Proj0504: Package license has changed
Using a NuGet package implies that you and/or your company explicitly agree to the legally binding conditions of the license and the copyright of the owner of the package.
If a third-party package comes with a custom license (other than one specified by SPDX), this rule ensures that the license does not change unnoticed. It does so by reporting when the hash of the license differs from the hash of the approved license.
Non-compliant
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
  </ItemGroup>
  <ItemGroup Label="Approved licenses">
    <ThirdPartyLicense Include="SonarAnalyzer.CSharp" Hash="ADifferentHash" />
  </ItemGroup>
</Project>
Compliant
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
  </ItemGroup>
  <ItemGroup Label="Approved licenses">
    <ThirdPartyLicense Include="SonarAnalyzer.CSharp" Hash="ZOAgZmx18wSWq5KpOpWd2bB9123" />
  </ItemGroup>
</Project>
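The comparison this rule describes, as an added example that is not the analyzer's own code: it reads the `ThirdPartyLicense` items from a project file and flags any package whose current license text no longer matches the approved hash. The page does not state how the analyzer computes its hash, so the scheme here (SHA-256 over whitespace-normalized text, unpadded base64url), the function names and the license texts are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET


def license_hash(text: str) -> str:
    # Assumed scheme: SHA-256 of whitespace-normalized text, unpadded base64url.
    normalized = " ".join(text.split())
    digest = hashlib.sha256(normalized.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def approved_hashes(project_xml: str) -> dict:
    # Collect <ThirdPartyLicense Include="..." Hash="..."/> items; the tag
    # namespace is stripped so legacy (xmlns) project files parse as well.
    root = ET.fromstring(project_xml)
    return {
        el.get("Include"): el.get("Hash")
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "ThirdPartyLicense"
    }


def check_licenses(project_xml: str, license_texts: dict) -> list:
    # Return (package, finding, actual_hash) for every license needing review.
    approved = approved_hashes(project_xml)
    findings = []
    for package, text in sorted(license_texts.items()):
        actual = license_hash(text)
        if package not in approved:
            findings.append((package, "no approved license hash", actual))
        elif approved[package] != actual:
            findings.append((package, "license has changed", actual))
    return findings


# Constructed license texts; only the package name and version come from the page.
APPROVED_TEXT = "Custom License v1\nInternal use is permitted."
CHANGED_TEXT = "Custom License v2\nInternal use requires a paid subscription."

PROJECT = f"""<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
  </ItemGroup>
  <ItemGroup Label="Approved licenses">
    <ThirdPartyLicense Include="SonarAnalyzer.CSharp" Hash="{license_hash(APPROVED_TEXT)}" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for finding in check_licenses(PROJECT, {"SonarAnalyzer.CSharp": CHANGED_TEXT}):
        print(*finding, sep=": ")
```

Because the text is whitespace-normalized before hashing, a re-wrapped or CRLF-converted copy of the same license does not raise a finding, while any change in wording does.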