Documentation for Proj0500 and Proj0501

Corniel · Corniel · commit ea69916dc574 · 2025-02-18T11:29:33.000+01:00
diff --git a/README.md b/README.md
@@ -119,6 +119,10 @@ reported a the [GibHub repository](https://github.com/dotnet-project-file-analyz
 * [**Proj0452** Test projects require Microsoft.NET.Test.Sdk](rules/Proj0452.md)
 * [**Proj0453** Using Microsoft.NET.Test.Sdk implies a test project](rules/Proj0453.md)
 
+### Licensing
+* [**Proj0500** Only include packages with an explicitly defined license](rules/Proj0500.md)
+* [**Proj0501** Only include packages with a compliant license](rules/Proj0501.md)
+
 ### .NET Project File Analyzers SDK
 * [**Proj0700** Avoid defining &lt;Compile&gt; items in SDK project](rules/Proj0700.md)
 
diff --git a/navigation/general_project_rules.md b/navigation/general_project_rules.md
@@ -2,5 +2,5 @@
 title: General
 parent: MSBuild
 ancestor: Rules
-nav_order: 9
+nav_order: 10
 ---
diff --git a/navigation/licensing.md b/navigation/licensing.md
@@ -0,0 +1,5 @@
+---
+title: MSBuild
+parent: Rules
+nav_order: 4
+---
diff --git a/rules/Proj0500.md b/rules/Proj0500.md
@@ -0,0 +1,24 @@
+---
+parent: Licening
+ancestor: Rules
+---
+
+# Proj0500: Only include packages with an explicitly defined license
+Using a [NuGet](https://www.nuget.org) (third-party) package implies that you
+and/or your company explicitly agree with the legally binding conditions of the
+license and the copyright of the onwer of the package.
+
+As Microsoft states it itself:
+> If a package does not specify the licensing terms, contact the package owner
+> directly using the Contact owners link on the [NuGet.org](https://www.nuget.org)
+> package page. Microsoft does not license any intellectual property to you
+> from third party package providers and is not responsible for information
+> provided by third parties.
+
+When you use packages that are only (privatly) shared without your company
+those packages should also come with an explicitly defined license. You might
+need to contact your legal department to define a proper license.
+ 
+## See
+* [NuGet.org frequently-asked questions](https://learn.microsoft.com/nuget/nuget-org/nuget-org-faq#license-terms)
+* [How to Avoid Costly Lawsuits from Unexpected NuGet License Agreements](https://blog.inedo.com/nuget/how-to-avoid-costly-lawsuits-from-unexpected-nuget-license-agreements/)
diff --git a/rules/Proj0501.md b/rules/Proj0501.md
@@ -0,0 +1,41 @@
+---
+parent: Licening
+ancestor: Rules
+---
+
+# Proj0501: Only include packages with a compliant license
+Using a [NuGet](https://www.nuget.org) (third-party) package implies that you
+and/or your company explicitly agree with the legally binding conditions of the
+license and the copyright of the onwer of the package.
+
+By default, MIT and Apache-2.0 are allowed.
+
+## Configure
+You can specify which license (expressions) are allowed, using `<AllowedLicenses>`.
+
+``` xml
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <AllowedLicenses>MIT,MPL-1.1,Apache-2.0</AllowedLicenses>
+  </PropertyGroup>
+  
+</Project>
+```
+
+For packages that do not come with a generic license (expression) such as MIT,
+it is possible to specify that these packages are allowed, using the 
+`<AllowedThirdPartyPackages>`. Wildcard characters are allowed.
+
+``` xml
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+	<AllowedThirdPartyPackages>
+		SonarAnalyzer.Csharp,
+		MyCompany.*
+	/AllowedThirdPartyPackages>
+  </PropertyGroup>
+  
+</Project>
+```
