Checking third party licenses

June 10, 2021

Disclaimer: I’m not a lawyer; this article is about setting up tools to check your third party libraries. It’s by no means legal advice.

Some open source licenses are said to be viral licenses.
A viral license can contaminate your proprietary software and force you to release your code to the public under the same license as the library.

You need to audit your third parties and check their licenses transitively, but who wants to do that by hand?

Not me for sure… What if we set up a task in our CI build to check the third parties?!
Our goal is to make the build fail if any of our libraries has a license that is not on our allowed list.

A failed build will have our full attention.

1. List the licenses to allow

First things first, we need to set up the list of licenses that we want to allow.
You can refer to this article to assess the risk level of the different licenses.

For this article, let’s say we only allow the Apache 2.0 and MIT licenses.

2. Configure your build

This step will depend on your team’s ecosystem; at MyCoach most of our services are built with Scala and Maven. MojoHaus provides an awesome plugin to work with licenses, whether your project’s own license or your dependencies’ licenses.

We can configure this plugin with our allowed list and ask it to fail the build if the license of one of the libraries does not belong to this list.

I’ve added some comments in the XML below to explain how to configure the plugin to allow only Apache 2.0 and MIT licenses.

<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>license-maven-plugin</artifactId>
    <version>2.0.0</version>
    <executions>
        <execution>
            <id>add-third-party</id>
            <!-- We hook this plugin to the compile phase; you can change the phase, it's up to you. -->
            <phase>compile</phase>
            <goals>
                <goal>add-third-party</goal>
            </goals>
            <configuration>
                <!-- Do not check our internal libraries. -->
                <excludedGroups>com.globalsport.*</excludedGroups>
                <!-- Fail the build if the license is not Apache 2.0 or MIT. -->
                <failOnBlacklist>true</failOnBlacklist>
                <licenseMerges>
                    <!-- Aggregate the different ways to write Apache 2.0 into 'The Apache Software License, Version 2.0'. -->
                    <licenseMerge>The Apache Software License, Version 2.0|Apache2|Apache-2.0|Apache 2|APL2|Apache 2.0|Apache License, Version 2.0|The Apache License, Version 2.0|Apache Software License - Version 2.0|the Apache License, ASL Version 2.0|ASL 2.0|Apache License 2.0|ASL, version 2</licenseMerge>
                    <!-- Aggregate the different ways to write the MIT License into 'The MIT License'. -->
                    <licenseMerge>The MIT License|MIT license|The MIT License (MIT)|MIT License|MIT|MIT-style</licenseMerge>
                </licenseMerges>
                <!-- This is our allowed list: since we aggregate all the Apache 2.0/MIT spellings into 'The Apache Software License, Version 2.0' and 'The MIT License', we only need to include those two names here. -->
                <!-- If the license of one of our libraries is not one of those, the build will fail. -->
                <includedLicenses>
                    <includedLicense>The Apache Software License, Version 2.0</includedLicense>
                    <includedLicense>The MIT License</includedLicense>
                </includedLicenses>
            </configuration>
        </execution>
    </executions>
</plugin>

The most interesting part is probably the licenseMerge parameter: it lets you regroup the different spellings of a license name into a single one.

For example, among all our third parties we’ve found the MIT license written as:

  • The MIT License
  • MIT license
  • The MIT License (MIT)
  • MIT License
  • MIT
  • MIT-style

The licenseMerge element contains the list of all the possible ways to write the name of the license; in the output, each of them is replaced by the first entry of the list.

With the configuration above, the names MIT license, The MIT License (MIT), MIT License, MIT and MIT-style will all be replaced by The MIT License.
Thanks to this we only have to allow The MIT License in the includedLicenses configuration.
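To make the merge-then-allow logic concrete, here is a small stand-alone model of it (added example, not the plugin’s code): the first name of each merge list is the canonical name, every alias is rewritten to it, excluded groups are skipped, and whatever is left must be on the allowed list. The dependency list is constructed for the example; a dependency with no declared license is reported as well, because an empty name is not on the allowed list either.

```python
import re

# Constructed to mirror the <licenseMerges> block of the Maven configuration:
# the first entry of each list is the canonical name, the rest are aliases.
LICENSE_MERGES = [
    ["The Apache Software License, Version 2.0", "Apache2", "Apache-2.0", "Apache 2",
     "APL2", "Apache 2.0", "Apache License, Version 2.0",
     "The Apache License, Version 2.0", "Apache Software License - Version 2.0",
     "the Apache License, ASL Version 2.0", "ASL 2.0", "Apache License 2.0", "ASL, version 2"],
    ["The MIT License", "MIT license", "The MIT License (MIT)", "MIT License", "MIT", "MIT-style"],
]
# Mirrors <includedLicenses>: only canonical names need to be listed.
INCLUDED_LICENSES = {"The Apache Software License, Version 2.0", "The MIT License"}
# Mirrors <excludedGroups>: internal libraries are not audited.
EXCLUDED_GROUPS = re.compile(r"com\.globalsport\..*")


def canonical_name(license_name):
    """Map any alias found in a merge list to that list's first entry; unknown names pass through."""
    for names in LICENSE_MERGES:
        if license_name in names:
            return names[0]
    return license_name


def check_dependencies(dependencies):
    """Return the (groupId, artifactId, merged license) triples that would fail the build."""
    violations = []
    for group_id, artifact_id, license_name in dependencies:
        if EXCLUDED_GROUPS.fullmatch(group_id):
            continue  # internal library, skipped like the plugin's excludedGroups
        merged = canonical_name(license_name or "")  # missing license -> "" -> not allowed
        if merged not in INCLUDED_LICENSES:
            violations.append((group_id, artifact_id, merged))
    return violations


# Constructed sample of a transitive dependency list (groupId, artifactId, declared license).
SAMPLE_DEPENDENCIES = [
    ("org.example", "json-lib", "Apache 2.0"),
    ("org.example", "http-client", "MIT-style"),
    ("com.globalsport.core", "common", "Proprietary"),
    ("org.example", "copyleft-lib", "Example Copyleft License 1.0"),
    ("org.example", "unlabelled-lib", None),
]

if __name__ == "__main__":
    for group_id, artifact_id, merged in check_dependencies(SAMPLE_DEPENDENCIES):
        print("not allowed: %s:%s (%r)" % (group_id, artifact_id, merged))
```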

The license-maven-plugin has a lot of other configuration options. For example, you can configure includedLicenses and licenseMerges with a URL, so that the configuration can be shared across all your projects.
See licenseMergesUrl and includedLicenses in the plugin documentation for reference.

This plugin is just an example for Maven; equivalent tools exist for other ecosystems.

Conclusion

Each time we run mvn compile, all our third party libraries are checked transitively. If someone mistakenly adds a new ‘viral’ third party, they will know right away, because the build will fail both locally and on the CI server.

We now have the guarantee that no ‘viral’ libraries will make it to production!


Hi 👋
I'm Clément Agarini, a software engineer working for MyCoach. I've been building software for the past 13 years.
You can follow me on Twitter