Finding out the licenses of JAR libraries

4

11

I use Maven to build my web app projects. When I add a dependent library to the pom file, it again adds more dependent jars to the project recursively. Is there a way to find out or restrict that only jars having a certain type of license, say Apache License, BSD etc., should be included? Or is there a way to find out whether a jar file is under GPL/ASL etc. without going to the website for each jar in the application?

Irreversible answered 17/8, 2010 at 7:52 Comment(0)
13

The Maven "Project Info Reports" plugin produces a Dependencies report that includes the Licenses for the dependencies. Here's an example.

Obviously, this depends on the dependent POMs declaring their dependencies properly, and it requires that you build your site documentation "online".

Uttica answered 17/8, 2010 at 9:40 Comment(1)
Thanks Stephen, this is exactly what I wanted. Though some of the libraries are under "unknown", I can live with it :) – Irreversible
6

During the acquisition of a company I was working for, the acquiring company used the following software / consultancy to do what you're describing.

http://www.blackducksoftware.com/transact

Although I'm guessing you were probably looking for a free alternative. There may be other methods, but the fact this company makes money doing this suggests an alternative is probably less thorough/accurate.

Bunder answered 17/8, 2010 at 8:10 Comment(2)
Yes, a free alternative will be great! – Irreversible
A free alternative would be "scancode-toolkit". You can find it on GitHub: github.com/nexB/scancode-toolkit – Fecund
3

I also find this website (https://www.versioneye.com) provides license info. For instance, https://www.versioneye.com/java/tomcat:jasper-runtime/5.5.23 says License: Apache License 2.0

October 19, 2017

I’m shutting down VersionEye by end of this year!

I started the project round about 6 years ago and so far it was a journey with many ups and downs. The typical startup rollercoaster thing. I raised money from a big VC in Berlin and almost went bankrupt after that. Raised money again from small angel investors to prevent bankruptcy. Won one of the biggest software companies in the world as a customer and established a stable income for the company.

Interpellate answered 2/12, 2014 at 23:24 Comment(1)
Unfortunately VersionEye is going to shut down their service in early 2018, but their API was great – Dodecahedron
1

A free alternative for a license scanner is the "scancode-toolkit". It is able to scan your codebase for copyright information, license texts etc.

But as @Stephen C mentioned in his answer, it won't always be able to detect the license for a dependency.

https://github.com/nexB/scancode-toolkit

Fecund answered 5/2, 2019 at 12:18 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.