Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/chonton/license-maven-plugin

Maven plugin to check dependencies' licenses for compliance
https://github.com/chonton/license-maven-plugin

compliance dependencies license maven-plugin

Last synced: 3 days ago
JSON representation

Maven plugin to check dependencies' licenses for compliance

Host: GitHub
URL: https://github.com/chonton/license-maven-plugin
Owner: chonton
License: apache-2.0
Created: 2017-08-08T05:21:40.000Z (about 7 years ago)
Default Branch: main
Last Pushed: 2024-09-18T09:19:56.000Z (16 days ago)
Last Synced: 2024-09-18T22:07:38.025Z (15 days ago)
Topics: compliance, dependencies, license, maven-plugin
Language: Java
Homepage:
Size: 101 KB
Stars: 5
Watchers: 3
Forks: 2
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# license-maven-plugin

Check if maven dependencies meet license compliance requirements.

# Rationale
Many organizations require checking open source dependencies' licenses to ensure that the dependency
use does not add legal risks to product development. This due diligence helps prevent impairing the
organization's intellectual property.

# For more information
The [Open Source Initiative (OSI)](https://opensource.org/) reviews and categorizes open source
licences. Additionally, OSI publishes a [FAQ](https://opensource.org/faq) on what is open source
and how it is licensed.

# Plugin
Plugin reports available at [plugin info](https://chonton.github.io/license-maven-plugin/plugin-info.html).

There is a single goal: [compliance](https://chonton.github.io/license-maven-plugin/compliance-mojo.html),
which binds by default to the *validate* phase. This goal checks all dependencies in the build and
active profile sections for compliance with acceptable licenses.

## Matching
For each project dependency, the goal checks if any of the dependency licenses match any of the
acceptable licenses. A match is successful if either the dependency license URL matches the
acceptable license URL regular expression, or the dependency license name matches the acceptable
license name regular expression. (The maven pom definition for [licenses](https://maven.apache.org/pom.html#Licenses)
recommends using the [spdx identifier](https://spdx.org/licenses/) as license name.)
Matches are case-insensitive and ignore leading and trailing whitespace. The lack of a license in
a dependency will cause a match failure.

## Excluding Dependencies
The compliance check can be excluded for dependencies matching specified
`groupId:artifactId:type:classifier` glob patterns. This can be used to turn off compliance check for
organizational internal dependencies that may not have an attached license.

## Configuration
| Parameter | Property | Default | Description |
|--------------------------------------|-----------------------------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| skipCompliance | ${compliance.skip} | false | Skip the license check |
| acceptableLicenses | | | The set of license regular expressions to match against dependency licenses. If any license is specified, the default acceptableLicenseResources will not be used. |
| acceptableLicenseResources | ${compliance.licenses} | osi-permissive | The comma separated names of xml resources from which to read licenses. Built in resources are 'osi-widely-used' and 'osi-permissive'. Default is used only if no acceptableLicenses are specified. |
| acceptableLicenseResourcesFilesPaths | ${compliance.licenses.filesPaths} | /tmp/licenses.xml | The comma separated file paths of xml resources from which to read licenses |
| artifact | ${compliance.artifact} | false | Check that main artifact has acceptable license |
| excludes | ${compliance.excludes} | | The list of dependencies to exclude from checking compliance. These will be in the form of *groupId:artifactId[[:type]:classifier]*. Wildcard characters '*' and '?' can be used to do glob-like pattern matching. |
| scopes | ${compliance.scopes} | compile, runtime, provided, test | The comma separated list of scopes to check |

# Examples

## Typical Use

Command line :
mvn org.honton.chas:license-maven-plugin:0.0.5:compliance "-Dcompliance.excludes=org.test:*,com.test:*" "-Dcompliance.licenses.filesPaths=/tmp/licences-custom.xml"

```xml

org.honton.chas
license-maven-plugin
0.0.5

org.honton.chas
license-maven-plugin

compliance

```

## List licenses in pom
Specify that only Apache license is compliant:
```xml

(Apache License, Version 2\.0)|(Apache-2\.0)
https?://www\.apache\.org/licenses/LICENSE-2\.0

```

## Use both explicit acceptableLicenses and acceptableLicenseResources
```xml

(GPL2\s+w/\s+CPE)
https?://glassfish\.java\.net/public/CDDL\+GPL_1_1\.html

osi-permissive

```
## Exclude Dependencies
Exclude checking specific artifact or artifacts from a group
```xml

org.eclipse.microprofile.config:microprofile-config-api

org.honton.chas:*

```

## Scope
Only check non-test scopes
```xml

compile,runtime,provided

```

## Artifact
Check that main artifact's pom has an acceptable license defined in [licenses section](https://maven.apache.org/pom.html#Licenses)
```xml

true

```