Documentation for Proj0503 and Proj0504 (#102)

Corniel · LauraXiulan · web-flow · commit 4a55d8d46f21 · 2025-02-27T10:46:27.000+01:00
Co-authored-by: Laura Kramer &lt;laurakramer91@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -136,6 +136,8 @@ reported a the [GibHub repository](https://github.com/dotnet-project-file-analyz
 * [**Proj0500** Only include packages with an explicitly defined license](rules/Proj0500.md)
 * [**Proj0501** Package only contains a deprecated license URL](rules/Proj0501.md)
 * [**Proj0502** Only include packages compliant with project license](rules/Proj0502.md)
+* [**Proj0503** Package license is unknown](rules/Proj0503.md)
+* [**Proj0504** Package license has changed](rules/Proj0504.md)
 
 ### .NET Project File Analyzers SDK
 * [**Proj0700** Avoid defining &lt;Compile&gt; items in SDK project](rules/Proj0700.md)
diff --git a/rules/Proj0503.md b/rules/Proj0503.md
@@ -0,0 +1,54 @@
+---
+parent: Licensing
+ancestor: Rules
+---
+
+# Proj0503: Package license is unknown
+Using a [NuGet](https://www.nuget.org) package implies that you
+and/or your company explicitly agree with the legally binding conditions of the
+license and the copyright of the owner of the package.
+
+If a third-party package license comes with a custom license (other than one
+specified by the [SPDX](https://spdx.dev)), this rule ensures that the license
+must have been approved.
+
+To approve a license, a `<ThirdPartyLicense>` node has to be added with a
+matching include and a hash of the license file. That hash is communicated for
+licenses which lack such a registration.
+
+## Non-compliant
+``` xml
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
+  </ItemGroup>
+
+</Project>
+```
+
+## Compliant
+``` xml
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
+  </ItemGroup>
+
+  <ItemGroup Label="Approved licenses">
+    <ThirdPartyLicense Include="SonarAnalyzer.CSharp" Hash="ZOAgZmx18wSWq5KpOpWd2bB9123" />
+  </ItemGroup>
+
+</Project>
+```
+
+This rule can detect used licenses in NuGet spec files, but can not be
+considered legal advice, nor is this documentation.
diff --git a/rules/Proj0504.md b/rules/Proj0504.md
@@ -0,0 +1,52 @@
+---
+parent: Licensing
+ancestor: Rules
+---
+
+# Proj0504: Package license has changed
+Using a [NuGet](https://www.nuget.org) package implies that you
+and/or your company explicitly agree with the legally binding conditions of the
+license and the copyright of the owner of the package.
+
+If a third-party package license comes with a custom license (other than one
+specified by the [SPDX](https://spdx.dev)), this rule ensures that the license
+did not change unnoticed. It does so by communicating that the hash of the
+license is different from the license approved one.
+
+## Non-compliant
+``` xml
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
+  </ItemGroup>
+  
+  <ItemGroup Label="Approved licenses">
+    <ThirdPartyLicense Include="SonarAnalyzer.CSharp" Hash="ADifferentHash" />
+  </ItemGroup>
+
+</Project>
+```
+
+## Compliant
+``` xml
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="SonarAnalyzer.CSharp" Version="10.6.0.109712" />
+  </ItemGroup>
+
+  <ItemGroup Label="Approved licenses">
+    <ThirdPartyLicense Include="SonarAnalyzer.CSharp" Hash="ZOAgZmx18wSWq5KpOpWd2bB9123" />
+  </ItemGroup>
+
+</Project>
+```
