Proj0503: Package license is unknown

Using a NuGet package implies that you and/or your company explicitly agree with the legally binding conditions of the license and the copyright of the owner of the package.

If a third-party package license comes with a custom license (other than one specified by the SPDX), this rule ensures that the license must have been approved.

To approve a license, a <ThirdPartyLicense> node has to be added with a matching include and a hash of the license file. That hash is communicated for licenses which lack such a registration.

Non-compliant

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
  </ItemGroup>

</Project>

Compliant

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
  </ItemGroup>

  <ItemGroup Label="Approved licenses">
    <ThirdPartyLicense Include="SonarAnalyzer.CSharp" Hash="ZOAgZmx18wSWq5KpOpWd2bB9123" />
  </ItemGroup>

</Project>

This rule can detect used licenses in NuGet spec files, but can not be considered legal advice, nor is this documentation.