Finding out the licenses of JAR libraries
https://stackoverflow.com/questions/3500388
-
29-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I use Maven to build my web app projects, when I add some dependent library to the pom file, it again adds some more dependent jars to the project recursively. Is there a way to find out or restrict that only jars having a certain type of license - say Apache License, BSD etc should be included. Or is there a way to find out that a jar file is under GPL/ASL etc without going to the website for each jar in the application?
Solution
The Maven "Project Info Reports" plugin produces a Dependencies report that includes the Licenses for the dependencies. Here's an example.
Obviously, this depends on the dependent POMs declaring their dependencies properly, and it requires that you build your site documentation "online".
OTHER TIPS
During the acquisition of a company I was working for, the acquiring company used the following software / consultancy to do what you're describing.
http://www.blackducksoftware.com/transact
Although I'm guessing you were probably looking for a free alternative. There may be other methods, but the fact this company makes money doing this suggests an alternative is probably less thorough/accurate.
I also find this website (https://www.versioneye.com) provides license info. For instance, https://www.versioneye.com/java/tomcat:jasper-runtime/5.5.23 says License: Apache License 2.0
October 19, 2017
I’m shutting down VersionEye by end of this year!
I started the project round about 6 years ago and so far it was a journey with many ups and downs. The typical StartUp rollercoaster thing. I raised Money from a big VC in Berlin and almost went bankrupt after that. Raised Money again from small Angel Investors to prevent bankruptcy. Won one of the biggest Software companies in the world as customer and established a stable income for the company.
A free alternative for a license scanner is the "scancode-toolkit". It is able to scan your codebase for copyright information, license texts etc.
But like @Stephen C mentioned in his answer, it won't be always able to detect the license for a dependency.
