Component Whitelist

At VersionEye you can setup a license whitelist and assign it to your projects. Simply put open source licenses on the license whitelist you want to allow in your projects/company. VersionEye will check all your dependencies against the license whitelist and notify you if there is a license violation. This feature is used frequently at VersionEye.

Today I want to introduce the component whitelist. It is an extension to the license whitelist. Software packages who are on the component whitelist are marked “green” in the license tab, even if they violate the license whitelist. There are a couple of use cases for the component whitelist.

Assume you are using an open source package which is licensed under the MIT license. With the next release the maintainer is changing the license from MIT to GPL-3.0. That means the newest version of the software library would probably violate your license whitelist. But maybe you buy a commercial license for the library, so that you are allowed to use it in closed source software. In that case you could set that artefact on the component whitelist.

Here is an example. Assume you have a project with some dependencies which violate your license whitelist. Just like here:

component_whitelist_3

Now we will turn the 2 red dependencies green by putting them on a component whitelist. Simply click on the button “Manage Component Whitelists”. You will be redirected to this view.

component_whitelist_1

The component whitelist works similar to the license whitelist. You can have as many component whitelists as you want. Create a new component whitelist by typing in a name and clicking on the button “Create New Whitelist”.

By clicking on the name of the component whitelist you come to a view where you can edit the elements on the list.

component_whitelist_2

An element on the component whitelist has in general this structure:

GROUP_ID : ARTIFACT_ID : VERSION

For example:

org.apache.httpcomponents:httpmime:4.5

The expression above would whitelist version 4.5 of httpmime. And it would whitelist only version 4.5. Version 4.4 or 4.6 are not whitelisted!

Now let’s say we want to whitelist all version of junit. That would look like this:

junit:junit

Or whitelist everything in the group “org.apache”.

org.apache

And don’t forget to whitelist mail.

javax.mail:

All right. Now go back to the project and select the new component whitelist and click the save button. Now we will get this view:

component_whitelist_4

Now everything is green. There are 2 dependencies which violate the license whitelist, but because they are on the component whitelist they are marked green anyway.

This feature is very new. Please test it with caution and give feedback. Either here in the comments or on Twitter.

3 thoughts on “Component Whitelist

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s