We need to get all the licenses of the dependencies of our services. While it's easy to get them from the report plugin (or mojohaus' license-maven-plugin) our lawyers want us to actually go to the source of each dependency and grab the license file. Do you know how we can achieve this?
As an alternative - how can I get the scm connection URL of an artifact? I can use this information to automate such process myself.
On
I created a fork of the mojohaus maven license plugin. Discussed here: https://github.com/mojohaus/license-maven-plugin/issues/357. Not intensively tested, most likely has some small bugs left, but for my purposes it's working. But be warned! Pro argument: This solution is super fast compared to ScanCode, which scans bruteforce even binary files and also needs all archives to be extracted before scanning.
The plugin writes all it can fetch into the target\generated-resources\licenses.xml, including the licenses and notices text files.
Just clone it from https://github.com/JD-CSTx/license-maven-plugin.
To build and install it quickly just for testing use mvn install -DskipITs=true -DskipTests=true.
The goal is license:aggregate-download-licenses, version 2.1.0-SNAPSHOT and option is extendedInfo.
It can also write into an excel file with the option writeExcelFile, beware: Excel cells are cut off because of the 32,767 chars limit.
Config for your projects pom.xml:
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>license-maven-plugin</artifactId>
<version>2.1.0-SNAPSHOT</version>
<configuration>
<includeTransitiveDependencies>true</includeTransitiveDependencies>
<verbose>true</verbose>
<!-- New -->
<extendedInfo>true</extendedInfo>
<!-- New -->
<writeExcelFile>true</writeExcelFile>
...
I would love some feedback on this.
On
To get things right you would need first to collect all the binary and source Jars for every Jar you depend on. This may be a good start: http://maven.apache.org/components/plugins/maven-dependency-plugin/ (I am no maven expert). It seems to be able to fetch sources too. You probably want to run something like this, but I am not sure where the sources go:
mvn dependency:sources
See also: https://stackoverflow.com/a/11361413/302521
Once you have these fetched you can install ScanCode (https://github.com/nexB/scancode-toolkit ) then run extractcode for the directory that contains your jars to unpack them all, followed by scancode --format html-app <you jar dir> my-jars.html to get a detailed report of the licenses and copyrights: open my-jars.html in your browser.
Disclosures: I am one of the ScanCode authors and incidentally I am working on getting in ScanCode exactly what you asked for: resolving the Maven dep tree, fetching all Jars and sources, and finally collect POM metadata and run a scan on binaries + sources. May you are interested to chip in?
About the scm connection, it is not consistently there in POMs so I would not recommend that route. It is even less frequent that source Jars.
I developed a website, https://www.licensediscovery.io, that will help Java developers to find licenses for the artifacts that they and their software are depending on.
Licensediscovery.io enables users to search for Java artifacts by using any of the following syntaxes: Maven, Gradle, SBT, Ivy, Leiningen, Grape, Buildr or plain. Licensediscovery.io will collect, parse and present all identifiable Java artifacts and present them and their licenses in either a table, bar chart, donut chart or a network graph.
LicenseDiscovery.io was just recently released and is still in an early stage. However, it just might solve your problem.
Feedback would also be very much appreciated.