Adopt license eye to check dependencies' license (#9220)

.github/workflows/skywalking.yaml

@@ -52,30 +52,62 @@ jobs:
         with:
           submodules: true
       - name: Check code style
-        run: ./mvnw clean checkstyle:check
+        run: ./mvnw -B -q clean checkstyle:check
+
+  dependency-license:
+    if: |
+      always() &&
+      ((github.event_name == 'schedule' && github.repository == 'apache/skywalking') || needs.changes.outputs.pom == 'true')
+    name: Dependency licenses
+    needs: [ changes ]
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '8'
+          cache: 'maven'
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.16'
+      - name: Check Dependencies Licenses
+        run: |
+          go install github.com/apache/skywalking-eyes/cmd/license-eye@47febf5
+          license-eye dependency resolve --summary ./dist-material/release-docs/LICENSE.tpl || exit 1
+          if [ ! -z "$(git diff -U0 ./dist-material/release-docs/LICENSE)" ]; then
+            echo "LICENSE file is not updated correctly"
+            git diff -U0 ./dist-material/release-docs/LICENSE
+            exit 1
+          fi
 
   sanity-check:
-    if: (github.event_name == 'schedule' && github.repository == 'apache/skywalking') || (github.event_name != 'schedule')
+    if: always() && (github.event_name == 'schedule' && github.repository == 'apache/skywalking') || (github.event_name != 'schedule')
     name: Sanity check results
-    needs: [ license-header, code-style ]
+    needs: [ license-header, code-style, dependency-license ]
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - name: Check results
         run: |
-          [[ ${{ needs.license-header.result }} == 'success' ]] || exit -1;
-          [[ ${{ needs.code-style.result }} == 'success' ]] || exit -1;
+          [[ ${{ needs.license-header.result }} == 'success' ]] || exit 1;
+          [[ ${{ needs.code-style.result }} == 'success' ]] || exit 1;
+          [[ ${{ needs.dependency-license.result }} == 'success' ]] || [[ ${{ needs.dependency-license.result }} == 'skipped' ]] || exit 1;
 
   changes:
     # Check if anything related to Actual code / CI(functional testing) is changed
     # set outputs for other jobs to access for if conditions
     runs-on: ubuntu-latest
-    needs: [ sanity-check ]
     # To prevent error when there's no base branch
     if: github.event_name != 'schedule'
     timeout-minutes: 10
     outputs:
       oap: ${{ steps.filter.outputs.oap }}
+      pom: ${{ steps.filter.outputs.pom }}
     steps:
       - uses: actions/checkout@v3  # required for push event
       - name: Check for file changes
@@ -102,6 +134,8 @@ jobs:
               dist-material/release-docs/**,\
               component-libraries.yml\
               }"
+            pom:
+              - "**/pom.xml"
           list-files: json  # logs matched files
 
   dist-tar:
@@ -171,30 +205,6 @@ jobs:
           name: docker-images-${{ matrix.java-version }}
           path: docker-images-skywalking-*.tar
 
-  dependency-license:
-    if: |
-      always() &&
-      ((github.event_name == 'schedule' && github.repository == 'apache/skywalking') || needs.changes.outputs.oap == 'true')
-    name: Dependency licenses
-    needs: [ dist-tar, changes ]
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          submodules: true
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: '8'
-          cache: 'maven'
-      - uses: actions/download-artifact@v3
-        with:
-          name: dist
-          path: dist
-      - name: Check Dependencies Licenses
-        run: tools/dependencies/check-LICENSE.sh
-
   unit-test:
     if: |
       always() &&

.licenserc.yaml

@@ -66,3 +66,54 @@ header:
     - 'oap-server/server-starter/src/main/resources/version.properties'
 
   comment: on-failure
+
+dependency:
+  files:
+    - pom.xml
+    - skywalking-ui/package.json
+  excludes:
+    - name: org.openjdk.jmh:jmh-core # We don't distribute the dependencies, they are just for the build process
+    - name: org.apache.skywalking:* # Exclude self dependencies
+  licenses:
+    - name: org.slf4j:slf4j-api
+      version: 1.7.30,1.7.32
+      license: Apache-2.0
+    - name: com.squareup.okhttp3:okhttp
+      version: 3.14.9,3.12.2
+      license: Apache-2.0
+    - name: com.google.guava:listenablefuture
+      version: 9999.0-empty-to-avoid-conflict-with-guava
+      license: Apache-2.0
+    - name: io.swagger:swagger-annotations
+      version: 1.6.5
+      license: Apache-2.0
+    - name: com.squareup.okio:okio
+      version: 1.15.0,1.17.2
+      license: Apache-2.0
+    - name: com.squareup.retrofit2:retrofit
+      version: 2.3.0,2.5.0
+      license: Apache-2.0
+    - name: com.squareup.retrofit2:converter-jackson
+      version: 2.3.0,2.5.0
+      license: Apache-2.0
+    - name: com.fasterxml.jackson.module:jackson-module-kotlin
+      version: 2.13.1
+      license: Apache-2.0
+    - name: com.fasterxml.jackson.datatype:jackson-datatype-jsr310
+      version: 2.13.2
+      license: Apache-2.0
+    - name: com.graphql-java:graphql-java-extended-scalars
+      version: 17.0
+      license: MIT
+    - name: com.github.luben:zstd-jni
+      version: 1.4.3-1
+      license: BSD-2-Clause
+    - name: com.h2database:h2
+      version: 2.1.212
+      license: MPL-2.0
+    - name: org.antlr:antlr4-runtime
+      version: 4.9.2
+      license: BSD-3-Clause
+    - name: com.google.flatbuffers:flatbuffers-java
+      version: 1.12.0
+      license: Apache-2.0

dist-material/release-docs/LICENSE.tpl

+{{ .LicenseContent }}
+
+=======================================================================
+Apache SkyWalking Subcomponents:
+
+The Apache SkyWalking project contains subcomponents with separate copyright
+notices and license terms. Your use of the source code for the these
+subcomponents is subject to the terms and conditions of the following
+licenses.
+========================================================================
+
+{{ range .Groups }}
+========================================================================
+{{ .LicenseID }} licenses
+========================================================================
+The following components are provided under the {{ .LicenseID }} License. See project link for details.
+{{- if eq .LicenseID "Apache-2.0" }}
+The text of each license is the standard Apache 2.0 license.
+{{- else }}
+The text of each license is also included in licenses/LICENSE-[project].txt.
+{{ end }}
+
+    {{- range .Deps }}
+      {{- $groupArtifact := regexSplit ":" .Name -1 }}
+      {{- if eq (len $groupArtifact) 2 }}
+        {{- $group := index $groupArtifact 0 }}
+        {{- $artifact := index $groupArtifact 1 }}
+    https://mvnrepository.com/artifact/{{ $group }}/{{ $artifact }}/{{ .Version }} {{ .LicenseID }}
+      {{- else }}
+    https://npmjs.com/package/{{ .Name }}/v/{{ .Version }} {{ .Version }} {{ .LicenseID }}
+      {{- end }}
+    {{- end }}
+{{ end }}

dist-material/release-docs/licenses/LICENSE-jopt-simple.txt

-The MIT License
-
- Copyright (c) 2004-2016 Paul R. Holser, Jr.
-
- Permission is hereby granted, free of charge, to any person obtaining
- a copy of this software and associated documentation files (the
- "Software"), to deal in the Software without restriction, including
- without limitation the rights to use, copy, modify, merge, publish,
- distribute, sublicense, and/or sell copies of the Software, and to
- permit persons to whom the Software is furnished to do so, subject to
- the following conditions:
-
- The above copyright notice and this permission notice shall be
- included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
- LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
- WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file

docs/en/guides/README.md

@@ -119,11 +119,13 @@ You would most likely have to add a new source and scope. To learn how to do thi
 
 As one of the Top Level Projects of The Apache Software Foundation (ASF), SkyWalking must follow the [ASF 3RD PARTY LICENSE POLICY](https://apache.org/legal/resolved.html). So if you're adding new dependencies to the project, you should make sure that the new dependencies would not break the policy, and add their LICENSE and NOTICE to the project.
 
-We have a [simple script](../../../tools/dependencies/check-LICENSE.sh) to help you make sure that you haven't missed out any new dependencies:
-- Build a distribution package and unzip/untar it to folder `dist`.
-- Run the script in the root directory. It will print out all new dependencies.
-- Check the LICENSE and NOTICE of those dependencies to make sure that they can be included in an ASF project. Add them to the `apm-dist/release-docs/{LICENSE,NOTICE}` file.
-- Add the names of these dependencies to the `tools/dependencies/known-oap-backend-dependencies.txt` file (**in alphabetical order**). `check-LICENSE.sh` should pass in the next run.
+We use [license-eye](https://github.com/apache/skywalking-eyes) to help you make sure that you haven't missed out any new dependencies:
+- Install `license-eye` according to [the doc](https://github.com/apache/skywalking-eyes#usage).
+- Run `license-eye dependency resolve --summary ./dist-material/release-docs/LICENSE.tpl` in the root directory of this project.
+- Check the modified lines in `./dist-material/release-docs/LICENSE` (via command `git diff -U0 ./dist-material/release-docs/LICENSE`) and
+  check whether the new dependencies' licenses are compatible with Apache 2.0.
+- Add the new dependencies' notice files (if any) to `./dist-material/release-docs/NOTICE` if they are Apache 2.0 license. Copy their license files to `./dist-material/release-docs/licenses` if they are not standard Apache 2.0 license.
+- Copy the new dependencies' license file to `./dist-material/release-docs/licenses` if they are not standard Apache 2.0 license.
 
 ## Profile
 The performance profile is an enhancement feature in the APM system. We use thread dump to estimate the method execution time, rather than adding multiple local spans. In this way, the cost would be significantly reduced compared to using distributed tracing to locate the slow method. This feature is suitable in the production environment. The following documents are key to understanding the essential parts of this feature.

tools/dependencies/check-LICENSE.sh

-#!/usr/bin/env bash
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-set -ex
-
-tar -zxf dist/apache-skywalking-apm-bin.tar.gz -C dist
-
-# List all modules(jars) that belong to the SkyWalking itself, these will be ignored
-# when checking the dependency licenses
-./mvnw --batch-mode -Pbackend -Dexec.executable='echo' -Dexec.args='${project.artifactId}-${project.version}.jar' exec:exec -q > self-modules.txt
-
-ls dist/apache-skywalking-apm-bin/oap-libs > all-dependencies.txt
-
-# Exclude all self modules(jars) to generate all third-party dependencies
-grep -vf self-modules.txt all-dependencies.txt > third-party-dependencies.txt
-
-# Compare the third-party dependencies with known dependencies, expect that
-# all third-party dependencies are KNOWN and the exit code of the command is 0,
-# otherwise we should add its license to LICENSE file and add the dependency to known-oap-backend-dependencies.txt.
-# Unify the `sort` behaviour: here we'll sort them again in case that the behaviour of `sort` command in target OS is different from what we
-# used to sort the file `known-oap-backend-dependencies.txt`,
-# i.e. "sort the two file using the same command (and default arguments)"
-diff -w -B -U0 <(cat tools/dependencies/known-oap-backend-dependencies.txt | sort) <(cat third-party-dependencies.txt | sort)

tools/dependencies/known-oap-backend-dependencies.txt

-HdrHistogram-2.1.12.jar
-HikariCP-3.1.0.jar
-LatencyUtils-2.0.3.jar
-animal-sniffer-annotations-1.19.jar
-annotations-13.0.jar
-antlr4-runtime-4.9.2.jar
-aopalliance-1.0.jar
-apollo-client-1.8.0.jar
-apollo-core-1.8.0.jar
-armeria-1.16.0.jar
-armeria-graphql-1.16.0.jar
-armeria-graphql-protocol-1.16.0.jar
-armeria-protobuf-1.16.0.jar
-audience-annotations-0.5.0.jar
-banyandb-java-client-0.1.0.jar
-bcpkix-jdk15on-1.70.jar
-bcprov-ext-jdk15on-1.70.jar
-bcprov-jdk15on-1.70.jar
-bcutil-jdk15on-1.70.jar
-brotli4j-1.7.1.jar
-checker-qual-3.12.0.jar
-classmate-1.5.1.jar
-client-java-15.0.1.jar
-client-java-api-15.0.1.jar
-client-java-proto-15.0.1.jar
-commons-beanutils-1.9.4.jar
-commons-codec-1.11.jar
-commons-collections4-4.4.jar
-commons-compress-1.21.jar
-commons-io-2.7.jar
-commons-lang3-3.12.0.jar
-commons-logging-1.2.jar
-commons-text-1.4.jar
-consul-client-1.4.2.jar
-converter-jackson-2.5.0.jar
-curator-client-4.3.0.jar
-curator-framework-4.3.0.jar
-curator-recipes-4.3.0.jar
-curator-x-discovery-4.3.0.jar
-error_prone_annotations-2.11.0.jar
-failsafe-2.3.4.jar
-failureaccess-1.0.1.jar
-flatbuffers-java-1.12.0.jar
-freemarker-2.3.31.jar
-graphql-java-17.3.jar
-graphql-java-extended-scalars-17.0.jar
-graphql-java-tools-12.0.2.jar
-groovy-3.0.8.jar
-grpc-api-1.46.0.jar
-grpc-context-1.46.0.jar
-grpc-core-1.46.0.jar
-grpc-grpclb-1.46.0.jar
-grpc-netty-1.46.0.jar
-grpc-protobuf-1.46.0.jar
-grpc-protobuf-lite-1.46.0.jar
-grpc-stub-1.46.0.jar
-gson-2.9.0.jar
-gson-fire-1.8.5.jar
-guava-31.1-jre.jar
-guice-4.1.0.jar
-h2-2.1.212.jar
-httpasyncclient-4.1.3.jar
-httpclient-4.5.13.jar
-httpcore-4.4.13.jar
-httpcore-nio-4.4.13.jar
-j2objc-annotations-1.3.jar
-jackson-annotations-2.13.2.jar
-jackson-core-2.13.2.jar
-jackson-databind-2.13.2.2.jar
-jackson-datatype-guava-2.9.10.jar
-jackson-datatype-jdk8-2.9.10.jar
-jackson-module-afterburner-2.12.2.jar
-jackson-module-kotlin-2.13.1.jar
-java-dataloader-3.1.0.jar
-javassist-3.25.0-GA.jar
-javax.inject-1.jar
-jcl-over-slf4j-1.7.30.jar
-jetcd-common-0.5.3.jar
-jetcd-core-0.5.3.jar
-jetcd-resolver-0.5.3.jar
-joda-time-2.10.5.jar
-jose4j-0.7.11.jar
-jsr305-3.0.2.jar
-kafka-clients-2.4.1.jar
-kotlin-reflect-1.5.0.jar
-kotlin-stdlib-1.5.0.jar
-kotlin-stdlib-common-1.5.0.jar
-kotlin-stdlib-jdk7-1.5.0.jar
-kotlin-stdlib-jdk8-1.5.0.jar
-kotlinx-coroutines-core-1.5.0-native-mt.jar
-kotlinx-coroutines-core-jvm-1.5.0-native-mt.jar
-kotlinx-coroutines-jdk8-1.5.0-native-mt.jar
-kotlinx-coroutines-reactive-1.5.0-native-mt.jar
-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-api-2.17.1.jar
-log4j-core-2.17.1.jar
-log4j-over-slf4j-1.7.30.jar
-log4j-slf4j-impl-2.17.1.jar
-logging-interceptor-4.9.2.jar
-lz4-java-1.6.0.jar
-micrometer-core-1.8.5.jar
-mvel2-2.4.8.Final.jar
-nacos-api-1.4.2.jar
-nacos-client-1.4.2.jar
-nacos-common-1.4.2.jar
-netty-buffer-4.1.77.Final.jar
-netty-codec-4.1.77.Final.jar
-netty-codec-dns-4.1.77.Final.jar
-netty-codec-haproxy-4.1.77.Final.jar
-netty-codec-http-4.1.77.Final.jar
-netty-codec-http2-4.1.77.Final.jar
-netty-codec-socks-4.1.77.Final.jar
-netty-common-4.1.77.Final.jar
-netty-handler-4.1.77.Final.jar
-netty-handler-proxy-4.1.77.Final.jar
-netty-resolver-4.1.77.Final.jar
-netty-resolver-dns-4.1.77.Final.jar
-netty-resolver-dns-native-macos-4.1.77.Final-osx-x86_64.jar
-netty-resolver-dns-native-macos-4.1.77.Final-osx-aarch_64.jar
-netty-resolver-dns-classes-macos-4.1.77.Final.jar
-netty-transport-classes-epoll-4.1.77.Final.jar
-netty-transport-4.1.77.Final.jar
-netty-transport-native-epoll-4.1.77.Final.jar
-netty-transport-native-epoll-4.1.77.Final-linux-x86_64.jar
-netty-transport-native-unix-common-4.1.77.Final.jar
-netty-transport-native-unix-common-4.1.77.Final-linux-x86_64.jar
-netty-tcnative-boringssl-static-2.0.52.Final-linux-aarch_64.jar
-netty-tcnative-boringssl-static-2.0.52.Final-linux-x86_64.jar
-netty-tcnative-boringssl-static-2.0.52.Final-osx-aarch_64.jar
-netty-tcnative-boringssl-static-2.0.52.Final-osx-x86_64.jar
-netty-tcnative-boringssl-static-2.0.52.Final-windows-x86_64.jar
-netty-tcnative-boringssl-static-2.0.52.Final.jar
-netty-tcnative-classes-2.0.52.Final.jar
-okhttp-3.14.9.jar
-okio-1.17.2.jar
-perfmark-api-0.25.0.jar
-postgresql-42.3.3.jar
-proto-google-common-protos-2.0.1.jar
-protobuf-java-3.19.4.jar
-protobuf-java-util-3.19.4.jar
-reactive-streams-1.0.2.jar
-retrofit-2.5.0.jar
-simpleclient-0.6.0.jar
-simpleclient_common-0.6.0.jar
-simpleclient_hotspot-0.6.0.jar
-simpleclient_httpserver-0.15.0.jar
-slf4j-api-1.7.30.jar
-snakeyaml-1.28.jar
-snappy-java-1.1.7.3.jar
-swagger-annotations-1.6.5.jar
-vavr-0.10.3.jar
-vavr-match-0.10.3.jar
-zipkin-2.23.16.jar
-zookeeper-3.5.7.jar
-zookeeper-jute-3.5.7.jar
-zstd-jni-1.4.3-1.jar