Making sure that your project license is compatible with the licenses of its dependencies is never an easy task, but it is required for legal purposes. To automate this process and avoid mistakes, you can use the License audit feature, currently supported by the following Qodana linters:
Depending on the linter, License audit can analyze JPS, Maven, Gradle, npm, yarn, pip, and Composer projects. It reads information about project dependencies from the IntelliJ IDEA project model and from package manager configuration files.
How it works
For example, suppose a project is licensed under the Apache-2.0 license and uses three dependencies licensed under MIT, GPL-2.0-only, and Apache-2.0. The table below shows which of these dependency licenses are compatible with the project license.
Compatible with the project license
After Qodana has finished analyzing your project, the results become available in the report.
Running License audit
After you enable License audit, you can also configure it to:
Enable License audit
To enable License audit, add these lines to the qodana.yaml file in your project root:
For some reason, you may need to ignore a specific dependency in your project, which can be specified in
Allow or prohibit dependency licenses
You can override the license matrix and specify the list of dependency licenses that are allowed or prohibited for a specific project license.
In this snippet, the keys key accepts project licenses, and the allowed and prohibited keys accept the lists of allowed and prohibited dependency licenses respectively. As a result, the AGPL-3.0-only dependency license becomes compatible with the AFL-2.0 project license, while the Apache-1.0 dependency license becomes incompatible with it.
Override a dependency license
You can override a dependency license identifier. This is useful when a dependency is dual-licensed and you want to omit one of its licenses, or when the license name cannot be detected correctly from the dependency sources.
With this sample, Qodana will detect only the GPL-2.0-with-classpath-exception license for jaxb-runtime version 2.3.1.
Create custom dependencies
If you want to include a dependency that should be mentioned in the report but cannot be detected from the project sources, you can use the customDependencies key to specify it:
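The following is an added example that models the evaluation described in the sections above (a compatibility matrix, keys/allowed/prohibited rules, dependency license overrides, and ignored dependencies); it is illustrative code, not Qodana's implementation, the rule and override dictionaries only mirror the semantics of the snippets above rather than the real qodana.yaml schema, and the matrix is a constructed sample, not a legal reference.

```python
# Added example: a small model of the evaluation the page describes (license
# matrix, rule overrides, dependency overrides, ignores). It is not Qodana's
# code; the matrix below is a constructed sample, not a legal reference.
from dataclasses import dataclass

# Constructed sample matrix: project license -> dependency licenses it may use.
DEFAULT_MATRIX = {
    "Apache-2.0": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "AFL-2.0": {"MIT", "AFL-2.0", "Apache-1.0"},
}


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    licenses: frozenset  # SPDX identifiers detected for this dependency


def effective_allowed(project_license, rules):
    """Apply rules shaped like {"keys": [...], "allowed": [...], "prohibited": [...]}
    on top of the default matrix; later rules win over earlier ones."""
    allowed = set(DEFAULT_MATRIX.get(project_license, ()))
    for rule in rules:
        if project_license in rule.get("keys", ()):
            allowed |= set(rule.get("allowed", ()))
            allowed -= set(rule.get("prohibited", ()))
    return allowed


def apply_overrides(deps, overrides):
    """Replace the detected licenses of a (name, version) pair, which is how a
    dual-licensed or misdetected dependency is pinned to one identifier."""
    pinned = {(o["name"], o["version"]): frozenset(o["licenses"]) for o in overrides}
    return [Dependency(d.name, d.version, pinned.get((d.name, d.version), d.licenses))
            for d in deps]


def audit(project_license, deps, rules=(), overrides=(), ignores=()):
    """Return {dependency name: compatible?} for every non-ignored dependency.
    Every detected license must be allowed: a dual-licensed dependency is only
    compatible once an override removes the license you do not rely on."""
    allowed = effective_allowed(project_license, rules)
    return {
        d.name: bool(d.licenses) and d.licenses <= allowed
        for d in apply_overrides(deps, overrides)
        if d.name not in ignores
    }
```

A custom dependency that the scanner cannot detect is simply another Dependency appended to the input list before calling audit.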
To review License audit results, open the corresponding tab in the inspection report.
License audit inspection results are grouped into the list of dependencies required by the project.
If applicable, you can expand a dependency to review its dependency tree.
A filter lets you switch between all project dependencies and only the dependencies that are incompatible with the project license.
The report also lets you review the rules of license compatibility that were applied.
You can download the list of dependencies in various formats using the download button in the report.