We need to get all the licenses of the dependencies of our services. While it's easy to get them from the report plugin (or mojohaus' license-maven-plugin) our lawyers want us to actually go to the source of each dependency and grab the license file. Do you know how we can achieve this?
As an alternative - how can I get the scm connection URL of an artifact? I can use this information to automate such process myself.
To get things right you would need first to collect all the binary and source Jars for every Jar you depend on. This may be a good start: http://maven.apache.org/components/plugins/maven-dependency-plugin/ (I am no maven expert). It seems to be able to fetch sources too. You probably want to run something like this, but I am not sure where the sources go:
mvn dependency:sources
See also: https://stackoverflow.com/a/11361413/302521
Once you have these fetched you can install ScanCode (https://github.com/nexB/scancode-toolkit ) then run extractcode
for the directory that contains your jars to unpack them all, followed by scancode --format html-app <you jar dir> my-jars.html
to get a detailed report of the licenses and copyrights: open my-jars.html in your browser.
Disclosures: I am one of the ScanCode authors and incidentally I am working on getting in ScanCode exactly what you asked for: resolving the Maven dep tree, fetching all Jars and sources, and finally collect POM metadata and run a scan on binaries + sources. May you are interested to chip in?
About the scm connection, it is not consistently there in POMs so I would not recommend that route. It is even less frequent that source Jars.
I developed a website, https://www.licensediscovery.io, that will help Java developers to find licenses for the artifacts that they and their software are depending on.
Licensediscovery.io enables users to search for Java artifacts by using any of the following syntaxes: Maven, Gradle, SBT, Ivy, Leiningen, Grape, Buildr or plain. Licensediscovery.io will collect, parse and present all identifiable Java artifacts and present them and their licenses in either a table, bar chart, donut chart or a network graph.
LicenseDiscovery.io was just recently released and is still in an early stage. However, it just might solve your problem.
Feedback would also be very much appreciated.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With