Support multi-licensed dependencies in our License Compliance report
Summary
License Management fails to accurately report the multiple licenses of a dependency. For instance, it reports "LGPL, version 2.1, ASL, version 2" as a single license instead of reporting "LGPL, version 2.1" and "ASL, version 2" separately. As a consequence, it's difficult if not impossible to properly present these licenses and to block the ones that have been blacklisted.
The multiple licenses are properly reported by https://mvnrepository.com.
Example Project
See https://gitlab.com/gitlab-org/security-products/tests/java-maven
jna is published under LGPL v2.1 and ASL v2. It looks like one can choose between these two. See LICENSE.
Here's the output of License Management:
{
  "license": {
    "name": "LGPL, version 2.1, ASL, version 2"
  },
  "dependency": {
    "name": "jna",
    "description": "",
    "pathes": [
      "."
    ]
  }
}
javax.resource-api is published under CDDL and GPLv2 with classpath exception. It looks like ALL licenses apply at the same time. See LICENSE.md.
Here's the output of License Management:
{
  "license": {
    "name": "CDDL + GPLv2 with classpath exception"
  },
  "dependency": {
    "name": "javax.resource-api",
    "description": "",
    "pathes": [
      "."
    ]
  }
}
What is the current bug behavior?
A multi-licensed dependency appears as having a single license whose name is a comma-separated (or "+"-separated) list of all the licenses that were found. There's only one JSON object, corresponding to one composite license.
What is the expected correct behavior?
All the licenses found for a dependency should be reported as a JSON array, one entry per license.
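To illustrate why the composite name defeats a blacklist check, here is an added example (not code from GitLab or LicenseFinder) that splits the two license strings shown above into individual licenses and compares a naive check against a check on the expanded array. The splitting rule (" + " joins licenses that apply together, ", " separates licenses unless the next fragment is a version qualifier) and the blacklist contents are assumptions for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample: the two entries from the License Management output above.
REPORT = [
    {"license": {"name": "LGPL, version 2.1, ASL, version 2"},
     "dependency": {"name": "jna"}},
    {"license": {"name": "CDDL + GPLv2 with classpath exception"},
     "dependency": {"name": "javax.resource-api"}},
]

# Hypothetical blacklist used only for this demonstration.
BLACKLIST = {"LGPL, version 2.1", "GPLv2 with classpath exception"}


def split_license_name(name: str) -> List[str]:
    """Heuristically split a composite license string into individual names.

    ' + ' joins licenses that all apply; ', ' separates licenses, except when
    the following fragment is a version qualifier such as 'version 2.1'.
    """
    parts: List[str] = []
    for conjunct in name.split(" + "):
        current = ""
        for fragment in conjunct.split(", "):
            if current and re.match(r"(?i)^v(ersion)?\s*\d", fragment):
                current += ", " + fragment      # re-attach the version to its license
            else:
                if current:
                    parts.append(current)
                current = fragment
        if current:
            parts.append(current)
    return [p.strip() for p in parts if p.strip()]


def naive_blacklist_hits(report, blacklist) -> Dict[str, List[str]]:
    """Current behaviour: compare the composite name as-is; it never matches."""
    return {e["dependency"]["name"]: [e["license"]["name"]]
            for e in report if e["license"]["name"] in blacklist}


def blacklist_hits(report, blacklist) -> Dict[str, List[str]]:
    """Expected behaviour: expand each entry to a list and check every license."""
    hits: Dict[str, List[str]] = {}
    for e in report:
        bad = [l for l in split_license_name(e["license"]["name"]) if l in blacklist]
        if bad:
            hits[e["dependency"]["name"]] = bad
    return hits
```

Note that the split alone does not record whether the licenses are alternatives (jna) or all apply at once (javax.resource-api); a proper report would need to carry that distinction as well.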
Possible fixes
To be fixed upstream in LicenseFinder.