How to component-whitelist non-Java dependencies

Since last week VersionEye supports component whitelists. In the last blog post I described how to whitelist Java/Maven dependencies. The structure for that is like this:

GROUP_ID : ARTIFACT_ID : VERSION

Now the question came up of how to put non-Java/Maven dependencies on the component whitelist.

That is possible as well! For non-Java/Maven dependencies simply use this pattern:

LANGUAGE : PROD_KEY : VERSION

For example:

Ruby:rails:4.2.4

to whitelist version 4.2.4 of Ruby on Rails. If you want to whitelist ALL versions of Ruby on Rails, use this expression:

Ruby:rails

Let me know if you have more questions. Either here in the comments or on Twitter.

Improved Component Whitelist

Since last week VersionEye is offering a component whitelist for software dependencies. The component whitelist is an extension for the license whitelist. Dependencies which usually would violate a license whitelist can be whitelisted through a component whitelist.

After using the component whitelist for a couple of days, the question came up which dependencies are whitelisted through the license whitelist and which through the component whitelist. In the current version, dependencies that are whitelisted through the component whitelist are marked with a thumbs-up icon, like in this example.

[Screenshot: component_whitelist]

In the screenshot above the 2 dependencies “junit” and “mail” usually would be marked red, because their licenses are not on the selected license whitelist. But they are “green” anyway because they are on the component whitelist.

Contact me if you have more suggestions for improvements, either here in the comments or on Twitter.

Component Whitelist

At VersionEye you can set up a license whitelist and assign it to your projects. Simply put the open source licenses you want to allow in your projects/company on the license whitelist. VersionEye will check all your dependencies against the license whitelist and notify you if there is a license violation. This feature is used frequently at VersionEye.

Today I want to introduce the component whitelist. It is an extension to the license whitelist. Software packages that are on the component whitelist are marked “green” in the license tab, even if they violate the license whitelist. There are a couple of use cases for the component whitelist.

Assume you are using an open source package which is licensed under the MIT license. With the next release the maintainer changes the license from MIT to GPL-3.0. That means the newest version of the software library would probably violate your license whitelist. But maybe you buy a commercial license for the library, so that you are allowed to use it in closed source software. In that case you could put that artefact on the component whitelist.

Here is an example. Assume you have a project with some dependencies which violate your license whitelist. Just like here:

[Screenshot: component_whitelist_3]

Now we will turn the 2 red dependencies green by putting them on a component whitelist. Simply click on the button “Manage Component Whitelists”. You will be redirected to this view.

[Screenshot: component_whitelist_1]

The component whitelist works similar to the license whitelist. You can have as many component whitelists as you want. Create a new component whitelist by typing in a name and clicking on the button “Create New Whitelist”.

By clicking on the name of the component whitelist you come to a view where you can edit the elements on the list.

[Screenshot: component_whitelist_2]

An element on the component whitelist has, in general, this structure:

GROUP_ID : ARTIFACT_ID : VERSION

For example:

org.apache.httpcomponents:httpmime:4.5

The expression above whitelists version 4.5 of httpmime, and only version 4.5. Versions 4.4 or 4.6 are not whitelisted!

Now let’s say we want to whitelist all versions of junit. That would look like this:

junit:junit

Or whitelist everything in the group “org.apache”.

org.apache

And don’t forget to whitelist mail.

javax.mail:
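To make the matching rules from this post and from the non-Java post concrete, here is a small Ruby matcher for the entry format. This is an added example, not VersionEye’s own code; it assumes that each given segment is compared exactly (case-sensitively), that an omitted trailing segment matches any value, and that a group-only entry such as org.apache matches that exact group id.

```ruby
# Added example, not VersionEye's code. Implements the whitelist entry format
#   GROUP_ID : ARTIFACT_ID : VERSION      (Java/Maven)
#   LANGUAGE : PROD_KEY : VERSION         (everything else)
# Assumptions (not stated in the posts): segments compare exactly and
# case-sensitively; an omitted trailing segment matches anything.

# Parse one entry such as "org.apache.httpcomponents:httpmime:4.5",
# "junit:junit", "org.apache", "javax.mail:" or "Ruby:rails:4.2.4".
# Whitespace around segments and a trailing colon are tolerated.
def parse_whitelist_entry(entry)
  segments = entry.to_s.split(":").map(&:strip)
  segments.pop while segments.any? && segments.last.empty?
  raise ArgumentError, "empty whitelist entry: #{entry.inspect}" if segments.empty?
  raise ArgumentError, "too many segments in #{entry.inspect}" if segments.length > 3
  segments
end

# A dependency is identified by the same three coordinates, e.g.
# ["org.apache.httpcomponents", "httpmime", "4.5"] or ["Ruby", "rails", "4.2.4"].
# Every segment present in the entry must equal the dependency's segment.
def entry_matches?(entry, dependency)
  wanted = parse_whitelist_entry(entry)
  wanted.each_with_index.all? { |segment, i| segment == dependency[i] }
end

# True if any entry on the component whitelist covers the dependency.
def component_whitelisted?(component_whitelist, dependency)
  component_whitelist.any? { |entry| entry_matches?(entry, dependency) }
end

# Colour of the row in the license tab: green if the license is allowed by the
# license whitelist, or if the component itself is on the component whitelist.
def license_status(dependency, license, license_whitelist, component_whitelist)
  return :green if license_whitelist.include?(license)
  component_whitelisted?(component_whitelist, dependency) ? :green : :red
end

# Constructed sample data mirroring the examples in the posts.
COMPONENT_WHITELIST = ["org.apache.httpcomponents:httpmime:4.5", "junit:junit", "javax.mail:", "Ruby:rails"]
LICENSE_WHITELIST   = ["MIT", "Apache-2.0"]

if __FILE__ == $PROGRAM_NAME
  puts license_status(["junit", "junit", "4.12"], "EPL-1.0", LICENSE_WHITELIST, COMPONENT_WHITELIST)   # green
  puts license_status(["org.slf4j", "slf4j-api", "1.7.12"], "GPL-3.0", LICENSE_WHITELIST, COMPONENT_WHITELIST) # red
end
```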

All right. Now go back to the project, select the new component whitelist and click the save button. Now we will get this view:

[Screenshot: component_whitelist_4]

Now everything is green. There are 2 dependencies which violate the license whitelist, but because they are on the component whitelist they are marked green anyway.

This feature is very new. Please test it with caution and give feedback. Either here in the comments or on Twitter.