Component Governance is a Microsoft internal DevOps tool which scans code to find all dependencies, and issues reports if dependencies have legal or security issues.
There are many reported issues concerning the license of bound Maven packages, which are hilariously wrong, e.g. `com.google.mlkit:barcode-scanning` 17.3.0 is detected as having a license of APSL-1.0, and `com.android.billingclient:billing` 7.1.1 is detected as having a license of GPL-2.0. (Just, hilariously wrong.)
Unfortunately, the way to fix the Component Governance alerts is to fix the underlying data source to mention appropriate license info: ClearlyDefined.io. This in turn requires submitting a PR to clearlydefined/curated-data.
`util/export-clearlydefined` will add or update the YAML files to contain `licensed: declared: OTHER` for specific Maven packages declared within `cgmanifest.json`: Maven packages with group ids starting with:

- `com.android`
- `com.google`
To use `export-clearlydefined`:

1. Check out the clearlydefined/curated-data repo.

   Note: This repo must be checked out on a case-sensitive filesystem. (Windows need not apply! macOS will require creating a new Disk Image with the "APFS (Case-sensitive)" file system.)

2. Use `dotnet run --project util/export-clearlydefined` to update (1). `-m` should be the path to the `cgmanifest.json` to process, and `-o` should be the path to (1):

   ```
   dotnet run --project util/export-clearlydefined -- -m cgmanifest.json -o path/to/(1)
   ```
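The transformation the tool performs, reimplemented in Python as an added example (this is not the C# code of `util/export-clearlydefined`): it filters a `cgmanifest.json` down to Maven components in the listed group-id families and adds or updates a `licensed: declared: OTHER` revision in the matching curation file. The curated-data layout (`curations/maven/mavencentral/<namespace>/<name>.yaml`) and the `coordinates`/`revisions` shape are assumptions about the ClearlyDefined curation format, and the sample manifest is constructed.

```python
import copy
import json

# Constructed sample cgmanifest.json (not the repo's file): two in-scope packages, one out of scope.
SAMPLE_CGMANIFEST = json.dumps({"version": 1, "registrations": [
    {"component": {"type": "maven", "maven": {"groupId": "com.google.mlkit",
        "artifactId": "barcode-scanning", "version": "17.3.0"}}},
    {"component": {"type": "maven", "maven": {"groupId": "com.android.billingclient",
        "artifactId": "billing", "version": "7.1.1"}}},
    {"component": {"type": "maven", "maven": {"groupId": "org.jetbrains.kotlin",
        "artifactId": "kotlin-stdlib", "version": "1.9.0"}}},
]})

GROUP_PREFIXES = ("com.android", "com.google")  # plain prefix match, as the tool describes it

def select_maven(manifest_text, prefixes=GROUP_PREFIXES):
    """Yield (groupId, artifactId, version) for Maven registrations whose group id starts with a prefix."""
    for reg in json.loads(manifest_text).get("registrations", []):
        comp = reg.get("component", {})
        if comp.get("type", "").lower() != "maven":
            continue  # cgmanifest.json may also list npm, nuget, git, ... components
        m = comp["maven"]
        if m["groupId"].startswith(prefixes):
            yield m["groupId"], m["artifactId"], m["version"]

def add_revision(curation, group, artifact, version, declared="OTHER"):
    """Add or overwrite one revision's declared license; create the coordinates block if the file is new."""
    curation.setdefault("coordinates", {"type": "maven", "provider": "mavencentral",
                                        "namespace": group, "name": artifact})
    curation.setdefault("revisions", {})[version] = {"licensed": {"declared": declared}}
    return curation

def build_curations(manifest_text, existing=None):
    """Map curation file path -> curation dict; `existing` holds already-loaded files, which are updated."""
    out = copy.deepcopy(existing) if existing else {}
    for group, artifact, version in select_maven(manifest_text):
        # Assumed curated-data layout: curations/<type>/<provider>/<namespace>/<name>.yaml
        path = f"curations/maven/mavencentral/{group}/{artifact}.yaml"
        out[path] = add_revision(out.get(path, {}), group, artifact, version)
    return out

def render_yaml(curation):
    """Serialise the fixed curation shape without PyYAML; versions are quoted so e.g. 1.0 stays a string."""
    c = curation["coordinates"]
    lines = ["coordinates:"] + [f"  {k}: {c[k]}" for k in ("type", "provider", "namespace", "name")]
    lines.append("revisions:")
    for ver, rev in sorted(curation["revisions"].items()):
        lines += [f"  '{ver}':", "    licensed:", f"      declared: {rev['licensed']['declared']}"]
    return "\n".join(lines) + "\n"
```

Writing each rendered string to its path under the checked-out curated-data repo is the `-o` step; revisions already present for other versions are kept.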