Component Whitelist

At VersionEye you can set up a license whitelist and assign it to your projects. Simply put the open source licenses you want to allow in your projects or company on the license whitelist. VersionEye will check all your dependencies against it and notify you if there is a license violation. This feature is used frequently at VersionEye.

Today I want to introduce the component whitelist. It is an extension to the license whitelist. Software packages that are on the component whitelist are marked “green” in the license tab, even if they violate the license whitelist. There are a couple of use cases for the component whitelist.

Assume you are using an open source package which is licensed under the MIT license. With the next release the maintainer changes the license from MIT to GPL-3.0. That means the newest version of the library would probably violate your license whitelist. But maybe you buy a commercial license for the library, so that you are allowed to use it in closed source software. In that case you could put that artefact on the component whitelist.

Here is an example. Assume you have a project with some dependencies which violate your license whitelist. Just like here:

[Screenshot: component_whitelist_3]

Now we will turn the 2 red dependencies green by putting them on a component whitelist. Simply click on the button “Manage Component Whitelists”. You will be redirected to this view:

[Screenshot: component_whitelist_1]

The component whitelist works similarly to the license whitelist. You can have as many component whitelists as you want. Create a new component whitelist by typing in a name and clicking on the button “Create New Whitelist”.

By clicking on the name of the component whitelist you get to a view where you can edit the elements on the list:

[Screenshot: component_whitelist_2]

An element on the component whitelist has in general this structure:

GROUP_ID : ARTIFACT_ID : VERSION

For example:

org.apache.httpcomponents:httpmime:4.5

The expression above whitelists version 4.5 of httpmime, and only version 4.5: versions 4.4 and 4.6 are not whitelisted!

Now let’s say we want to whitelist all versions of junit. That would look like this:

junit:junit

Or whitelist everything in the group “org.apache”.

org.apache

And don’t forget to whitelist mail.

javax.mail:

All right. Now go back to the project, select the new component whitelist and click the save button. Now we get this view:

[Screenshot: component_whitelist_4]

Now everything is green. Two dependencies still violate the license whitelist, but because they are on the component whitelist they are marked green anyway.
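To make the matching rules for the entry formats above (group only, group:artifact, group:artifact:version) and their interplay with the license whitelist concrete, here is a small Ruby matcher. It is an added example, not VersionEye's own code. Its matching semantics are assumptions where the post does not spell them out: a group-only entry such as `org.apache` is treated as a prefix match that also covers sub-groups like `org.apache.httpcomponents`, a trailing colon (`javax.mail:`) is treated the same as the group-only form, and versions are compared by exact string equality. The license and dependency values are constructed sample data.

```ruby
# Added example (not VersionEye's code): matcher for component whitelist
# entries of the form GROUP_ID[:ARTIFACT_ID[:VERSION]], combined with a
# license whitelist the way the post describes.
#
# Assumptions not stated on the page:
#  * a group-only entry ("org.apache") covers that group and every sub-group
#    ("org.apache.httpcomponents"), i.e. a prefix match on "org.apache."
#  * a trailing colon ("javax.mail:") is the same as the group-only form
#  * versions are compared as exact strings, no range semantics

ComponentEntry = Struct.new(:group, :artifact, :version) do
  # Parse one whitelist line, e.g. "org.apache.httpcomponents:httpmime:4.5",
  # "junit:junit", "org.apache" or "javax.mail:".
  def self.parse(text)
    parts = text.strip.split(':', -1).map(&:strip)
    group = parts[0]
    raise ArgumentError, "empty group id in #{text.inspect}" if group.nil? || group.empty?
    artifact = parts[1].to_s.empty? ? nil : parts[1]
    version  = parts[2].to_s.empty? ? nil : parts[2]
    new(group, artifact, version)
  end

  # Does this entry cover the dependency coordinate given?
  def matches?(dep_group, dep_artifact, dep_version)
    return false unless dep_group == group || dep_group.start_with?("#{group}.")
    return true if artifact.nil?                 # group-only entry: whole group
    return false unless dep_artifact == artifact
    version.nil? || dep_version == version       # no version given: all versions
  end
end

class ComponentWhitelist
  def initialize(lines)
    @entries = lines.map { |l| ComponentEntry.parse(l) }
  end

  def include?(group, artifact, version)
    @entries.any? { |e| e.matches?(group, artifact, version) }
  end
end

# A dependency as the license tab sees it: coordinate plus declared license.
Dependency = Struct.new(:group, :artifact, :version, :license)

# Mark each dependency :green when its license is on the license whitelist OR
# the component is on the component whitelist; otherwise :red. Returns a hash
# keyed by "artifact:version" so results are easy to inspect.
def classify(deps, license_whitelist, component_whitelist)
  allowed = license_whitelist.map(&:downcase)
  deps.each_with_object({}) do |d, out|
    ok = allowed.include?(d.license.to_s.downcase) ||
         component_whitelist.include?(d.group, d.artifact, d.version)
    out["#{d.artifact}:#{d.version}"] = ok ? :green : :red
  end
end

# Constructed sample data (not from a real project).
LICENSE_WHITELIST = %w[MIT Apache-2.0 BSD-3-Clause].freeze
COMPONENT_WHITELIST = ComponentWhitelist.new([
  'org.apache.httpcomponents:httpmime:4.5', # exactly this version
  'junit:junit',                             # every version of junit
  'javax.mail:',                             # whole javax.mail group
])
SAMPLE_DEPS = [
  Dependency.new('org.apache.httpcomponents', 'httpmime', '4.5', 'GPL-3.0'),
  Dependency.new('org.apache.httpcomponents', 'httpmime', '4.6', 'GPL-3.0'),
  Dependency.new('junit', 'junit', '4.12', 'EPL-1.0'),
  Dependency.new('javax.mail', 'mail', '1.4.7', 'CDDL-1.0'),
  Dependency.new('com.google.guava', 'guava', '18.0', 'Apache-2.0'),
  Dependency.new('mysql', 'mysql-connector-java', '5.1.38', 'GPL-2.0'),
].freeze

if __FILE__ == $PROGRAM_NAME
  classify(SAMPLE_DEPS, LICENSE_WHITELIST, COMPONENT_WHITELIST).each do |coord, color|
    puts "#{color.to_s.ljust(5)} #{coord}"
  end
end
```

Running the file lists httpmime 4.5, junit, mail and guava as green (the first three via the component whitelist, guava via its license) and httpmime 4.6 and the MySQL connector as red; the 4.6 case shows why the post warns that a versioned entry covers that one version only.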

This feature is very new. Please test it with caution and give feedback. Either here in the comments or on Twitter.
