SONARIAC-2199 Cloud-Security License Packaging Standard (#77)

Author: jonas-wielage-sonarsource

gradle-modules/build.gradle.kts

@@ -31,6 +31,7 @@ dependencies {
         exclude("ch.qos.logback", "logback-core")
     }
     implementation(libs.shadow)
+    implementation(libs.license.report)
 }
 
 gradlePlugin {

gradle-modules/src/main/kotlin/org.sonarsource.cloud-native.license-file-generator.gradle.kts

@@ -0,0 +1,210 @@
+/*
+ * SonarSource Cloud Native Gradle Modules
+ * Copyright (C) 2024-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+import com.github.jk1.license.render.ReportRenderer
+import java.io.IOException
+import java.nio.file.Files
+import java.nio.file.StandardCopyOption
+import java.security.MessageDigest
+import org.sonarsource.cloudnative.gradle.AnalyzerLicensingPackagingRenderer
+
+plugins {
+    id("com.github.jk1.dependency-license-report")
+}
+
+/**
+ * This plugin is used for generating license files for third-party dependencies into the resources folder.
+ * It provides a validation task to ensure that the license files in the resource folder are up-to-date.
+ * It provides a task to regenerate the license files into the resources folder.
+ * This tasks expects the license of the analyzer to be present one level above the (project-)plugin directory.
+ */
+var buildLicenseReportDirectory = project.layout.buildDirectory.dir("reports/dependency-license")
+var buildLicenseOutputToCopyDir = buildLicenseReportDirectory.get().dir("licenses")
+var resourceLicenseDir = project.layout.projectDirectory.dir("src/main/resources/licenses")
+var resourceThirdPartyDir = resourceLicenseDir.dir("THIRD_PARTY_LICENSES")
+
+licenseReport {
+    renderers = arrayOf<ReportRenderer>(AnalyzerLicensingPackagingRenderer(buildLicenseReportDirectory.get().asFile.toPath()))
+}
+
+tasks.named("check") {
+    dependsOn("validateLicenseFiles")
+}
+
+tasks.register("validateLicenseFiles") {
+    description = "Validate that generated license files match the committed ones"
+    group = "validation"
+    // generateLicenseReport is the task exposed by `com.github.jk1.dependency-license-report`
+    dependsOn("generateLicenseReport")
+
+    doLast {
+        if (!areDirectoriesEqual(buildLicenseOutputToCopyDir.asFile, resourceThirdPartyDir.asFile)) {
+            val message = """
+                [FAILURE] License file validation failed!
+                Generated license files differ from committed files at $resourceThirdPartyDir.
+                To update the committed license files, run './gradlew generateLicenseResources' and commit the changes.
+                
+                Note: This will completely regenerate all license files under $resourceThirdPartyDir and remove any stale ones.
+                """
+            throw GradleException(message)
+        } else {
+            logger.lifecycle("License file validation succeeded: Generated license files match the committed ones.")
+        }
+    }
+}
+
+/**
+ * An empty build service to serve as a synchronization point.
+ * Because `com.github.jk1.dependency-license-report` is not able to run in parallel with Gradle 9.0,
+ * we force tasks to never run in parallel by configuring this service.
+ */
+abstract class NoParallelService : BuildService<BuildServiceParameters.None>
+
+// generateLicenseReport is the task exposed by `com.github.jk1.dependency-license-report`
+tasks.named("generateLicenseReport") {
+    usesService(
+        gradle.sharedServices.registerIfAbsent("noParallelProvider", NoParallelService::class) {
+            // generateLicenseReport requires single threaded run with Gradle 9.0
+            maxParallelUsages = 1
+        }
+    )
+
+    // I'm currently unsure how I could properly cache this, or if this isn't already handled?
+    outputs.upToDateWhen {
+        // To be on a safe side, always rerun the generator
+        false
+    }
+
+    doFirst {
+        // Clean up previous output to avoid stale files
+        buildLicenseReportDirectory.get().asFile.deleteRecursively()
+        Files.createDirectories(buildLicenseOutputToCopyDir.asFile.toPath())
+    }
+}
+
+// Requires LICENSE.txt to be present one level above the (project-)plugin directory
+tasks.register("generateLicenseResources") {
+    description = "Copies generated license files to the resources directory"
+    dependsOn("generateLicenseReport")
+
+    doLast {
+        val sonarLicenseFile = project.layout.projectDirectory.asFile.parentFile.resolve("LICENSE.txt")
+        Files.copy(
+            sonarLicenseFile.toPath(),
+            resourceLicenseDir.file("LICENSE.txt").asFile.toPath(),
+            StandardCopyOption.REPLACE_EXISTING
+        )
+        copyDirectory(buildLicenseReportDirectory.get().dir("licenses").asFile, resourceThirdPartyDir.asFile)
+    }
+}
+
+/**
+ * Compares two directories recursively to check for equality.
+ * * Two directories are considered equal if they have the exact same
+ * directory structure and all corresponding files have identical content.
+ *
+ * @param dir1 The first directory.
+ * @param dir2 The second directory.
+ * @return `true` if the directories are equal, `false` otherwise.
+ */
+fun areDirectoriesEqual(
+    dir1: File,
+    dir2: File,
+): Boolean {
+    if (!dir1.isDirectory || !dir2.isDirectory) {
+        logger.warn("One or both paths are not directories.")
+        return false
+    }
+    logger.lifecycle("Comparing directories: ${dir1.name} and ${dir2.name}")
+
+    try {
+        // 1. Walk both directory trees and map files by their relative path
+        val files1 = dir1.walk()
+            .filter { it.isFile }
+            .associateBy { it.relativeTo(dir1) }
+
+        val files2 = dir2.walk()
+            .filter { it.isFile }
+            .associateBy { it.relativeTo(dir2) }
+
+        // 2. Compare the directory structure (based on file paths)
+        if (files1.keys != files2.keys) {
+            logger.warn("Directory structures do not match.")
+            logger.warn("Files only in ${dir1.name}: ${files1.keys - files2.keys}")
+            logger.warn("Files only in ${dir2.name}: ${files2.keys - files1.keys}")
+            return false
+        }
+
+        // 3. Compare the content of each matching file
+        for (relativePath in files1.keys) {
+            val file1 = files1[relativePath]!!
+            val file2 = files2[relativePath]!!
+
+            // Quick check: compare file sizes first
+            if (file1.length() != file2.length()) {
+                logger.warn("File size mismatch: $relativePath")
+                return false
+            }
+
+            // Full check: compare byte content
+            val checksum1 = getFileChecksum(file1)
+            val checksum2 = getFileChecksum(file2)
+            if (checksum1 != checksum2) {
+                logger.warn("File content mismatch: $relativePath")
+                return false
+            }
+        }
+
+        // If all checks pass, the directories are equal
+        return true
+    } catch (e: IOException) {
+        logger.error("An error occurred during comparison: ${e.message}")
+        return false
+    }
+}
+
+fun getFileChecksum(file: File): String {
+    val md = MessageDigest.getInstance("SHA-256")
+    val digestBytes = md.digest(file.readBytes())
+
+    // 4. Convert the byte array to a hexadecimal string
+    // "%02x" formats each byte as two lowercase hex digits
+    return digestBytes.joinToString("") { "%02x".format(it) }
+}
+
+fun copyDirectory(
+    sourceDir: File,
+    destinationDir: File,
+) {
+    val errors = mutableListOf<String>()
+
+    destinationDir.deleteRecursively()
+    sourceDir.copyRecursively(
+        target = destinationDir,
+        overwrite = true,
+        onError = { file, exception ->
+            logger.warn("Failed to copy $file: ${exception.message}")
+            errors.add(file.name)
+            OnErrorAction.SKIP // Skip this file and continue
+        }
+    )
+
+    if (errors.isEmpty()) {
+        logger.lifecycle("Directory ${sourceDir.name} copied successfully to ${destinationDir.name}")
+    } else {
+        throw GradleException("Failed to copy ${errors.size} files.")
+    }
+}

gradle-modules/src/main/kotlin/org/sonarsource/cloudnative/gradle/AnalyzerLicensingPackagingRenderer.kt

@@ -0,0 +1,169 @@
+/*
+ * SonarSource Cloud Native Gradle Modules
+ * Copyright (C) 2024-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.cloudnative.gradle
+
+import com.github.jk1.license.LicenseFileDetails
+import com.github.jk1.license.ModuleData
+import com.github.jk1.license.ProjectData
+import com.github.jk1.license.render.ReportRenderer
+import java.io.IOException
+import java.net.URISyntaxException
+import java.nio.file.Files
+import java.nio.file.Path
+import java.nio.file.StandardCopyOption
+import java.nio.file.StandardOpenOption
+import java.util.ArrayList
+
+class AnalyzerLicensingPackagingRenderer(
+    private val buildOutputDir: Path,
+) : ReportRenderer {
+    private var apacheLicenseFileName: String = "Apache-2.0.txt"
+    private lateinit var generatedLicenseResourcesDirectory: Path
+    private val licenseTitleToResourceFile: Map<String, String> = buildMap {
+        put("Apache License, Version 2.0", apacheLicenseFileName)
+        put("Apache License Version 2.0", apacheLicenseFileName)
+        put("Apache 2", apacheLicenseFileName)
+        put("Apache-2.0", apacheLicenseFileName)
+        put("The Apache Software License, Version 2.0", apacheLicenseFileName)
+        put("BSD-3-Clause", "BSD-3.txt")
+        put("GNU LGPL 3", "GNU-LGPL-3.txt")
+        put("Go License", "Go.txt")
+    }
+    private val dependenciesWithUnusableLicenseFileInside: Set<String> = setOf(
+        "com.fasterxml.jackson.dataformat.jackson-dataformat-smile",
+        "com.fasterxml.jackson.dataformat.jackson-dataformat-yaml"
+    )
+    private val exceptions: ArrayList<String> = ArrayList()
+
+    // Generate license files for all dependencies in the licenses folder
+    override fun render(data: ProjectData) {
+        generatedLicenseResourcesDirectory = buildOutputDir.resolve("licenses")
+        try {
+            generateDependencyFiles(data)
+        } catch (e: Exception) {
+            throw RuntimeException(e)
+        }
+        if (exceptions.isNotEmpty()) {
+            val exceptionLog = exceptions.joinToString(separator = "\n")
+            throw RuntimeException("Exceptions occurred during license file generation:\n$exceptionLog")
+        }
+    }
+
+    @Throws(IOException::class, URISyntaxException::class)
+    private fun generateDependencyFiles(data: ProjectData) {
+        for (dependency in data.allDependencies) {
+            generateDependencyFile(dependency)
+        }
+    }
+
+    /**
+     * Generate a license file for a given dependency.
+     * First we try to copy the license file included in the dependency itself in `copyIncludedLicenseFromDependency`
+     * If there is no License file, or the dependency contains an unusable license file,
+     * we try to derive the license from the pom in `findLicenseIdentifierInPomAndCopyFromResources`.
+     * In this method we're looking for the identifier of the license, and we copy the corresponding license file from our resources.
+     * The mapping (license identifier to resource file) is derived from the map `licenseTitleToResourceFile`.
+     */
+    @Throws(IOException::class, URISyntaxException::class)
+    private fun generateDependencyFile(data: ModuleData) {
+        val copyIncludedLicenseFile = copyIncludedLicenseFromDependency(data)
+        if (copyIncludedLicenseFile.success) {
+            return
+        }
+
+        val copyFromResources = findLicenseIdentifierInPomAndCopyFromResources(data)
+        if (copyFromResources.success) {
+            return
+        }
+
+        exceptions.add("${data.group}.${data.name}: ${copyIncludedLicenseFile.message}")
+        exceptions.add("${data.group}.${data.name}: ${copyFromResources.message}")
+    }
+
+    @Throws(IOException::class)
+    private fun copyIncludedLicenseFromDependency(data: ModuleData): Status {
+        if (dependenciesWithUnusableLicenseFileInside.contains("${data.group}.${data.name}")) {
+            return Status.failure("Excluded copying license from dependency as it's not the right one.")
+        }
+
+        val licenseFileDetails = data.licenseFiles.stream().flatMap { licenseFile -> licenseFile.fileDetails.stream() }
+            .filter { file: LicenseFileDetails -> file.file.contains("LICENSE") }
+            .findFirst()
+
+        if (licenseFileDetails.isEmpty) {
+            return Status.failure("No license file data found.")
+        }
+
+        copyLicenseFile(data, buildOutputDir.resolve(licenseFileDetails.get().file))
+        return Status.success
+    }
+
+    @Throws(IOException::class, URISyntaxException::class)
+    private fun findLicenseIdentifierInPomAndCopyFromResources(data: ModuleData): Status {
+        val pomLicense = data.poms.stream().flatMap { pomData -> pomData.licenses.stream() }
+            .findFirst()
+
+        if (pomLicense.isEmpty) {
+            return Status.failure("No license found in pom data.")
+        }
+
+        copyLicenseFromResources(data, pomLicense.get().name)
+        return Status.success
+    }
+
+    @Throws(IOException::class)
+    private fun copyLicenseFile(
+        data: ModuleData,
+        fileToCopy: Path,
+    ): Status {
+        // Modify to use LF line endings
+        val normalizedFile = Files.readAllLines(fileToCopy).joinToString("\n")
+        Files.write(
+            generateLicensePath(data),
+            normalizedFile.toByteArray(),
+            StandardOpenOption.CREATE,
+            StandardOpenOption.TRUNCATE_EXISTING
+        )
+        return Status.success
+    }
+
+    @Throws(IOException::class)
+    private fun copyLicenseFromResources(
+        data: ModuleData,
+        licenseName: String,
+    ): Status {
+        val licenseResourceFileName = licenseTitleToResourceFile[licenseName]
+        val resourceAsStream = AnalyzerLicensingPackagingRenderer::class.java.getResourceAsStream("/licenses/$licenseResourceFileName")
+            ?: throw IOException("Resource not found for license: $licenseName")
+        Files.copy(resourceAsStream, generateLicensePath(data), StandardCopyOption.REPLACE_EXISTING)
+        return Status.success
+    }
+
+    private fun generateLicensePath(data: ModuleData): Path =
+        generatedLicenseResourcesDirectory.resolve("${data.group}.${data.name}-LICENSE.txt")
+
+    private data class Status(
+        val success: Boolean,
+        val message: String?,
+    ) {
+        companion object {
+            var success: Status = Status(true, null)
+
+            fun failure(message: String?): Status = Status(false, message)
+        }
+    }
+}