclipse Public License v. 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Eclipse Public License - v 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Eclipse Public License - Version 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Eclipse Public License, Version 2.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Ubuntu Font Licence 1.0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Bouncy Castle Licence"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "Public Domain, per Creative Commons CC0"
+ },
+ {
+ "moduleName": ".*",
+ "moduleLicense": "The W3C License"
+ }
+ ]
+}
diff --git a/build.gradle b/build.gradle
index 4f4f3e32..926872db 100644
--- a/build.gradle
+++ b/build.gradle
@@ -41,6 +41,7 @@ repositories { licenseReport { renderers = [new JsonReportRenderer()]
+ allowedLicensesFile = new File("$projectDir/allowed-licenses.json") } sourceSets {
@@ -366,7 +367,7 @@ dependencies { exclude group: "commons-logging", module: "commons-logging" } implementation "org.apache.pdfbox:preflight:$pdfboxVersion" - + implementation ("org.apache.pdfbox:xmpbox:$pdfboxVersion") { exclude group: "commons-logging", module: "commons-logging"
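Review bot: All entries in `allowed-licenses.json` except the five module-scoped ones use `"moduleName": ".*"`, and `moduleLicense` is compared against the license name a dependency's own POM declares, so the check accepts any artifact whose metadata simply says `MIT` or `Apache 2.0` — it is a compliance guard against declared licenses, not a verification of the actual license text or of transitive bundling. The two `jai-imageio` entries accept bare file names (`LICENSE.txt`, `LICENSE-JJ2000.txt, LICENSE-Sun.txt`) and the `com.nimbusds:oauth2-oidc-sdk` entry accepts a quoted `;link=` string; since JSON has no comments, the PR description or the developer guide should record which license each of these was verified to be, otherwise a later reader cannot tell whether they were reviewed or merely allow-listed to make the build pass. If the plugin treats `moduleLicense` as a regular expression (as the `.*` patterns suggest it does for `moduleName`), the unescaped parentheses in `The BSD 3-Clause License (BSD3)` and `(CDDL) Version 1.0` would not match the literal names; running the check against a dependency that declares one of those exact strings would settle which matching mode is in effect.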
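Review bot: `allowedLicensesFile = new File("$projectDir/allowed-licenses.json")` builds the path by string interpolation, where Gradle's `file()` helper already resolves relative paths against the project directory and is the idiomatic form: `allowedLicensesFile = file("allowed-licenses.json")`. The result is the same for the root project, so this is a point of style only. The second `build.gradle` hunk in this commit is a whitespace-only change and is cut off at the end of the chunk.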