 

Getting dependencies licenses

We need to get all the licenses of the dependencies of our services. While it's easy to get them from the report plugin (or mojohaus' license-maven-plugin) our lawyers want us to actually go to the source of each dependency and grab the license file. Do you know how we can achieve this?

As an alternative - how can I get the scm connection URL of an artifact? I can use this information to automate such process myself.

David Rabinowitz asked Jun 23 '15 08:06


2 Answers

To get things right you would first need to collect all the binary and source Jars for every Jar you depend on. This may be a good start: http://maven.apache.org/components/plugins/maven-dependency-plugin/ (I am no maven expert). It seems to be able to fetch sources too. You probably want to run something like this, but I am not sure where the sources go:

mvn dependency:sources

See also: https://stackoverflow.com/a/11361413/302521

Once you have these fetched you can install ScanCode (https://github.com/nexB/scancode-toolkit ), then run extractcode on the directory that contains your jars to unpack them all, followed by scancode --format html-app <your jar dir> my-jars.html to get a detailed report of the licenses and copyrights: open my-jars.html in your browser.

Disclosures: I am one of the ScanCode authors and, incidentally, I am working on getting into ScanCode exactly what you asked for: resolving the Maven dep tree, fetching all Jars and sources, and finally collecting POM metadata and running a scan on binaries + sources. Maybe you are interested in chipping in?

About the scm connection, it is not consistently there in POMs, so I would not recommend that route. It is even less frequent than source Jars.

Philippe Ombredanne answered Sep 21 '22 06:09
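The question asks for the scm connection URL of each artifact, and the answer above points out that it is only sometimes present in the POM. The script below is an added example for this thread, not code from the original post, from Maven or from ScanCode. It walks a Maven local repository (after mvn dependency:sources the resolved POMs and source jars sit under ~/.m2/repository by default), pulls groupId:artifactId:version, the declared licenses and the scm connection out of every *.pom, turns git-style connections into an https clone URL, and lists the artifacts that declare neither a license nor an SCM, which are the ones you have to chase by hand. The two sample POMs, the org.example coordinates and the temporary repo tree are constructed for the demo.

```python
"""Extract license and SCM metadata from the POMs in a Maven local repository.

Added example for this thread, not code from Maven or ScanCode. Assumes the
standard Maven 4.0.0 POM model and the usual local-repository layout
(<group path>/<artifact>/<version>/<artifact>-<version>.pom).
"""
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample POMs (not real artifacts): one fully declared, one that
# inherits groupId/version from a parent and declares neither license nor scm.
SAMPLE_WITH_SCM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>lib-a</artifactId>
  <version>1.2.3</version>
  <licenses><license>
    <name>Apache License, Version 2.0</name>
    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
  </license></licenses>
  <scm>
    <connection>scm:git:git@github.com:example/lib-a.git</connection>
    <url>https://github.com/example/lib-a</url>
  </scm>
</project>"""
SAMPLE_NO_SCM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent><groupId>org.example</groupId><artifactId>parent</artifactId><version>7</version></parent>
  <artifactId>lib-b</artifactId>
</project>"""


@dataclass
class PomInfo:
    coordinates: str                                   # groupId:artifactId:version
    licenses: List[Tuple[str, str]] = field(default_factory=list)  # (name, url) pairs
    scm_connection: Optional[str] = None
    scm_url: Optional[str] = None


def _strip_namespaces(root):
    """Drop the POM namespace from every tag so the lookups below stay plain."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def parse_pom(xml_text: str) -> PomInfo:
    """Read coordinates, <licenses> and <scm> from one POM. Third-party POMs are
    untrusted input; ElementTree does not fetch external entities, but consider
    defusedxml when bulk-parsing downloaded files."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    # groupId and version may be inherited from <parent>; artifactId never is.
    group = root.findtext("groupId") or root.findtext("parent/groupId") or "?"
    artifact = root.findtext("artifactId") or "?"
    version = root.findtext("version") or root.findtext("parent/version") or "?"
    info = PomInfo(f"{group.strip()}:{artifact.strip()}:{version.strip()}")
    for lic in root.findall("licenses/license"):
        info.licenses.append(((lic.findtext("name") or "").strip(), (lic.findtext("url") or "").strip()))
    conn = root.findtext("scm/connection") or root.findtext("scm/developerConnection") or ""
    info.scm_connection = conn.strip() or None
    info.scm_url = (root.findtext("scm/url") or "").strip() or None
    return info


_SSH_STYLE = re.compile(r"^(?:ssh://)?git@([^:/]+)[:/](.+?)(?:\.git)?$")


def scm_to_https(connection: Optional[str]) -> Optional[str]:
    """Normalise a Maven SCM connection (scm:<provider>:<provider-specific>) to an
    https clone URL. Only git is handled; other providers return None for manual
    review. The value is self-declared by the publisher: treat it as a hint and
    never interpolate it into a shell command."""
    if not connection or not connection.startswith("scm:"):
        return None
    parts = connection.split(":", 2)
    if len(parts) != 3 or parts[1] != "git":
        return None
    location = parts[2]
    if location.startswith("https://"):
        return location
    for plain in ("http://", "git://"):          # upgrade unauthenticated transports
        if location.startswith(plain):
            return "https://" + location[len(plain):]
    m = _SSH_STYLE.match(location)
    return f"https://{m.group(1)}/{m.group(2)}.git" if m else None


def scan_local_repo(root_dir: str) -> List[PomInfo]:
    """Walk a Maven local repository (default ~/.m2/repository) and parse every *.pom."""
    found = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.endswith(".pom"):
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    found.append(parse_pom(fh.read()))
    return sorted(found, key=lambda i: i.coordinates)


def missing_metadata(infos: List[PomInfo]) -> List[PomInfo]:
    """Artifacts with no declared license or no SCM: the ones to trace by hand."""
    return [i for i in infos if not i.licenses or not i.scm_connection]


def demo() -> List[PomInfo]:
    """Write the sample POMs into a throwaway repo tree, scan it, and return the result."""
    base = tempfile.mkdtemp(prefix="m2-demo-")
    try:
        for rel, text in (("org/example/lib-a/1.2.3/lib-a-1.2.3.pom", SAMPLE_WITH_SCM),
                          ("org/example/lib-b/7/lib-b-7.pom", SAMPLE_NO_SCM)):
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        infos = scan_local_repo(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    for info in infos:
        print(info.coordinates, info.licenses, scm_to_https(info.scm_connection))
    return infos


if __name__ == "__main__":
    demo()
```

Point scan_local_repo at your real ~/.m2/repository (or just the subtree for the groupIds you ship) once mvn dependency:sources has run; the https URL from scm_to_https is what you would feed to a git clone step, and the missing_metadata list is what still needs the ScanCode pass over the unpacked jars.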


I developed a website, https://www.licensediscovery.io, that will help Java developers to find licenses for the artifacts that they and their software are depending on.

Licensediscovery.io enables users to search for Java artifacts using any of the following syntaxes: Maven, Gradle, SBT, Ivy, Leiningen, Grape, Buildr or plain. Licensediscovery.io will collect, parse and present all identifiable Java artifacts and their licenses in either a table, bar chart, donut chart or a network graph.

LicenseDiscovery.io was just recently released and is still in an early stage. However, it just might solve your problem.

Feedback would also be very much appreciated.

Karl Dahlgren answered Sep 22 '22 06:09