DART-356 Add license validation to sonar-dart plugin (#100)

Author: maksim-grebeniuk-sonarsource

gradle-modules/src/main/kotlin/org.sonarsource.cloud-native.dart-license-file-generator.gradle.kts

@@ -0,0 +1,193 @@
+/*
+ * SonarSource Cloud Native Gradle Modules
+ * Copyright (C) 2024-2026 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+import groovy.json.JsonSlurper
+import java.io.File
+import java.net.URI
+import java.nio.file.Files
+import org.gradle.api.GradleException
+import org.gradle.kotlin.dsl.create
+import org.gradle.kotlin.dsl.findByType
+import org.sonarsource.cloudnative.gradle.DartLicenseGenerationConfig
+import org.sonarsource.cloudnative.gradle.areDirectoriesEqual
+import org.sonarsource.cloudnative.gradle.copyDirectory
+
+/**
+ * This plugin collects license files from third-party Dart runtime dependencies and places them
+ * into a resources folder. It provides:
+ * - A task to collect licenses from pub.dev packages referenced in pubspec.lock / package_config.json
+ * - A validation task to ensure committed license files are up-to-date
+ * - A task to regenerate the license files into the resources folder
+ */
+
+val dartLicenseConfig =
+    extensions.findByType<DartLicenseGenerationConfig>()
+        ?: extensions.create<DartLicenseGenerationConfig>("dartLicenseGenerationConfig")
+
+dartLicenseConfig.buildDartLicenseFilesDir.convention(
+    project.layout.buildDirectory.dir("dart-licenses").get().asFile
+)
+dartLicenseConfig.projectLicenseFile.convention(project.rootDir.resolve("LICENSE"))
+dartLicenseConfig.packageConfigFile.convention(
+    project.rootDir.resolve("analyzer/.dart_tool/package_config.json")
+)
+dartLicenseConfig.analyzerDir.convention(
+    project.rootDir.resolve("analyzer")
+)
+
+val resourceLicenseDir = project.layout.projectDirectory.dir("src/main/resources/dart-licenses")
+
+val collectDartLicenses = tasks.register("collectDartLicenses") {
+    description = "Collects license files from Dart pub.dev dependencies"
+    group = "licenses"
+    var dartPubGetTasks = getTasksByName("dartPubGet", true)
+    dependsOn(dartPubGetTasks)
+
+    doLast {
+        val nonDevPackages = parseNonDevPackages(dartLicenseConfig.analyzerDir.get())
+        val packageRoots = parsePackageRoots(dartLicenseConfig.packageConfigFile.get())
+
+        // Only include hosted packages (those resolved from pub.dev with file:// URIs in package_config.json)
+        val runtimePackages = nonDevPackages.filter { packageRoots.containsKey(it) }
+
+        val outputDir = dartLicenseConfig.buildDartLicenseFilesDir.get().resolve("THIRD_PARTY_LICENSES")
+        outputDir.deleteRecursively()
+        outputDir.mkdirs()
+
+        logger.lifecycle("Collecting licenses for ${runtimePackages.size} runtime Dart packages...")
+
+        var collected = 0
+        for (pkgName in runtimePackages.sorted()) {
+            val pkgRoot = packageRoots[pkgName]!!
+
+            val licenseFile = findLicenseFile(pkgRoot)
+            if (licenseFile != null) {
+                licenseFile.copyTo(outputDir.resolve("$pkgName-LICENSE.txt"), overwrite = true)
+                collected++
+            } else {
+                logger.warn("No LICENSE file found for package: $pkgName (looked in $pkgRoot)")
+            }
+        }
+
+        // Copy project license
+        val projectLicense = dartLicenseConfig.projectLicenseFile.get()
+        projectLicense.copyTo(
+            dartLicenseConfig.buildDartLicenseFilesDir.get().resolve("LICENSE"),
+            overwrite = true
+        )
+
+        logger.lifecycle("Collected $collected license files from ${runtimePackages.size} packages.")
+    }
+}
+
+val validateDartLicenses = tasks.register("validateDartLicenseFiles") {
+    description = "Validate that generated Dart license files match the committed ones"
+    group = "validation"
+    dependsOn(collectDartLicenses)
+
+    doLast {
+        val generated = dartLicenseConfig.buildDartLicenseFilesDir.get()
+        val committed = resourceLicenseDir.asFile
+        if (!areDirectoriesEqual(generated, committed, logger)) {
+            throw GradleException(
+                """
+                [FAILURE] Dart license file validation failed!
+                Generated license files differ from committed files at $resourceLicenseDir.
+                To update the committed license files, run './gradlew generateDartLicenseResources' and commit the changes.
+                """.trimIndent()
+            )
+        }
+        logger.lifecycle("Dart license file validation succeeded: generated files match committed ones.")
+    }
+}
+
+val generateDartLicenseResources = tasks.register("generateDartLicenseResources") {
+    description = "Copies generated Dart license files to the resources directory"
+    group = "licenses"
+    dependsOn(collectDartLicenses)
+
+    doLast {
+        val generated = dartLicenseConfig.buildDartLicenseFilesDir.get()
+        val destination = resourceLicenseDir.asFile
+        Files.createDirectories(destination.toPath())
+        copyDirectory(generated, destination, logger)
+    }
+}
+
+/**
+ * Runs `dart pub deps --no-dev --style=compact` in the analyzer directory and parses the output
+ * to extract non-dev dependency package names.
+ *
+ * Output format has lines like: `- package_name 1.0.0 [dep1 dep2]`
+ */
+fun parseNonDevPackages(analyzerDir: File): Set<String> {
+    val process = ProcessBuilder("dart", "pub", "deps", "--no-dev", "--style=compact")
+        .directory(analyzerDir)
+        .redirectErrorStream(false)
+        .start()
+    val output = process.inputStream.bufferedReader().readText()
+    val exitCode = process.waitFor()
+    if (exitCode != 0) {
+        val stderr = process.errorStream.bufferedReader().readText()
+        error("dart pub deps failed with exit code $exitCode: $stderr")
+    }
+
+    val packageLineRegex = Regex("^- (\\S+) .+$")
+    return output.lineSequence()
+        .mapNotNull { packageLineRegex.find(it)?.groupValues?.get(1) }
+        .toSet()
+}
+
+/**
+ * Parses package_config.json to build a map of package name to its root directory.
+ * Supports both absolute file:// URIs (hosted packages from pub.dev cache)
+ * and relative paths (path-based/local packages).
+ */
+fun parsePackageRoots(packageConfigFile: File): Map<String, File> {
+    val json = JsonSlurper().parse(packageConfigFile) as? Map<*, *>
+        ?: error("Invalid package_config.json: expected a JSON object")
+    val packages = json["packages"] as? List<*>
+        ?: error("Invalid package_config.json: missing 'packages' array")
+
+    val packageRoots = mutableMapOf<String, File>()
+    for (entry in packages) {
+        val pkg = entry as? Map<*, *> ?: continue
+        val name = pkg["name"] as? String ?: continue
+        val rootUri = pkg["rootUri"] as? String ?: continue
+
+        val rootDir = if (rootUri.startsWith("file://")) {
+            File(URI(rootUri))
+        } else {
+            packageConfigFile.parentFile.resolve(rootUri).canonicalFile
+        }
+        packageRoots[name] = rootDir
+    }
+    return packageRoots
+}
+
+/**
+ * Finds a LICENSE file in the given directory.
+ * Looks for common license file names: LICENSE, LICENSE.md, LICENSE.txt, LICENCE, etc.
+ */
+fun findLicenseFile(dir: File): File? {
+    if (!dir.isDirectory) return null
+    val candidates = listOf("LICENSE", "LICENSE.md", "LICENSE.txt", "LICENCE", "LICENCE.md", "LICENCE.txt")
+    for (candidate in candidates) {
+        val file = dir.resolve(candidate)
+        if (file.isFile) return file
+    }
+    return null
+}

gradle-modules/src/main/kotlin/org.sonarsource.cloud-native.go-license-file-generator.gradle.kts

@@ -74,6 +74,7 @@ tasks.named("validateLicenseFiles") {
  * during 'goLicenseGenerationConfig.generatingGoLicensesGradleTask.' task.
  */
 val generateGoLicenses = tasks.register("generateGoLicenses") {
+    group = "licenses"
     // Generating the licenses with go-license tool is done during 'dockerCompileGo' task
     dependsOn(goLicenseGenerationConfig.generatingGoLicensesGradleTask.get())
     doLast {
@@ -87,6 +88,7 @@ val generateGoLicenses = tasks.register("generateGoLicenses") {
 
 val generateGoLicenseResources = tasks.register("generateGoLicenseResources") {
     description = "Copies generated license files to the resources directory"
+    group = "licenses"
     dependsOn(generateGoLicenses)
 
     doLast {

gradle-modules/src/main/kotlin/org.sonarsource.cloud-native.license-file-generator.gradle.kts

@@ -76,6 +76,7 @@ abstract class NoParallelService : BuildService<BuildServiceParameters.None>
 
 // generateLicenseReport is the task exposed by `com.github.jk1.dependency-license-report`
 tasks.named("generateLicenseReport") {
+    group = "licenses"
     usesService(
         gradle.sharedServices.registerIfAbsent("noParallelProvider", NoParallelService::class) {
             // generateLicenseReport requires single threaded run with Gradle 9.0
@@ -99,6 +100,7 @@ tasks.named("generateLicenseReport") {
 // Requires LICENSE.txt to be present one level above the (project-)plugin directory
 tasks.register("generateLicenseResources") {
     description = "Copies generated license files to the resources directory"
+    group = "licenses"
     dependsOn("generateLicenseReport")
 
     doLast {

gradle-modules/src/main/kotlin/org/sonarsource/cloudnative/gradle/DartLicenseGenerationConfig.kt

@@ -0,0 +1,34 @@
+/*
+ * SonarSource Cloud Native Gradle Modules
+ * Copyright (C) 2024-2026 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.cloudnative.gradle
+
+import java.io.File
+import org.gradle.api.provider.Property
+
+interface DartLicenseGenerationConfig {
+    /** Directory where collected Dart license files are placed during build. */
+    val buildDartLicenseFilesDir: Property<File>
+
+    /** The project's own license file (LICENSE in repo root). */
+    val projectLicenseFile: Property<File>
+
+    /** Path to the analyzer's package_config.json (generated by `dart pub get`). */
+    val packageConfigFile: Property<File>
+
+    /** Path to the analyzer directory (used to run `dart pub deps`). */
+    val analyzerDir: Property<File>
+}

gradle-modules/src/main/kotlin/org/sonarsource/cloudnative/gradle/LicenseGenerationUtils.kt

@@ -116,7 +116,7 @@ fun copyDirectory(
     )
 
     if (errors.isEmpty()) {
-        logger.lifecycle("Directory ${sourceDir.name} copied successfully to ${destinationDir.name}")
+        logger.lifecycle("Directory ${sourceDir.absolutePath} copied successfully to ${destinationDir.absolutePath}")
     } else {
         throw GradleException("Failed to copy ${errors.size} files.")
     }