I’d like Sonar to scan project dependencies and flag potential license issues.
In practice: scan npm packages, NuGet packages, etc. and compare their licenses against a list of whitelisted licenses.
This is similar to the ‘Support Dependency Checks’ feature, Support Dependency Checks for Known Vulnerabilities.
It looks a bit the same, but is actually quite different.
I can imagine checking for vulnerabilities is a lot harder compared to checking the used licenses vs. a whitelisted list.
While trying out SonarCloud I was looking for this feature, but couldn’t find it, probably because it doesn’t exist yet. It would be great if the license check can be added before a vulnerability check.
Something which would work for us would be the possibility to invoke some kind of API/Webhook with all of the (project) data so we will be able to check this out ourselves. But an OOB solution would be more awesome of course.
It would be great to hear if this feature can be picked up earlier or not and even if this will be implemented.
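A minimal version of the whitelist comparison described in this post, as an added example (not SonarQube, SonarCloud or plugin code): the package metadata is constructed inline, the whitelist is an assumed set of SPDX identifiers, and SPDX `OR`/`AND` expressions are evaluated so a dual-licensed package is not flagged by mistake.

```javascript
// Added example (not SonarQube or plugin code): flag dependencies whose
// declared license is not on a whitelist of SPDX identifiers (assumed set).
const WHITELIST = new Set(["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]);

// Evaluate an SPDX expression such as "(MIT OR GPL-3.0-only)": OR passes if
// either side passes, AND only if both do; missing/malformed input is rejected.
function isAllowed(expr, whitelist = WHITELIST) {
  if (typeof expr !== "string") return false;
  const tokens = expr.match(/\(|\)|\b(?:AND|OR)\b|[A-Za-z0-9.+-]+/g) || [];
  let pos = 0, bad = false;
  const primary = () => {
    const tok = tokens[pos++];
    if (tok === "(") { const v = or(); if (tokens[pos++] !== ")") bad = true; return v; }
    if (tok === undefined || tok === ")" || tok === "AND" || tok === "OR") { bad = true; return false; }
    return whitelist.has(tok);
  };
  const and = () => { let v = primary(); while (tokens[pos] === "AND") { pos++; v = primary() && v; } return v; };
  const or = () => { let v = and(); while (tokens[pos] === "OR") { pos++; v = and() || v; } return v; };
  const result = or();
  return result && !bad && pos === tokens.length; // trailing junk also rejects
}

// npm has used two metadata shapes: "license" (string or {type}) and the
// deprecated "licenses" array, whose entries are alternatives (OR).
function declaredLicense(pkg) {
  if (typeof pkg.license === "string") return pkg.license;
  if (pkg.license && typeof pkg.license.type === "string") return pkg.license.type;
  if (Array.isArray(pkg.licenses) && pkg.licenses.length > 0) {
    return "(" + pkg.licenses.map(l => (typeof l === "string" ? l : l.type)).join(" OR ") + ")";
  }
  return "UNKNOWN"; // no declared license: never cleared by default
}

// Returns the dependencies that fail the whitelist check.
function findLicenseViolations(packages, whitelist = WHITELIST) {
  return packages
    .map(p => ({ name: p.name, version: p.version, license: declaredLicense(p) }))
    .filter(p => !isAllowed(p.license, whitelist));
}

// Constructed sample metadata (not real packages); normally read from node_modules/*/package.json.
const SAMPLE_DEPENDENCIES = [
  { name: "web-framework", version: "4.1.0", license: "MIT" },
  { name: "dual-licensed-lib", version: "2.0.3", license: "(MIT OR GPL-3.0-only)" },
  { name: "bundled-lib", version: "1.2.0", license: "(MIT AND LGPL-2.1-only)" },
  { name: "copyleft-lib", version: "0.9.1", license: "GPL-2.0-only" },
  { name: "legacy-meta", version: "0.1.0", licenses: [{ type: "BSD-3-Clause" }] },
  { name: "no-license-field", version: "3.3.3" },
];

findLicenseViolations(SAMPLE_DEPENDENCIES).forEach(v => console.log(`${v.name}@${v.version}: "${v.license}" not whitelisted`));
```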
I found an active community license check plugin for SonarQube Server. The plugin home is https://github.com/porscheinformatik/sonarqube-licensecheck. It seems to match the functionality being requested, something I have been looking for too.
I have installed it on my SonarQube Server (7.8) and am doing the beginning steps of configuration.
–Mark
Hi Mark,
Thanks for the tip. We use commercial tools like Nexus IQ or Artifactory Xray, but the plugin looks promising; we will surely test it.
At a first glance I'm missing some filter for open and closed licenses.
Not everyone has a juristic background, and in a corporate environment you shouldn't use a license that obliges you to open source your code.
Gilbert
There were some updates to this plugin.
Is there still movement on the topic? I would love to get this for SonarCloud. I would be willing to pay for this too.