Maven-plugin to verify licences

2017-10-27   John Allberg   java maven licence

In almost all projects where we develop software for our customers we use some kind of open source components. It’s therefore extremely important to check the licenses of those components.

That’s why I’ve built and published a Maven plugin that verifies that the licenses of all dependencies in the Maven project are accepted.

To be able to run the plugin you need a list of licenses that you accept (and those you do not accept). That’s defined in an XML file which by default is located under src/licenses/licences.xml.

Below you can see an example where the Apache license is approved but GPL is forbidden.

<?xml version="1.0"?>
<licenses>
    <valid>
        <license>
            <name>The Apache Software License, Version 2.0</name>
            <names>
                <name>The Apache Software License, Version 2.0</name>
            </names>
            <urls>
                <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
            </urls>
        </license>
    </valid>
    <forbidden>
        <license>
            <name>GNU General Public License version 2</name>
            <names>
                <name>GNU General Public License version 2</name>
            </names>
            <urls>
                <url>https://opensource.org/licenses/gpl-2.0.php</url>
            </urls>
        </license>
    </forbidden>
</licenses>

When invoked, the plugin verifies that all licenses are present in the list and approved:

$ mvn se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin:verify
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] Building se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin 1.0.1
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- ayoy-license-verifier-maven-plugin:1.0.1:verify (default-cli) @ ayoy-license-verifier-maven-plugin ---
[INFO] Parsing dependencies.
[INFO] Found 5 artifacts. Now validating their licenses with the list.
[INFO] All licenses verified.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.521 s
[INFO] Finished at: 2017-10-27T09:44:37+02:00
[INFO] Final Memory: 9M/245M
[INFO] ------------------------------------------------------------------------

If it finds a license that doesn’t exist in the list or that is not approved, it will abort the build:

$ mvn se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin:verify
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] Building se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin 1.0.2-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- ayoy-license-verifier-maven-plugin:1.0.1:verify (default-cli) @ ayoy-license-verifier-maven-plugin ---
[INFO] Parsing dependencies.
[INFO] Found 5 artifacts. Now validating their licenses with the list.
[WARNING] UNKNOWN   artifact junit:junit:jar:4.12:test with licenses: org.apache.maven.model.License@66ea1466
[WARNING]           license:  name: "Eclipse Public License 1.0", names: ["Eclipse Public License 1.0"], urls: ["http://www.eclipse.org/legal/epl-v10.html"]
[WARNING] FORBIDDEN artifact org.mockito:mockito-all:jar:1.9.5:test with licenses: org.apache.maven.model.License@1601e47
[WARNING]           license:  name: "The MIT License", names: ["The MIT License"], urls: ["http://code.google.com/p/mockito/wiki/License"]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.398 s
[INFO] Finished at: 2017-10-27T09:47:50+02:00
[INFO] Final Memory: 10M/309M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin:1.0.1:verify (default-cli) on project ayoy-license-verifier-maven-plugin: One or more artifacts has licenses which is unclassified. -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
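To make the three outcomes above concrete (every license matched and approved, an UNKNOWN license that is not in the list at all, and a FORBIDDEN license), here is an added Python model of the check, written for this post and not taken from the plugin’s source. It parses the licenses.xml format from the post and classifies a constructed set of dependencies. Two things are assumptions rather than documented plugin behaviour: a declared license is matched against the top-level name, the names list and the urls list; and an artifact carrying several licenses counts as FORBIDDEN if any of them is forbidden, otherwise UNKNOWN if any is unclassified. The sample artifacts and the org.example coordinates are constructed; only the junit entry reuses the license strings from the failing build above.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The licenses.xml shown in the post, embedded so the example runs offline.
LICENSES_XML = """<?xml version="1.0"?>
<licenses>
  <valid>
    <license>
      <name>The Apache Software License, Version 2.0</name>
      <names><name>The Apache Software License, Version 2.0</name></names>
      <urls><url>http://www.apache.org/licenses/LICENSE-2.0.txt</url></urls>
    </license>
  </valid>
  <forbidden>
    <license>
      <name>GNU General Public License version 2</name>
      <names><name>GNU General Public License version 2</name></names>
      <urls><url>https://opensource.org/licenses/gpl-2.0.php</url></urls>
    </license>
  </forbidden>
</licenses>
"""


@dataclass
class Artifact:
    """One resolved dependency with the (name, url) licences declared in its POM."""
    coordinates: str
    licenses: list


def _normalise(value):
    return value.strip().lower() if value else None


def load_license_list(xml_text):
    """Parse licenses.xml into two sets of match keys: (valid, forbidden).

    Assumption: a licence matches an entry by its top-level <name>, any <names>/<name>
    alias, or any <urls>/<url>. Matching is case-insensitive.
    """
    root = ET.fromstring(xml_text)

    def keys(section):
        out = set()
        for lic in root.findall(f"./{section}/license"):
            elements = [lic.find("name")] + lic.findall("./names/name") + lic.findall("./urls/url")
            out.update(k for k in (_normalise(e.text) for e in elements if e is not None) if k)
        return out

    return keys("valid"), keys("forbidden")


def classify(artifact, valid, forbidden):
    """Return MISSING, FORBIDDEN, UNKNOWN or VALID for one artifact.

    Assumed policy for multi-licensed artifacts: any forbidden licence wins,
    then any unclassified licence; only all-valid licences give VALID.
    """
    if not artifact.licenses:
        return "MISSING"  # no licence metadata in the POM at all
    verdicts = set()
    for name, url in artifact.licenses:
        candidates = {k for k in (_normalise(name), _normalise(url)) if k}
        if candidates & forbidden:
            verdicts.add("FORBIDDEN")
        elif candidates & valid:
            verdicts.add("VALID")
        else:
            verdicts.add("UNKNOWN")
    for verdict in ("FORBIDDEN", "UNKNOWN"):
        if verdict in verdicts:
            return verdict
    return "VALID"


def verify(artifacts, xml_text, fail_on_forbidden=True, fail_on_missing=True, fail_on_unknown=True):
    """Classify every artifact; return (build_ok, {coordinates: verdict}).

    The flags mirror the plugin's failOnForbidden / failOnMissing / failOnUnknown options.
    """
    valid, forbidden = load_license_list(xml_text)
    report = {a.coordinates: classify(a, valid, forbidden) for a in artifacts}
    fails = {"FORBIDDEN": fail_on_forbidden, "MISSING": fail_on_missing, "UNKNOWN": fail_on_unknown}
    build_ok = not any(fails.get(v, False) for v in report.values())
    return build_ok, report


# Constructed sample dependencies (not real scan output).
SAMPLE_ARTIFACTS = [
    Artifact("org.example:apache-lib:jar:1.0:compile",
             [("The Apache Software License, Version 2.0", "http://www.apache.org/licenses/LICENSE-2.0.txt")]),
    # Name differs from the list but the URL matches: this is what <urls> is for.
    Artifact("org.example:apache-alias:jar:3.1:compile",
             [("Apache 2.0", "http://www.apache.org/licenses/LICENSE-2.0.txt")]),
    Artifact("org.example:gpl-lib:jar:2.3:compile",
             [("GNU General Public License version 2", "https://opensource.org/licenses/gpl-2.0.php")]),
    Artifact("junit:junit:jar:4.12:test",
             [("Eclipse Public License 1.0", "http://www.eclipse.org/legal/epl-v10.html")]),
    Artifact("org.example:no-license:jar:0.1:compile", []),
]

if __name__ == "__main__":
    ok, report = verify(SAMPLE_ARTIFACTS, LICENSES_XML)
    for coords, verdict in report.items():
        print(f"[{'INFO' if verdict == 'VALID' else 'WARNING'}] {verdict:<9} artifact {coords}")
    print("BUILD SUCCESS" if ok else "BUILD FAILURE")
```

Running it prints one line per artifact in the plugin’s style and ends with BUILD FAILURE, because the GPL, EPL and license-less artifacts each trip one of the three fail flags. The separate MISSING verdict matters in practice: a dependency whose POM declares no license at all is not "safe by default", and the failOnMissing option exists so that it is treated like an unknown license rather than silently passing.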

For the projects I’m working on, I’ve chosen to run the plugin each time I compile by adding it to the pom.xml file.

<plugin>
    <groupId>se.ayoy.maven-plugins</groupId>
    <artifactId>ayoy-license-verifier-maven-plugin</artifactId>
    <version>1.0.1</version>
    <executions>
        <execution>
            <phase>compile</phase>
            <goals>
                <goal>verify</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <licenseFile>${project.parent.basedir}/licenses/licenses.xml</licenseFile>
        <failOnForbidden>true</failOnForbidden>
        <failOnMissing>true</failOnMissing>
        <failOnUnknown>true</failOnUnknown>
    </configuration>
</plugin>

Comments and proposals for improvements are welcome!


John Allberg

John has worked with electronic identification and e-IDs since 2000. First at Posten eSäkerhet between 2000 and 2004, then at Telia between 2004 and 2008. Since 2009 he has been a consultant in the field, and in 2010 he founded Ayoy together with Oscar Jacobsson.