[sonar-dev] Plugin to analyse dependency licence ?


[sonar-dev] Plugin to analyse dependency licence ?

GARDAIS Ionel
Hi list,

Is there a plugin for Sonar to analyse and detect dependency licences?
More than just an indicator, it could be a blocker for a Quality gate/Quality profile to forbid certain types of licences in a project.

@G. Ann : I’m doing my best to get a t-shirt :)

Regards,
Ionel

--
Beicip-Franlab SA - 232 av. napoléon Bonaparte - BP 2132-92502 Rueil-Malmaison Cedex
Capital: EUR 6 000 000 - TVA FR 54 679 804 047- RCS Nanterre 679 804 047
This message and any attachments (the message) are confidential and intended solely for the addressees.
Any unauthorised use, dissemination or reproduction is strictly prohibited.
The sender does not accept liability for any errors or omissions in the contents of this message arising as a result of e-mail transmission.

Re: [sonar-dev] Plugin to analyse dependency licence ?

Steve Springett
Ionel,

OWASP Dependency-Check uses evidence-based analysis to determine what a library is, who made it, the version, etc. Its primary purpose is to determine if the identified library has known vulnerabilities (CVEs in the NVD). I'm working on a Sonar plugin for Dependency-Check and it will be available in the coming weeks.

One of the pieces of evidence it collects is the license. This is normally the name of the license or the URL to the license file. 

The project currently doesn't focus on licenses, so there's no real matching of license names or URLs to an internal set of available licenses. If you'd like to get involved, this may be an area of interest.

Additionally, have you looked into some of the Black Duck solutions? They do some interesting things with open source license compliance.

—Steve





On April 25, 2015 at 5:07:06 AM, GARDAIS Ionel ([hidden email]) wrote:

Hi list,

Is there a plugin for Sonar to analyse and detect dependency licences?
More than just an indicator, it could be a blocker for a Quality gate/Quality profile to forbid certain types of licences in a project.

@G. Ann : I’m doing my best to get a t-shirt :)

Regards,
Ionel

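The two pieces Steve says are missing, matching raw licence evidence (a name or a URL) to a canonical identifier and turning that into a gate that can block a build, look roughly like the following. This is an added illustration, not code from Sonar, SonarSource or OWASP Dependency-Check; the pattern table, the policy sets and the sample dependency list are all constructed for the example, and the evidence strings are assumed to come from some upstream scan.

```python
"""Licence policy gate over dependency evidence (illustrative example).

Added example, not Sonar or OWASP Dependency-Check code. It assumes an
upstream tool has already produced, per dependency, the raw licence
evidence the thread mentions (a licence name or a URL to the licence text).
"""
import re
from dataclasses import dataclass, field

# Canonical identifiers are written SPDX-style. This is a small hand-built
# table for the example, not an exhaustive licence database. Order matters:
# the LGPL and AGPL rows sit before the GPL row because their full names
# contain the words "General Public License".
LICENSE_PATTERNS = [
    (r"apache.*2", "Apache-2.0"),
    (r"\bmit\b", "MIT"),
    (r"bsd.*3|new bsd|revised bsd", "BSD-3-Clause"),
    (r"lesser general public|\blgpl\b", "LGPL"),
    (r"affero|\bagpl\b", "AGPL-3.0"),
    (r"general public license|\bgpl\b", "GPL"),
    (r"eclipse public license|\bepl\b", "EPL"),
]


def normalize_license(evidence: str) -> str:
    """Map a raw licence name or URL to a canonical identifier.

    Returns "UNKNOWN" when nothing matches. Unknown must not silently pass,
    so the gate below raises a finding for it as well.
    """
    text = evidence.lower()
    for pattern, ident in LICENSE_PATTERNS:
        if re.search(pattern, text):
            return ident
    return "UNKNOWN"


@dataclass
class Policy:
    forbidden: set[str]                              # fail the gate outright
    review: set[str] = field(default_factory=set)    # allowed only after a human decision
    fail_on_unknown: bool = True                     # no evidence is itself a finding


@dataclass
class Dependency:
    coordinates: str            # e.g. group:artifact:version
    license_evidence: list[str]  # raw names/URLs collected by the scanner


@dataclass
class Finding:
    coordinates: str
    license: str
    severity: str  # "BLOCKER" or "MAJOR"


def evaluate(deps: list[Dependency], policy: Policy) -> list[Finding]:
    """Apply the policy to every dependency and return all findings.

    A dependency with several licence strings (dual licensing) yields one
    finding per matched identifier; deciding which option applies is left
    to a human, which is why such cases should land in `review`, not here.
    """
    findings: list[Finding] = []
    for dep in deps:
        idents = {normalize_license(e) for e in dep.license_evidence} or {"UNKNOWN"}
        for ident in sorted(idents):
            if ident in policy.forbidden:
                findings.append(Finding(dep.coordinates, ident, "BLOCKER"))
            elif ident in policy.review:
                findings.append(Finding(dep.coordinates, ident, "MAJOR"))
            elif ident == "UNKNOWN" and policy.fail_on_unknown:
                findings.append(Finding(dep.coordinates, ident, "MAJOR"))
    return findings


def gate_passes(findings: list[Finding]) -> bool:
    """The quality gate fails on any BLOCKER; MAJOR findings are reported only."""
    return not any(f.severity == "BLOCKER" for f in findings)


# Constructed sample input, not real scan output. Coordinates are invented.
SAMPLE_DEPENDENCIES = [
    Dependency("org.example:webcore:1.2.0", ["The Apache Software License, Version 2.0"]),
    Dependency("org.example:tinyjson:0.9", ["http://opensource.org/licenses/MIT"]),
    Dependency("org.example:dbdriver:3.1", ["GNU General Public License v2.0"]),
    Dependency("org.example:orm:4.0", ["http://www.gnu.org/licenses/lgpl-2.1.html"]),
    Dependency("org.example:legacyutil:0.1", []),   # scanner found no licence at all
]

# Assumed policy for the example: copyleft blocks, weak copyleft needs review.
DEFAULT_POLICY = Policy(forbidden={"GPL", "AGPL-3.0"}, review={"LGPL", "EPL"})


def run_gate(deps=SAMPLE_DEPENDENCIES, policy=DEFAULT_POLICY):
    findings = evaluate(deps, policy)
    return findings, gate_passes(findings)


if __name__ == "__main__":
    findings, ok = run_gate()
    for f in findings:
        print(f"{f.severity:8} {f.coordinates:32} {f.license}")
    print("quality gate:", "PASSED" if ok else "FAILED")
```

On the constructed sample the GPL driver is a BLOCKER and fails the gate, the LGPL ORM and the dependency with no evidence are reported as MAJOR for review. Treating "no licence evidence" as a finding is deliberate: a scanner that only flags what it recognises lets unlabelled artifacts through by default.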

Re: [sonar-dev] Plugin to analyse dependency licence ?

G. Ann Campbell
In reply to this post by GARDAIS Ionel
Sorry Ionel, you'll have to try again.

In fact dependency analysis is an area that we'd like to move away from.



---
G. Ann CAMPBELL | SonarSource
Product Owner

On Sat, Apr 25, 2015 at 12:06 PM, GARDAIS Ionel <[hidden email]> wrote:
Hi list,

Is there a plugin for Sonar to analyse and detect dependency licences?
More than just an indicator, it could be a blocker for a Quality gate/Quality profile to forbid certain types of licences in a project.

@G. Ann : I’m doing my best to get a t-shirt :)

Regards,
Ionel



Re: [sonar-dev] Plugin to analyse dependency licence ?

Ionel GARDAIS
Oh, OK :)

I'll try again.

Ionel


On 04/28/2015 11:29 AM, G. Ann Campbell wrote:
Sorry Ionel, you'll have to try again.

In fact dependency analysis is an area that we'd like to move away from.



---
G. Ann CAMPBELL | SonarSource
Product Owner

On Sat, Apr 25, 2015 at 12:06 PM, GARDAIS Ionel <[hidden email]> wrote:
Hi list,

Is there a plugin for Sonar to analyse and detect dependency licences?
More than just an indicator, it could be a blocker for a Quality gate/Quality profile to forbid certain types of licences in a project.

@G. Ann : I’m doing my best to get a t-shirt :)

Regards,
Ionel



-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager





Re: [sonar-dev] Plugin to analyse dependency licence ?

Michel Pawlak
In reply to this post by GARDAIS Ionel
Hi Ionel, IMHO you should do this kind of check at the level of your enterprise repository. As we are using Nexus, we are thinking about using Sonatype's CLM for this purpose (http://www.sonatype.com/clm/clm-feature-tour). You should have a look at it, it's a great tool.

Kind regards,

Michel

Re: [sonar-dev] Plugin to analyse dependency licence ?

Olivier Demeijer
In reply to this post by G. Ann Campbell
Hi Ann,

I take the opportunity, having discovered today that you now sign as "Product Owner" and that you announce another "move away", to ask you where Sonar is actually and precisely going.

I'm a long-time Sonar user (wrote my first sonar-plugin on version 1.4 ...), but I'm a little bit disappointed by the direction taken in the last few months. I might be wrong, but this is my perception: that you are moving out of everything that is not strictly related to your SSLR toolkit. It all started for me one year ago when, all of a sudden, it was decided that Sonar won't run the tests itself in a Maven build.
Since then, more and more "historical features" are disappearing and/or being dropped, whilst at the same time it seems harder and harder for people to add homebrewed plugins (the latest news on the impossibility of adding a dedicated page due to your move to a pure JS UI is not, imho, good news).
I have read on multiple occasions "Sonar is not the right place to centralize all the information related to the quality of a piece of software". I'm afraid to say that, at least for me, and I'm sure I'm not alone in this case, this centralization capability WAS what sold me on Sonar: back in 2008, Sonar wonderfully integrated reports generated by PMD, Findbugs, Checkstyle, Surefire, Jacoco's ancestor, ..., adding a few features (like package design, for example). All that information in one place, with the possibility to play with the time machine to see the quality evolving. Priceless (so we bought a few plugins we don't really need, to pay it back).

Then SSLR development started. I agree that this is certainly something that makes your life easier, ... but for me, as an end user, I barely see the difference between SSLR results and those brought by the PMD/Checkstyle/Findbugs combo. Then came the UI redesign, which, still imho, makes things less readable (off the top of my head: have you ever tried to read the message returned by a failing test if it's longer than a few words, with the new "very small popup message display"???).

That's "a lot of complaints", sorry for that, but I guess I had to tell you: last week, I was surprised to ask myself "Isn't there a more adequate solution than Sonar to make sure that the quality of our code is maintained to a high standard?".
Not sure this is the right place, but I guess it is the right time.
Regards,
Olivier Demeijer