License scanning to enforce Apache 2.0 #89
RemakingEden started this conversation in Ideas
Replies: 2 comments
@evberrypi @wyli @mocsharp check this out, coming from Joss from Answer. Related to our PR and release discussion this morning. It may be helpful. Thanks!
This would be really useful if integrated with our CI pipeline; it prevents last-minute findings if any licenses aren't permitted.

Original post (RemakingEden):
I have been looking at the pipelines over the last couple weeks and noticed we have a lack of license scanning and I'm wondering if this is something that needs solidifying.
@mocsharp pointed out the way it is done on Informatics Gateway, using a file to which the new packages are added with their appropriate licenses: https://github.com/Project-MONAI/monai-deploy-informatics-gateway/blob/4645974140e30ef857d96155ea96ae36f81f0555/docs/compliance/open-source-licenses.md. The technique works, but it seems to rely on the developer not forgetting and/or the code reviewer double-checking all new packages. I could see how packages could sneak through using this system.
Annoyingly, without paying for Snyk there is not a very easy way to do this on dotnet. The best alternative I have found is a tool I've used on other projects, License Finder. This will check for any licenses that are not in a prewritten allow list and fail, like the image below. Failing the pipeline should stop the PR being merged.
The decisions file is committed alongside the code and looks like the image below.
You can see this has blame and the reason why it has been accepted, and the version if we want to be strict.
My proposed system is that we use this step to ensure that the licenses are always checked as part of every PR and there is no way a package can slip through. We would have to add this to our contributing documentation and ensure everyone knew how to add to the allowlist.
I'm aware this one has a lot of work up front approving all current packages, but it should be very maintainable from there. I'd love to hear people's thoughts and whether there are any better systems people have used.
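The policy the post describes (a permitted-licenses allow list, plus a committed decisions file recording who approved an exception, why, and for which version) can be demonstrated without License Finder or Snyk. The script below is an added example written for this page; it is not code from the Informatics Gateway project and not part of License Finder. It reads the `.nuspec` metadata that `dotnet restore` leaves in the local NuGet cache, evaluates flat SPDX license expressions, and exits non-zero on anything that is neither permitted nor covered by a version-pinned approval. The `PERMITTED` set, the `APPROVALS` table, the `Sample.*` package names and the cache layout `<id>/<version>/<id>.nuspec` are assumptions made for the example; the nuspec documents are constructed inline so it runs offline.

```python
"""License gate for NuGet dependencies: allow list plus reviewed exceptions.

Added illustration (not the project's code and not License Finder). It applies
a permitted-licenses list and a decisions table of per-package approvals
(who/why/pinned versions) to .nuspec metadata. With a path argument it scans a
real cache (~/.nuget/packages); without one it runs on constructed sample data.
Exit status 1 on any unresolved finding so a CI job fails the PR.
"""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

# Assumed allow list: the project's own license plus permissive licenses
# compatible with it. Extend deliberately, in code review.
PERMITTED = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Reviewed exceptions, modelled on a License Finder decisions file:
# package id -> pinned versions (None means any version), who, why.
# Constructed sample data; in a project this would live in a committed file.
APPROVALS = {
    "Sample.Dual": {
        "versions": {"2.1.0"},
        "who": "jdoe",
        "why": "LGPL library used unmodified via dynamic linking",
    },
}

NOT_MACHINE_READABLE = ("FILE:", "URL:", "NONE")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    license: str
    reason: str


def expression_permitted(expr: str, permitted: set) -> bool:
    """Evaluate a flat SPDX expression such as 'MIT OR GPL-3.0-only'.

    OR binds looser than AND in SPDX, so split on OR first. Parenthesised
    expressions are not handled: they are denied and need an approval.
    """
    if "(" in expr:
        return False
    return any(
        all(term.strip() in permitted for term in alternative.split(" AND "))
        for alternative in expr.split(" OR ")
    )


def parse_nuspec(xml_text: str):
    """Return (id, version, license) from a .nuspec document.

    Only <license type="expression"> is machine-readable; a license file, a
    bare <licenseUrl>, or no license element is tagged so a human must review it.
    """
    def local(el):
        return el.tag.rsplit("}", 1)[-1]  # strip the nuspec XML namespace

    root = ET.fromstring(xml_text)
    metadata = next(el for el in root.iter() if local(el) == "metadata")
    fields = {local(el): el for el in metadata}
    pkg_id = fields["id"].text.strip()
    version = fields["version"].text.strip()
    lic = fields.get("license")
    if lic is not None and lic.get("type") == "expression":
        return pkg_id, version, lic.text.strip()
    if lic is not None:
        return pkg_id, version, "FILE:" + lic.text.strip()
    if "licenseUrl" in fields:
        return pkg_id, version, "URL:" + fields["licenseUrl"].text.strip()
    return pkg_id, version, "NONE"


def check(nuspec_texts, permitted=PERMITTED, approvals=APPROVALS):
    """Return a Finding for each package neither permitted by license nor
    covered by an approval for that exact version."""
    findings = []
    for text in nuspec_texts:
        pkg_id, version, lic = parse_nuspec(text)
        unreadable = lic.startswith(NOT_MACHINE_READABLE)
        if not unreadable and expression_permitted(lic, permitted):
            continue
        approval = approvals.get(pkg_id)
        if approval and (approval["versions"] is None or version in approval["versions"]):
            continue  # reviewed exception on record; who/why give the blame trail
        reason = ("license not machine-readable; needs review" if unreadable
                  else "license not in the permitted list and no approval")
        findings.append(Finding(pkg_id, version, lic, reason))
    return findings


def scan_cache(root: Path):
    """Run the gate over a NuGet cache laid out as <id>/<version>/<id>.nuspec."""
    return check(p.read_text(encoding="utf-8") for p in root.glob("*/*/*.nuspec"))


def sample_nuspec(pkg_id: str, version: str, license_element: str) -> str:
    """Build a minimal .nuspec document (constructed test data)."""
    return (f'<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
            f'<metadata><id>{pkg_id}</id><version>{version}</version>'
            f'<authors>x</authors><description>d</description>'
            f'{license_element}</metadata></package>')


# Constructed sample cache: two clean packages, one approved exception, one
# version bump past its approval, one copyleft package, two unreadable licenses.
SAMPLE_CACHE = [
    sample_nuspec("Sample.Core", "1.0.0", '<license type="expression">MIT</license>'),
    sample_nuspec("Sample.Combo", "3.0.1", '<license type="expression">MIT AND Apache-2.0</license>'),
    sample_nuspec("Sample.Dual", "2.1.0", '<license type="expression">LGPL-3.0-only</license>'),
    sample_nuspec("Sample.Dual", "2.2.0", '<license type="expression">LGPL-3.0-only</license>'),
    sample_nuspec("Sample.Copyleft", "0.9.0", '<license type="expression">GPL-3.0-only</license>'),
    sample_nuspec("Sample.Legacy", "4.5.6", '<licenseUrl>https://example.invalid/license</licenseUrl>'),
    sample_nuspec("Sample.Bundled", "1.2.3", '<license type="file">LICENSE.txt</license>'),
]

if __name__ == "__main__":
    results = scan_cache(Path(sys.argv[1])) if len(sys.argv) > 1 else check(SAMPLE_CACHE)
    for f in results:
        print(f"{f.package} {f.version}: {f.license} ({f.reason})")
    sys.exit(1 if results else 0)
```

Run without arguments it reports four findings on the sample data: `Sample.Dual 2.2.0` (the approval is pinned to 2.1.0, so a version bump re-triggers review), `Sample.Copyleft`, and the two packages whose license is only a file or a URL. Pointing it at the real cache after `dotnet restore` in a CI job gives the merge-blocking step the post asks for. If License Finder itself is adopted instead, the equivalent pieces are `license_finder permitted_licenses add <license>` for the allow list and `license_finder approvals add <package> --who <name> --why <reason>` for the exceptions, which it records in its decisions file.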