In almost all projects where we develop software for our customers we use some kind of open source components. It's therefore extremely important to check the licenses of those components.
That's why I've built and published a Maven plugin that verifies that all dependencies in the Maven project are accepted.
To be able to run the plugin you need a list of the licenses you accept (and those you do not accept). That list is defined in an XML file which by default is located under src/licenses/licences.xml.
Below you can see an example where the Apache license is approved but GPL is forbidden.
<?xml version="1.0"?>
<licenses>
    <valid>
        <license>
            <name>The Apache Software License, Version 2.0</name>
            <names>
                <name>The Apache Software License, Version 2.0</name>
            </names>
            <urls>
                <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
            </urls>
        </license>
    </valid>
    <forbidden>
        <license>
            <name>GNU General Public License version 2</name>
            <names>
                <name>GNU General Public License version 2</name>
            </names>
            <urls>
                <url>https://opensource.org/licenses/gpl-2.0.php</url>
            </urls>
        </license>
    </forbidden>
</licenses>
When invoked, the plugin verifies that every dependency's license is present in the list and approved:
$ mvn se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin:verify
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin 1.0.1
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- ayoy-license-verifier-maven-plugin:1.0.1:verify (default-cli) @ ayoy-license-verifier-maven-plugin ---
[INFO] Parsing dependencies.
[INFO] Found 5 artifacts. Now validating their licenses with the list.
[INFO] All licenses verified.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.521 s
[INFO] Finished at: 2017-10-27T09:44:37+02:00
[INFO] Final Memory: 9M/245M
[INFO] ------------------------------------------------------------------------
If it finds a license that doesn't exist in the list or that is not approved, it aborts the build:
$ mvn se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin:verify
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin 1.0.2-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- ayoy-license-verifier-maven-plugin:1.0.1:verify (default-cli) @ ayoy-license-verifier-maven-plugin ---
[INFO] Parsing dependencies.
[INFO] Found 5 artifacts. Now validating their licenses with the list.
[WARNING] UNKNOWN artifact junit:junit:jar:4.12:test with licenses: org.apache.maven.model.License@66ea1466
[WARNING] license: name: "Eclipse Public License 1.0", names: ["Eclipse Public License 1.0"], urls: ["http://www.eclipse.org/legal/epl-v10.html"]
[WARNING] FORBIDDEN artifact org.mockito:mockito-all:jar:1.9.5:test with licenses: org.apache.maven.model.License@1601e47
[WARNING] license: name: "The MIT License", names: ["The MIT License"], urls: ["http://code.google.com/p/mockito/wiki/License"]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.398 s
[INFO] Finished at: 2017-10-27T09:47:50+02:00
[INFO] Final Memory: 10M/309M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal se.ayoy.maven-plugins:ayoy-license-verifier-maven-plugin:1.0.1:verify (default-cli) on project ayoy-license-verifier-maven-plugin: One or more artifacts has licenses which is unclassified. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
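To make the classification the two runs above show concrete, here is an added Python sketch (my own illustration, not the plugin's source): it parses a licenses.xml in the format shown earlier and sorts each artifact's declared licenses into VALID, FORBIDDEN, UNKNOWN or MISSING. The names load_license_list, classify and verify, the sample XML, and the rule that a license matches when either its name or its URL appears in an entry are all my assumptions; the post does not spell out the plugin's exact matching logic.

```python
import xml.etree.ElementTree as ET

# Constructed licenses.xml mirroring the post's example (not the plugin's own files).
LICENSES_XML = """<?xml version="1.0"?>
<licenses>
  <valid><license>
    <name>The Apache Software License, Version 2.0</name>
    <names><name>The Apache Software License, Version 2.0</name></names>
    <urls><url>http://www.apache.org/licenses/LICENSE-2.0.txt</url></urls>
  </license></valid>
  <forbidden><license>
    <name>GNU General Public License version 2</name>
    <names><name>GNU General Public License version 2</name></names>
    <urls><url>https://opensource.org/licenses/gpl-2.0.php</url></urls>
  </license></forbidden>
</licenses>"""

def load_license_list(xml_text):
    # {"valid": [...], "forbidden": [...]}; each entry is the set of names and
    # URLs that identify one license. Assumed matching rule: name OR url hit.
    root = ET.fromstring(xml_text)
    result = {}
    for section in ("valid", "forbidden"):
        entries = []
        for lic in root.findall(f"./{section}/license"):
            keys = {lic.findtext("name", "")}
            keys |= {n.text for n in lic.findall("names/name") if n.text}
            keys |= {u.text for u in lic.findall("urls/url") if u.text}
            keys.discard("")
            entries.append(keys)
        result[section] = entries
    return result

def classify(artifact_licenses, license_list):
    # artifact_licenses: [(name, url), ...] as declared in the dependency's POM.
    # FORBIDDEN wins over everything; one unlisted license makes it UNKNOWN.
    if not artifact_licenses:
        return "MISSING"
    all_valid = True
    for name, url in artifact_licenses:
        declared = {name, url} - {None, ""}
        if any(declared & keys for keys in license_list["forbidden"]):
            return "FORBIDDEN"
        all_valid &= any(declared & keys for keys in license_list["valid"])
    return "VALID" if all_valid else "UNKNOWN"

def verify(artifacts, license_list):
    # artifacts: {coordinate: [(name, url), ...]}. Returns (report, build_fails),
    # failing on anything that is not VALID, like failOn* all set to true.
    report = {c: classify(lics, license_list) for c, lics in artifacts.items()}
    return report, any(v != "VALID" for v in report.values())
```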
For the projects I'm working on, I've chosen to run the plugin each time I compile by adding it to the pom.xml file.
<plugin>
    <groupId>se.ayoy.maven-plugins</groupId>
    <artifactId>ayoy-license-verifier-maven-plugin</artifactId>
    <version>1.0.1</version>
    <executions>
        <execution>
            <phase>compile</phase>
            <goals>
                <goal>verify</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <licenseFile>${project.parent.basedir}/licenses/licenses.xml</licenseFile>
        <failOnForbidden>true</failOnForbidden>
        <failOnMissing>true</failOnMissing>
        <failOnUnknown>true</failOnUnknown>
    </configuration>
</plugin>
Comments and proposals for improvements are welcome!