Most Elasticsearch third-party dependencies are distributed under relatively permissive licenses such as Apache 2.0, MIT or other BSD-like licenses. There are some more restrictive licenses, however, which require that distributors of the software also provide a means of redistributing the original dependency source code. We do this already for the JDK, which is bundled in Elasticsearch distributions, but there may be other instances. Additionally, we want to ensure that, for any dependencies added to Elasticsearch, we are in proper compliance.
Surface to users of Elasticsearch any additional distribution requirements mandated by the license of any third-party dependencies. This might be additional notices, source distributions, etc.
Ensure that any dependencies added to the Elasticsearch distribution are either distributed under a known permissive license that incurs no additional distribution requirements, or, for more restrictively licensed dependencies, that we verify the distribution requirements have been met.
We should be able to use Apache RAT for this, as we do for license headers. See the LicenseHeadersTask. We could use this to inspect the LICENSE files for each dependency, and ensure all are in compliance with the allowed license types. For those that require redistribution, I think these are a special case, like it was for the JDK, where we should disallow those types and make them exceptions if we must do so.