checks the compatibility of the licenses (#2844)

# Description of Changes ### What was changed - An **automated license check** was integrated into the CI/CD workflow (`build.yml` and `licenses-update.yml`). - A new file, `allowed-licenses.json`, was added to explicitly define the permitted licenses. - The **Gradle build process** was updated to run `checkLicense` and detect any non-compliant licenses. ### Why the change was made - **Improved license compliance** to ensure only compatible licenses are used. - **Automated license validation** within the CI/CD workflow to detect potential incompatibilities early. - **Legal risk mitigation** by excluding problematic licenses like **GPL-2.0 (without Classpath Exception)**. ### Any challenges encountered - The **allowed license list had to be manually curated** to ensure all relevant open-source libraries were covered. - Some dependencies use **slightly different license names** (e.g., `"Apache License, Version 2.0"` vs. `"Apache-2.0"`), which needed to be handled in the validation process. --- ## Checklist ### General - [x] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [x] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md) (if applicable) - [x] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md) (if applicable) - [x] I have performed a self-review of my own code - [x] My changes generate no new warnings ### Documentation - [x] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [x] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#6-testing) for more details.
2025-02-07 00:17:07 +01:00 · 2025-02-03 11:13:02 +01:00 · 2025-02-03 11:13:02 +01:00 · 9e8c16f313
commit 9e8c16f313
parent 4a7df3fd3f
4 changed files with 207 additions and 4 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -64,6 +64,35 @@ jobs:
            build/reports/problems/
          retention-days: 3
  check-licence:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up JDK 17
        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          java-version: "17"
          distribution: "adopt"
      - name: check the licenses for compatibility
        run: ./gradlew clean checkLicense
      - name: FAILED - check the licenses for compatibility
        if: failure()
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: dependencies-without-allowed-license.json
          path: |
            build/reports/dependency-license/dependencies-without-allowed-license.json
          retention-days: 3
  docker-compose-tests:
    # if: github.event_name == 'push' && github.ref == 'refs/heads/main' ||
    #     (github.event_name == 'pull_request' &&
--- a/.github/workflows/licenses-update.yml
+++ b/.github/workflows/licenses-update.yml
@ -28,7 +28,7 @@ jobs:
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          
+
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -40,8 +40,17 @@ jobs:
      - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
-      - name: Run Gradle Command
+      - name: check the licenses for compatibility
-        run: ./gradlew clean generateLicenseReport
+        run: ./gradlew clean checkLicense
      - name: FAILED - check the licenses for compatibility
        if: failure()
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: dependencies-without-allowed-license.json
          path: |
            build/reports/dependency-license/dependencies-without-allowed-license.json
          retention-days: 3
      - name: Move and Rename License File
        run: |
--- a/allowed-licenses.json
+++ b/allowed-licenses.json
@ -0,0 +1,164 @@
 {
  "allowedLicenses": [
    {
      "moduleName": ".*",
      "moduleLicense": "BSD License"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "The BSD License"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "BSD-2-Clause"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "BSD 2-Clause License"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "The 2-Clause BSD License"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "BSD-3-Clause"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "The BSD 3-Clause License (BSD3)"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "BSD-4 License"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "MIT"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "MIT License"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "The MIT License"
    },
    {
      "moduleName": "com.github.jai-imageio:jai-imageio-core",
      "moduleLicense": "LICENSE.txt"
    },
    {
      "moduleName": "com.github.jai-imageio:jai-imageio-jpeg2000",
      "moduleLicense": "LICENSE-JJ2000.txt, LICENSE-Sun.txt"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Apache 2"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Apache 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Apache-2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Apache-2.0 License"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Apache License 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Apache License Version 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Apache License, Version 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "The Apache License, Version 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "The Apache Software License, Version 2.0"
    },
    {
      "moduleName": "com.nimbusds:oauth2-oidc-sdk",
      "moduleLicense": "\"Apache License, version 2.0\";link=\"https://www.apache.org/licenses/LICENSE-2.0.html\""
    },
    {
      "moduleName": ".*",
      "moduleLicense": "MPL 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "UnboundID SCIM2 SDK Free Use License"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "GPL2 w/ CPE"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "GPLv2+CE"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "GNU GENERAL PUBLIC LICENSE, Version 2 + Classpath Exception"
    },
    {
      "moduleName": "com.martiansoftware:jsap",
      "moduleLicense": "LGPL"
    },
    {
      "moduleName": "org.hibernate.orm:hibernate-core",
      "moduleLicense": "GNU Library General Public License v2.1 or later"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Eclipse Public License - v 1.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Eclipse Public License v. 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Eclipse Public License - v 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Eclipse Public License - Version 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Eclipse Public License, Version 2.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Ubuntu Font Licence 1.0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Bouncy Castle Licence"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "Public Domain, per Creative Commons CC0"
    },
    {
      "moduleName": ".*",
      "moduleLicense": "The W3C License"
    }
  ]
 }
--- a/build.gradle
+++ b/build.gradle
@ -41,6 +41,7 @@ repositories {
 licenseReport {
    renderers = [new JsonReportRenderer()]
    allowedLicensesFile = new File("$projectDir/allowed-licenses.json")
 }
 sourceSets {
@ -366,7 +367,7 @@ dependencies {
        exclude group: "commons-logging", module: "commons-logging"
    }
    implementation "org.apache.pdfbox:preflight:$pdfboxVersion"
-    
+
    implementation ("org.apache.pdfbox:xmpbox:$pdfboxVersion") {
        exclude group: "commons-logging", module: "commons-logging"