
License Audit with Qodana

Qodana specializes in build quality management, bringing the static analysis smarts of the IntelliJ Platform to project-level checks. In May, we extended the platform with a second linter, Clone Finder, which detects code duplicates. Today, we are happy to announce the EAP for License Audit, which detects incompatible third-party licenses among the dependencies your code relies on, making compliance verification easier for your project and company.

Qodana License Audit is still at an early stage, but making it available now lets us catch problems sooner and prepare for the public release. Qodana License Audit lists the licenses of the dependencies in an analyzed repository and warns you about any compatibility problems between them and the project's own license. Whenever a new library is added to your project, or an existing one unexpectedly changes its license, Qodana License Audit alerts you so you don't miss an important license change.

Qodana License Audit in action

Problems section in the report

The results of Qodana License Audit checks will be reported as a list of problems with the following information:

  • License tags (A)
  • Dependency name (B)
  • License SPDX identifier (C)
  • Type of problem (D)
  • Advice (E)

Third-party licenses list section

In addition to the list of problems, Qodana License Audit provides a list of third-party licenses, which you can download and share with your users or legal department, or use as a part of your build chain for further integration.

Configuration

You can configure License Audit with a list of allowed and prohibited licenses. The default configuration shipped with License Audit is based on the rules we use at JetBrains, but you can change it to match your project's needs. Typically, these requirements follow from the license you want your project to have: the acceptable options for an open-source project are completely different from those for a closed-source commercial one. License Audit also notifies you if no license is defined in your project, so you can catch that early.

See our documentation on how to adjust the license rules to your needs.

By default, License Audit makes the following checks:

  • No project licenses
  • Unrecognized project license
  • Unrecognized dependency license
  • No dependency licenses
  • Prohibited dependency license
  • Uncategorized dependency license

You can switch any of them off via the user interface or directly in the qodana.yaml.

See the corresponding section in our documentation.
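To make the six default checks concrete, here is an added example (not Qodana's code and not its qodana.yaml format) that models them in Python over a constructed dependency list, including how a dual-licensed dependency is treated and how disabling a check suppresses its reports. It also models the two related features mentioned earlier in the post: the shareable third-party license list and the alert when a dependency's license changes between two audits. The recognized-SPDX subset, the rule shape, the advice strings and the sample dependencies are all assumptions for illustration.

```python
"""Simplified model of the License Audit checks listed above.
Added illustration, not Qodana's code. Check names mirror the six defaults in
the post; the SPDX subset, rule shape and sample manifests are constructed."""
from dataclasses import dataclass, field

# Constructed subset of the SPDX license list; a real checker loads the full list.
KNOWN_SPDX = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only",
              "LGPL-2.1-only", "MPL-2.0"}

NO_PROJECT = "No project licenses"
UNKNOWN_PROJECT = "Unrecognized project license"
UNKNOWN_DEP = "Unrecognized dependency license"
NO_DEP = "No dependency licenses"
PROHIBITED_DEP = "Prohibited dependency license"
UNCATEGORIZED_DEP = "Uncategorized dependency license"


@dataclass
class Rules:
    """Assumed rule shape: the project's own licenses plus allowed/prohibited
    dependency licenses. Recognized but unlisted ones are 'uncategorized'."""
    project_licenses: set
    allowed: set
    prohibited: set
    disabled_checks: set = field(default_factory=set)


@dataclass
class Dependency:
    name: str
    licenses: list  # SPDX ids declared by the package; empty if none found


def audit(rules, deps):
    """Return (problem_type, dependency, license, advice) tuples.
    A dual-licensed dependency passes when at least one option is allowed,
    since the consumer may choose that license."""
    problems = []

    def report(kind, dep=None, lic=None, advice=""):
        if kind not in rules.disabled_checks:  # switched-off checks stay silent
            problems.append((kind, dep, lic, advice))

    if not rules.project_licenses:
        report(NO_PROJECT, advice="Add a LICENSE file or declare the project license")
    for lic in sorted(rules.project_licenses):
        if lic not in KNOWN_SPDX:
            report(UNKNOWN_PROJECT, lic=lic, advice="Use an SPDX identifier")

    for dep in deps:
        if not dep.licenses:
            report(NO_DEP, dep.name, advice="Check package metadata or add an override")
            continue
        if any(lic in rules.allowed for lic in dep.licenses):
            continue  # at least one acceptable option exists
        unknown = [lic for lic in dep.licenses if lic not in KNOWN_SPDX]
        prohibited = [lic for lic in dep.licenses if lic in rules.prohibited]
        if prohibited:
            report(PROHIBITED_DEP, dep.name, prohibited[0],
                   advice="Replace the dependency or obtain another license")
        elif unknown:
            report(UNKNOWN_DEP, dep.name, unknown[0],
                   advice="Map the declared license text to an SPDX identifier")
        else:
            report(UNCATEGORIZED_DEP, dep.name, dep.licenses[0],
                   advice="Decide whether this license is allowed and update the rules")
    return problems


def third_party_list(deps):
    """Lines for the shareable third-party license list, sorted by name."""
    return [f"{d.name}: {' OR '.join(d.licenses) if d.licenses else 'UNKNOWN'}"
            for d in sorted(deps, key=lambda d: d.name)]


def license_changes(baseline, current):
    """Compare two audits (name -> licenses). Returns (name, old, new) for new
    dependencies and for ones whose declared licenses changed."""
    changes = []
    for name, lics in sorted(current.items()):
        old = baseline.get(name)
        if old is None or sorted(old) != sorted(lics):
            changes.append((name, old, lics))
    return changes


# Constructed sample: an Apache-2.0 project with a permissive-only policy.
SAMPLE_RULES = Rules(project_licenses={"Apache-2.0"},
                     allowed={"MIT", "Apache-2.0", "BSD-3-Clause"},
                     prohibited={"GPL-3.0-only"})
SAMPLE_DEPS = [
    Dependency("http-client", ["Apache-2.0"]),        # fine
    Dependency("mystery-lib", []),                    # no license found
    Dependency("copyleft-core", ["GPL-3.0-only"]),    # prohibited
    Dependency("dual-lib", ["GPL-3.0-only", "MIT"]),  # fine via MIT
    Dependency("odd-lib", ["Custom-EULA"]),           # not an SPDX id
    Dependency("lgpl-lib", ["LGPL-2.1-only"]),        # recognized, undecided
]

if __name__ == "__main__":
    for problem in audit(SAMPLE_RULES, SAMPLE_DEPS):
        print(problem)
    print("\n".join(third_party_list(SAMPLE_DEPS)))
```

Running the script reports four problems for the sample (missing, prohibited, unrecognized and uncategorized) and skips the dual-licensed package because MIT is allowed; an unrecognized identifier is reported rather than silently passed, which is the case a reviewer most wants to see surfaced. The baseline comparison in license_changes is the piece you would wire into CI to fail a build when an upstream package flips its license.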

See it in action!

We've created a playground that lets you see Qodana in action on Gradle, npm, PHP Composer, and Python pip projects. To open the playground, go to https://qodana.teamcity.com, select the Login as guest option, and open the License Audit Examples project to explore the UI integrated into JetBrains TeamCity.

Try it now

License Audit ships as a ready-to-use Docker image.

Detailed instructions on how to start using Qodana linters are available in our documentation.

You can run it:

  • By manually invoking it in your projects
  • By integrating it into your CI gateway
  • Using GitHub Actions
  • On JetBrains TeamCity, both standalone and Cloud

JetBrains Qodana License Audit is now available in an Early Access Program (EAP). During the EAP, users will have full access to the Qodana IntelliJ Docker image, the Qodana TeamCity plugin, and the Qodana IntelliJ GitHub application free of charge. While we try to keep EAP releases stable, they have not undergone the same degree of testing as full public release builds. This means that there may still be flaws and also that the UI and configurations can change frequently.

Feedback

We would be grateful for any feedback you have, and all ideas are welcome! Contact us at qodana-support@jetbrains.com or via our issue tracker.
