This SonarQube plugin ensures that projects use dependencies with compliant licenses. All dependencies and licenses can be viewed per projects and exported to CSV. This enables a simple governance of dependencies and licenses for the whole organization.
This software is licensed under the Apache Software License, Version 2.0
This plugin is compatible:
- 1.x versions with SonarQube >= 5.3 and < 6.
- 2.x version with SonarQube >= 6.5 and < 7.
- 3.x version with SonarQube >= 7.9 LTS and < 8.
- 4.x version with SonarQube 8.x
- 5.x version with 8.9 LTS and <= 9.2.x
For all changes see CHANGELOG.md
Put the pre-built jar-file (from release downloads) in the directory $SONARQUBE_HOME/extensions/plugins and
restart the server to install the plugin. Activate the rules of this plugin ("License is not allowed", "Dependency has unknown license") in your SonarQube quality profiles - otherwise the plugin is not executed.
When a project is analyzed using the mvn sonar:sonar in command line the extension is started automatically.
Please make sure to have all dependencies installed before launching the SonarQube analysis. So your complete build should look something like this:
mvn -B org.jacoco:jacoco-maven-plugin:prepare-agent -Dmaven.test.failure.ignore install
mvn -B sonar:sonar
After booting the SonarQube Server with the License-Check Plugin two new options can be found in the tab Administration.
Hint: please do not use the page "Administration" -> "General Settings" -> "SonarQube License Check Plugin" for changing the plugin's settings. This shows the plugin's config in plain JSON - you might use that as a backup/restore.
- Within the general settings the plugin can be manually enabled or disabled. By default it is enabled.
- All other configuration is under License-Check specific settings ("Configuration" > "License Check").
- Under "Licenses" you can allow or disallow licenses globally and add/edit the list of known licenses.
- Under "Project Licenses" you can allow and disallow licenses for a specific project.
- Under "Maven Dependencies" you can map the Maven key (groupId:artifactId) to licenses using regular expressions. E.g.
^asm:asm$to "BSD-3-Clause" - Under "Maven Licenses" you can map Maven license texts to licenses using regular expressions, e.g.
.*Apache.*2.*to "Apache-2.0".
Maven works if your project/module has a pom.xml on its root level (running with Maven, Gradle or SonarScanner).
NPM works if your project/module has a package.json on its root level (running with Maven, Gradle or SonarScanner).
Gradle project should use JK1 plugin https://github.com/jk1/Gradle-License-Report
Note: Please check above link for instructions or follow as mentioned below
Step1: Update build.gradle file with following code for using JK1 plugin
import com.github.jk1.license.filter.LicenseBundleNormalizer
import com.github.jk1.license.render.JsonReportRenderer
plugins {
id 'com.github.jk1.dependency-license-report' version '1.13'
}
licenseReport {
allowedLicensesFile = new File("$projectDir/src/main/resources/licenses/allowed-licenses.json")
renderers = new JsonReportRenderer('license-details.json', false)
filters = [new LicenseBundleNormalizer()]
}
Step 2: Update build.gradle file with following code for using SonarQube plugin
plugins {
id 'org.sonarqube' version "3.0"
}
jar {
enabled = true
}
sonarqube {
properties {
property "sonar.host.url", "http://localhost:9000"
}
}
Step 3: run following command to generate your report license-details.json in build/reports/dependency-license
> gradle generateLicenseReport
Step 4: run following command for SonarQube
> gradle sonarqube
NuGet uses the generated output from https://github.com/tomchavakis/nuget-license. Use nuget-license in your build process to create a licenses.json file and include it anywhere within the files scanned by SonarQube.
The new SonarQube license rules are only set against C# (not VB.NET).
The plugin scans for dependencies defined in your project including all transitive dependencies.
Currently supported formats are:
- Maven POM files - all dependencies with scope "compile" and "runtime" are checked
- NPM package.json files - all dependencies (except "devDependencies") are checked
- Note that transitive dependencies are not scanned unless
licensecheck.npm.resolvetransitiveis set totrue.
- Note that transitive dependencies are not scanned unless
The plugin contains a project dashboard showing a list of dependencies with version and a list of all used licences. Each table shows the status of the license (allowed, not allowed, not found). You can also export the data to Excel.
Example for "Dependencies" table:
| Name | Version | License | Status |
|---|---|---|---|
| org.springframework.boot:spring-boot | 1.4.0.RELEASE | Apache-2.0 | Allowed |
| core-js | 2.4.0 | MIT | Allowed |
| dk.brics.automaton:automaton | 1.11-8 | BSD-3-Clause | Not Allowed |
| saxon:saxon | 9.1.0.8j | Unknown |
Example for "Licenses" table:
| Identifier | Name | Allowed |
|---|---|---|
| Apache-2.0 | Apache License 2.0 | true |
| MIT | MIT License | true |
| BSD-3-Clause | BSD 3-clause New or Revised License | false |