Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Getting dependencies licenses

Tags:

maven

licensing

maven-scm

We need to get all the licenses of the dependencies of our services. While it's easy to get them from the report plugin (or mojohaus' license-maven-plugin) our lawyers want us to actually go to the source of each dependency and grab the license file. Do you know how we can achieve this?

As an alternative - how can I get the scm connection URL of an artifact? I can use this information to automate such process myself.

like image 573
David Rabinowitz Avatar asked Jun 23 '15 08:06

David Rabinowitz

2 Answers

To get things right you would need first to collect all the binary and source Jars for every Jar you depend on. This may be a good start: http://maven.apache.org/components/plugins/maven-dependency-plugin/ (I am no maven expert). It seems to be able to fetch sources too. You probably want to run something like this, but I am not sure where the sources go:

mvn dependency:sources

See also: https://stackoverflow.com/a/11361413/302521

Once you have these fetched you can install ScanCode (https://github.com/nexB/scancode-toolkit ) then run extractcode for the directory that contains your jars to unpack them all, followed by scancode --format html-app <you jar dir> my-jars.html to get a detailed report of the licenses and copyrights: open my-jars.html in your browser.

Disclosures: I am one of the ScanCode authors and incidentally I am working on getting in ScanCode exactly what you asked for: resolving the Maven dep tree, fetching all Jars and sources, and finally collect POM metadata and run a scan on binaries + sources. May you are interested to chip in?

About the scm connection, it is not consistently there in POMs so I would not recommend that route. It is even less frequent that source Jars.

like image 28
Philippe Ombredanne Avatar answered Sep 21 '22 06:09

Philippe Ombredanne

I developed a website, https://www.licensediscovery.io, that will help Java developers to find licenses for the artifacts that they and their software are depending on.

Licensediscovery.io enables users to search for Java artifacts by using any of the following syntaxes: Maven, Gradle, SBT, Ivy, Leiningen, Grape, Buildr or plain. Licensediscovery.io will collect, parse and present all identifiable Java artifacts and present them and their licenses in either a table, bar chart, donut chart or a network graph.

LicenseDiscovery.io was just recently released and is still in an early stage. However, it just might solve your problem.

Feedback would also be very much appreciated.

like image 56
Karl Dahlgren Avatar answered Sep 22 '22 06:09

Karl Dahlgren
Sign in to Comment

Related questions

MAVEN Invalid SDK: Platform/API level 16 not available
How to configure aspectj to get post-compile weaving (with maven)?
How to fail when maven profile does not exist?
Automatic update of generated css files via m2e
How to avoid checking parent project in maven-site-plugin?
How to release a Maven submodule without releasing the parent POM?
Added Gson to the pom.xml but is not found
Nested property in Maven profile for plugin configuration
Maven doesn't run selenium test
how to set Jenkins env variable with python script
Maven dependency not getting corresponding POM file downloaded
finding maven version & set MAVEN_HOME in ubuntu
Running groovy tests with Maven
Maven Aspectj plugin calls the JPA model generator again
In maven, how can I refer to a parent pom that does not exist at that location on the file system?
Maven can't find dependencies [dependencyResolutionException]
How a maven dependecy can be defined without version tag?
how to make a executable jar pick the properties file during time time using maven
Debugging in maven with mvnDebug command
org.apache.catalina.LifecycleException: A child container failed during start

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!