Add dependency licenses check (#3221)

* Add dependency licenses check

Add dependency licenses check (#3221)
* Add dependency licenses check
37acc3dc · kezhenxu94 · wu-sheng · eff9faa8 · 37acc3dc · 37acc3dc
11 changed file
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -63,6 +63,13 @@ pipeline {
                                sh './mvnw javadoc:javadoc -Dmaven.test.skip=true'
                            }
                        }
+
+                        stage('Check Dependencies Licenses') {
+                            steps {
+                                sh 'tar -zxf dist/apache-skywalking-apm-bin.tar.gz -C dist'
+                                sh 'tools/dependencies/check-LICENSE.sh'
+                            }
+                        }
                    }

                    post {

--- a/apm-dist/release-docs/LICENSE
+++ b/apm-dist/release-docs/LICENSE
@@ -271,7 +271,7 @@ The text of each license is the standard Apache 2.0 license.
    Apache: commons-io 2.4: https://github.com/apache/commons-io, Apache 2.0
    Apache: commons-compress 1.18: https://github.com/apache/commons-compress, Apache 2.0
    Apache: tomcat 8.5.27: https://github.com/apache/tomcat/tree/trunk, Apache 2.0
-    Apache: freemaker 2.3.28: https://github.com/apache/freemarker, Apache 2.0
+    Apache: freemarker 2.3.28: https://github.com/apache/freemarker, Apache 2.0
    netty 5.5.0: https://github.com/netty/netty/blob/4.1/LICENSE.txt, Apache 2.0
    annotations 13.0: http://www.jetbrains.org, Apache 2.0
    compiler 0.9.3: https://github.com/spullara/mustache.java, Apache 2.0

--- a/apm-dist/release-docs/NOTICE
+++ b/apm-dist/release-docs/NOTICE
--- a/docs/en/guides/README.md
+++ b/docs/en/guides/README.md
@@ -116,6 +116,21 @@ static resources and send GraphQL query requests to backend.
 - [Legacy UI repository](https://github.com/apache/skywalking-ui) is still there, but not included
 in SkyWalking release, after 6.0.0-GA.

+### OAP backend dependency management
+> This section is only applicable to the dependencies of the backend module
+
+Being one of the Top Level Projects of The Apache Software Foundation (ASF),
+SkyWalking is supposed to follow the [ASF 3RD PARTY LICENSE POLICY](https://apache.org/legal/resolved.html),
+so if you're adding new dependencies to the project, you're responsible to check the newly-added dependencies
+won't break the policy, and add their LICENSE's and NOTICES's to the project.
+
+We have a [simple script](../../../tools/dependencies/check-LICENSE.sh) to help you make sure that you didn't
+miss any newly-added dependency:
+- Build a distribution package and unzip/untar it to folder `dist`.
+- Run the script in the root directory, it will print out all newly-added dependencies.
+- Check the LICENSE's and NOTICE's of those dependencies, if they can be included in an ASF project, add them in the `apm-dist/release-docs/{LICENSE,NOTICE}` file.
+- Add those dependencies' names to the `tools/dependencies/known-oap-backend-dependencies.txt` file (**alphabetical order**), the next run of `check-LICENSE.sh` should pass. 
+
 ## For release
 [Apache Release Guide](How-to-release.md) introduces to the committer team about doing official Apache version release, to avoid 
 breaking any Apache rule. Apache license allows everyone to redistribute if you keep our licenses and NOTICE

--- a/oap-server/oal-grammar/pom.xml
+++ b/oap-server/oal-grammar/pom.xml
@@ -30,7 +30,7 @@
    <dependencies>
        <dependency>
            <groupId>org.antlr</groupId>
-            <artifactId>antlr4</artifactId>
+            <artifactId>antlr4-runtime</artifactId>
        </dependency>
    </dependencies>

@@ -39,7 +39,7 @@
            <plugin>
                <groupId>org.antlr</groupId>
                <artifactId>antlr4-maven-plugin</artifactId>
-                <version>4.7.1</version>
+                <version>${antlr.version}</version>
                <executions>
                    <execution>
                        <id>antlr</id>

--- a/oap-server/oal-rt/pom.xml
+++ b/oap-server/oal-rt/pom.xml
@@ -40,7 +40,7 @@
        </dependency>
        <dependency>
            <groupId>org.antlr</groupId>
-            <artifactId>antlr4</artifactId>
+            <artifactId>antlr4-runtime</artifactId>
        </dependency>
        <dependency>
            <groupId>org.freemarker</groupId>

--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -481,7 +481,7 @@

            <dependency>
                <groupId>org.antlr</groupId>
-                <artifactId>antlr4</artifactId>
+                <artifactId>antlr4-runtime</artifactId>
                <version>${antlr.version}</version>
            </dependency>
            <dependency>

--- a/oap-server/server-starter/src/main/resources/official_analysis.oal
+++ b/oap-server/server-starter/src/main/resources/official_analysis.oal
@@ -113,4 +113,4 @@ envoy_parent_connections_used = from(EnvoyInstanceMetric.value).filter(metricNam
 // disable(endpoint_relation_server_side);
 // disable(top_n_database_statement);
 // disable(zipkin_span);
-// disable(jaeger_span);
\ No newline at end of file
+// disable(jaeger_span);
--- a/pom.xml
+++ b/pom.xml
@@ -422,6 +422,7 @@

                        <!-- Maven Wrapper generated files -->
                        <exclude>.mvn/wrapper/maven-wrapper.properties</exclude>
+                        <exclude>tools/dependencies/known-oap-backend-dependencies.txt</exclude>
                    </excludes>
                </configuration>
                <executions>

--- a/tools/dependencies/check-LICENSE.sh
+++ b/tools/dependencies/check-LICENSE.sh
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# List all modules(jars) that belong to the SkyWalking itself, these will be ignored
+# when checking the dependency licenses
+./mvnw -Pbackend -Dexec.executable='echo' -Dexec.args='${project.artifactId}-${project.version}.jar' exec:exec -q > self-modules.txt
+
+ls dist/apache-skywalking-apm-bin/oap-libs > all-dependencies.txt
+
+# Exclude all self modules(jars) to generate all third-party dependencies
+grep -vf self-modules.txt all-dependencies.txt > third-party-dependencies.txt
+
+# Compare the third-party dependencies with known dependencies, expect that
+# all third-party dependencies are KNOWN and the exit code of the command is 0,
+# otherwise we should add its license to LICENSE file and add the dependency to known-oap-backend-dependencies.txt.
+# Unify the `sort` behaviour: here we'll sort them again in case that the behaviour of `sort` command in target OS is different from what we
+# used to sort the file `known-oap-backend-dependencies.txt`,
+# i.e. "sort the two file using the same command (and default arguments)"
+diff -w -B -U0 <(cat tools/dependencies/known-oap-backend-dependencies.txt | sort) <(cat third-party-dependencies.txt | sort)
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
+aggs-matrix-stats-client-6.3.2.jar
+animal-sniffer-annotations-1.17.jar
+annotations-13.0.jar
+antlr4-runtime-4.7.1.jar
+aopalliance-1.0.jar
+apollo-client-1.4.0.jar
+apollo-core-1.4.0.jar
+bcpkix-jdk15on-1.59.jar
+bcprov-ext-jdk15on-1.59.jar
+bcprov-jdk15on-1.59.jar
+builder-annotations-0.9.2.jar
+caffeine-2.6.2.jar
+client-java-4.0.0.jar
+client-java-api-4.0.0.jar
+client-java-proto-4.0.0.jar
+commons-codec-1.11.jar
+commons-compress-1.18.jar
+commons-dbcp-1.4.jar
+commons-io-2.6.jar
+commons-lang3-3.7.jar
+commons-pool-1.5.4.jar
+commons-text-1.4.jar
+consul-client-1.2.6.jar
+converter-jackson-2.3.0.jar
+curator-client-4.0.1.jar
+curator-framework-4.0.1.jar
+curator-recipes-4.0.1.jar
+curator-x-discovery-4.0.1.jar
+elasticsearch-6.3.2.jar
+elasticsearch-cli-6.3.2.jar
+elasticsearch-core-6.3.2.jar
+elasticsearch-rest-client-6.3.2.jar
+elasticsearch-rest-high-level-client-6.3.2.jar
+elasticsearch-secure-sm-6.3.2.jar
+elasticsearch-x-content-6.3.2.jar
+error_prone_annotations-2.2.0.jar
+etcd4j-2.17.0.jar
+fastjson-1.2.47.jar
+freemarker-2.3.28.jar
+graphql-java-8.0.jar
+graphql-java-tools-5.2.3.jar
+groovy-2.4.5-indy.jar
+grpc-context-1.15.1.jar
+grpc-core-1.15.1.jar
+grpc-netty-1.15.1.jar
+grpc-protobuf-1.15.1.jar
+grpc-protobuf-lite-1.15.1.jar
+grpc-stub-1.15.1.jar
+gson-2.8.1.jar
+guava-20.0.jar
+guice-4.1.0.jar
+h2-1.4.196.jar
+HdrHistogram-2.1.9.jar
+HikariCP-3.1.0.jar
+hppc-0.7.1.jar
+httpasyncclient-4.1.2.jar
+httpclient-4.5.2.jar
+httpcore-4.4.5.jar
+httpcore-nio-4.4.5.jar
+jackson-annotations-2.9.5.jar
+jackson-core-2.9.5.jar
+jackson-core-asl-1.9.13.jar
+jackson-databind-2.9.5.jar
+jackson-dataformat-cbor-2.8.10.jar
+jackson-dataformat-smile-2.8.10.jar
+jackson-dataformat-yaml-2.8.10.jar
+jackson-datatype-guava-2.9.5.jar
+jackson-datatype-jdk8-2.9.5.jar
+jackson-mapper-asl-1.9.13.jar
+jackson-module-afterburner-2.9.5.jar
+jackson-module-kotlin-2.8.8.jar
+java-dataloader-2.0.2.jar
+javassist-3.25.0-GA.jar
+javax.inject-1.jar
+javax.servlet-api-3.1.0.jar
+jcl-over-slf4j-1.7.25.jar
+jetty-http-9.4.2.v20170220.jar
+jetty-io-9.4.2.v20170220.jar
+jetty-security-9.4.2.v20170220.jar
+jetty-server-9.4.2.v20170220.jar
+jetty-servlet-9.4.2.v20170220.jar
+jetty-util-9.4.2.v20170220.jar
+jline-0.9.94.jar
+jna-4.5.1.jar
+joda-convert-1.2.jar
+joda-time-2.9.9.jar
+jopt-simple-4.6.jar
+json-flattener-0.6.0.jar
+jsr305-1.3.9.jar
+kotlin-reflect-1.1.1.jar
+kotlin-stdlib-1.1.60.jar
+log4j-1.2.16.jar
+log4j-api-2.9.0.jar
+log4j-core-2.9.0.jar
+log4j-over-slf4j-1.7.25.jar
+log4j-slf4j-impl-2.9.0.jar
+logging-interceptor-2.7.5.jar
+lucene-analyzers-common-7.3.1.jar
+lucene-backward-codecs-7.3.1.jar
+lucene-core-7.3.1.jar
+lucene-grouping-7.3.1.jar
+lucene-highlighter-7.3.1.jar
+lucene-join-7.3.1.jar
+lucene-memory-7.3.1.jar
+lucene-misc-7.3.1.jar
+lucene-queries-7.3.1.jar
+lucene-queryparser-7.3.1.jar
+lucene-sandbox-7.3.1.jar
+lucene-spatial-7.3.1.jar
+lucene-spatial-extras-7.3.1.jar
+lucene-spatial3d-7.3.1.jar
+lucene-suggest-7.3.1.jar
+minimal-json-0.9.5.jar
+nacos-api-1.0.0.jar
+nacos-client-1.0.0.jar
+nacos-common-1.0.0.jar
+netty-3.10.5.Final.jar
+netty-buffer-4.1.27.Final.jar
+netty-codec-4.1.27.Final.jar
+netty-codec-dns-4.1.27.Final.jar
+netty-codec-http-4.1.27.Final.jar
+netty-codec-http2-4.1.27.Final.jar
+netty-codec-socks-4.1.27.Final.jar
+netty-common-4.1.27.Final.jar
+netty-handler-4.1.27.Final.jar
+netty-handler-proxy-4.1.27.Final.jar
+netty-resolver-4.1.27.Final.jar
+netty-resolver-dns-4.1.27.Final.jar
+netty-tcnative-boringssl-static-2.0.7.Final.jar
+netty-transport-4.1.27.Final.jar
+okhttp-2.7.5.jar
+okhttp-3.9.0.jar
+okhttp-ws-2.7.5.jar
+okio-1.13.0.jar
+opencensus-api-0.12.3.jar
+opencensus-contrib-grpc-metrics-0.12.3.jar
+parent-join-client-6.3.2.jar
+proto-google-common-protos-1.0.0.jar
+protobuf-java-3.4.0.jar
+rank-eval-client-6.3.2.jar
+reactive-streams-1.0.2.jar
+reflectasm-1.11.7.jar
+resourcecify-annotations-0.9.2.jar
+retrofit-2.3.0.jar
+sharding-jdbc-core-2.0.3.jar
+simpleclient-0.6.0.jar
+simpleclient_common-0.6.0.jar
+simpleclient_hotspot-0.6.0.jar
+simpleclient_httpserver-0.6.0.jar
+slf4j-api-1.7.25.jar
+snakeyaml-1.18.jar
+sundr-codegen-0.9.2.jar
+sundr-core-0.9.2.jar
+swagger-annotations-1.5.12.jar
+t-digest-3.2.jar
+zipkin-2.9.1.jar
+zookeeper-3.4.10.jar