Normalize licenses to improve License Compliance reliability
Summary
After releasing 1.4.0 in LM we realised that LM changed some of the license names, which can cause an issue for existing customers. In some releases, License Finder has changed the pretty names of the licenses. A license that's been approved or blacklisted may not be recognized.
Between v5.6.2 and v5.9.2 some licenses' pretty names changed. If a user blacklisted some licenses and the pretty name of such a license has changed, this will result in the license not being blacklisted anymore.
Some highlighted changes between v5.6.2 and v5.9.2:
- https://github.com/pivotal/LicenseFinder/commit/15b524fa52f63e04a82d160a7fc3d49c288d01e8
- https://github.com/pivotal/LicenseFinder/commit/15b524fa52f63e04a82d160a7fc3d49c288d01e8#diff-ec177d4a88942f4297ebdf6e020b9e44
- https://github.com/pivotal/LicenseFinder/commit/f1da96d4a72912787e5aeaadf96f69fde738f353#diff-ec177d4a88942f4297ebdf6e020b9e44
What is the current bug behaviour?
https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules/-/jobs/259711503
We can observe that our test project's QA failed due to a change in a license name. The difference can be seen in the MR:
gitlab-org/security-products/tests/java-maven-multimodules!15 (diffs)
If we blacklisted it as LGPL 2.1, we wouldn't be able to catch it since the name has changed to GNU Lesser General Public License version 2.1.
Example Project
What is the expected correct behaviour?
Changes in license names should be backwards compatible with our customers' blacklist/whitelist items for License Management.
Possible fixes
- Use a customised report format for generating the license report which considers short_name instead of pretty_name (https://github.com/pivotal/LicenseFinder/blob/master/lib/license_finder/license/definitions.rb). Short names don't seem to change from version to version; maybe we can leverage that to compare against blacklisted/whitelisted items.