adds automated license checking to our pipeline

[ChrisBAshton]

Resolves N/A

Overall change: Adds apache2-license-checker to our pipeline to ensure we don't introduce dependencies that are incompatible with Apachev2.

Code changes:

• Adds apache2-license-checker as a dependency
• Adds a license-exceptions.json file which lists the dependencies the tool could not automatically check, and a reason why we think the dependencies are OK
• Adds a call to apache2-license-checker in the pre-push step so we can't push incompatible branches.

Test notes

The apache2-license-checker should prevent us pushing if we add an Apache2-noncompliant dependency.

First of all git checkout -b testing-the-license-branch. Then try removing, for example, this from license-exceptions.json:

    "abab@*": {
      "reason": "Licensed under W3C 3-clause BSD license; https://github.com/jsdom/abab/blob/master/LICENSE.md"
    },

git commit -am "removed license exception - this commit should be fine".

Now git push origin testing-the-license-branch and the license checker script should run and fail ("abab is not compliant with Apache2" or similar message).

If you git push origin testing-the-license-branch --no-verify, it will force push (the --no-verify skips the verification step). You should then see it fail in Jenkins.

---

• I have assigned myself to this PR and the corresponding issues
• Tests added for new features
• Test engineer approval
• I have followed the merging checklist and this is ready to merge.

[bcmn]

This looks really good -- is it worth running on Jenkins/Travis as well, to avoid any sneaky --no-verifys which could undermine it?

[dr3]

I agree with ben, we should pop this as a pipeline step :)

[ChrisBAshton]

@bbc/apache2-license-checker is currently a private package, despite the repo itself being open source: https://github.com/bbc/apache2-license-checker

Have raised bbc/apache2-license-checker#11.

[dr3]

Im generally not a fan of running npx programatically, but LGTM :)

[pjlee11]

LGTM 👍

[jamesbrumpton]

👍