feat: allowed licenses can also contain URL and name (besides ID)

src/main/java/io/github/remisbaima/cyclonedx/LicenseChecker.java

@@ -4,7 +4,10 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -34,8 +37,8 @@ public class LicenseChecker {
 
   private static final int TIMEOUT_MILLIS = 10000; // 10sec
 
-  protected Map<String, String> checkBom(Bom bom, Set<String> allowedLicenses) {
-    Map<String, String> nonCompliantDependencies = new HashMap<>();
+  protected Map<String, License> checkBom(Bom bom, Set<String> allowedLicenses) {
+    Map<String, License> nonCompliantDependencies = new HashMap<>();
     for (Component component : bom.getComponents()) {
       String dependencyId = getDependencyId(component);
       LicenseChoice licenseChoice = component.getLicenseChoice();
@@ -46,9 +49,14 @@ protected Map<String, String> checkBom(Bom bom, Set<String> allowedLicenses) {
 
       List<License> licenses = licenseChoice.getLicenses();
       for (License license : licenses) {
-        String licenseId = license.getId();
-        if (!allowedLicenses.contains(StringUtils.lowerCase(licenseId))) {
-          nonCompliantDependencies.put(dependencyId, licenseId);
+        String id = StringUtils.lowerCase(license.getId());
+        String url = StringUtils.lowerCase(license.getUrl());
+        String name = StringUtils.lowerCase(license.getName());
+        Set<String> itemsToCheck = new HashSet<>(Arrays.asList(id, url, name));
+
+        // check if license ID, URL and name are NOT present in allowedLicenses
+        if (Collections.disjoint(allowedLicenses, itemsToCheck)) {
+          nonCompliantDependencies.put(dependencyId, license);
         }
       }
     }

src/test/resources/basic-project/pom.xml

@@ -61,7 +61,7 @@
           </execution>
         </executions>
         <configuration>
-          <allowedLicenses>Apache-2.0,MIT</allowedLicenses>
+          <allowedLicenses>Apache-2.0,https://opensource.org/licenses/MIT</allowedLicenses>
           <allowedLicensesJson/>
           <allowedLicensesJsonPath/>
           <ignoredDependencies>org.codehaus.woodstox:stax2-api:4.2.1</ignoredDependencies>

src/test/resources/complex-project/licenses.json

@@ -1,18 +1,22 @@
 [
 	{
 		"License_SPDX": "Apache-2.0",
+		"License_Name": "Apache License 2.0",
 		"License_Conflicts": "No"
 	},
 	{
 		"License_SPDX": "BSD-4-Clause",
+		"License_Name": "BSD 4-Clause \"Original\" or \"Old\" License",
 		"License_Conflicts": "No"
 	},
 	{
 		"License_SPDX": "GPL-1.0-only",
+		"License_Name": "GNU General Public License v1.0 only",
 		"License_Conflicts": "Yes"
 	},
 	{
 		"License_SPDX": "GPL-2.0",
+		"License_Name": "GNU General Public License v2.0 only",
 		"License_Conflicts": "Yes"
 	}
 ]

src/test/resources/complex-project/pom.xml

@@ -61,7 +61,7 @@
           </execution>
         </executions>
         <configuration>
-          <allowedLicenses>MIT</allowedLicenses>
+          <allowedLicenses>MIT,https://www.apache.org/licenses/LICENSE-1.1</allowedLicenses>
           <allowedLicensesJson>${project.basedir}/licenses.json</allowedLicensesJson>
           <allowedLicensesJsonPath>$[?(@.License_Conflicts=='No')].License_SPDX</allowedLicensesJsonPath>
           <ignoredDependencies>org.codehaus.woodstox:stax2-api:4.2.1</ignoredDependencies>