LicenseScan Maven plugin audits the dependencies and the transitive dependencies for the Runtime and Compile scopes, and allow to fail the build if a license is detected belonging to the configured blacklist.
The plugin is exclusively composed of the audit
goal. The goal can be linked at any stage of the Maven lifecycle with the appropriate <executions/>
configuration.
The following configuration parameters are offered:
printLicenses
: prints the scanned licenses during the build (defaultfalse
)blacklistedLicenses
: list of licenses that will make the build fail if detectedfailBuildOnBlacklisted
: ifblacklistedLicenses
are configured and at least a violation is found, makes the build fail (defaultfalse
)processPlugins
: forces full lifecycle binding injection during the build: N.B. ensure this is set tofalse
forbundle
packages (defaultfalse
)resolveDependencies
: resolves artefact dependencies during the build (defaultfalse
)overruleOnNotBlacklisted
: causes the existence of a single permitted license for an artefact to override the existence of blacklisted licenses for the same artefact (e.g. logback) (defaulttrue
)
Parameter list blacklistedLicenses
is tricky to configure as some Maven artifacts use different names (e.g. Apache 2.0, Apache Apache License, Version 2.0, Apache Version 2.0, etc...) for the same license.
For this reason the plugin supports Regex expressions. You can define a regex for a license by prefixing the string with "regex:" like this:
<license>regex:Apache.*</license>
. Literal string names and regex strings are also case insensitive to make them a little easier.
Plugin configuration example in a project:
<plugin>
<groupId>com.github.carlomorelli</groupId>
<artifactId>licensescan-maven-plugin</artifactId>
<version>2.1</version>
<configuration>
<printLicenses>true</printLicenses>
<blacklistedLicenses>
<license>GNU General Public License, v2.0</license>
<license>GNU General Public License, v3.0</license>
<license>.*Affero.*</license>
</blacklistedLicenses>
<failBuildOnBlacklisted>true</failBuildOnBlacklisted>
<processPlugins>false</processPlugins>
<resolveDependencies>false</resolveDependencies>
<overruleOnNotBlacklisted>true</overruleOnNotBlacklisted>
</configuration>
<executions>
<execution>
<phase>compile</phase> <!-- use your preferred goal, for me it makes sense to do the check at compile time -->
<goals>
<goal>audit</goal>
</goals>
</execution>
</executions>
</plugin>
The plugin is released through Jitpack, thus the following block needs also to be enabled in your pom.xml
:
<pluginRepositories>
<pluginRepository>
<id>jitpack.io</id>
<url>https://jitpack.io</url>
</pluginRepository>
</pluginRepositories>
If the <executions/>
block is configured, the plugin will run during your selected lifecycle. Otherwise, you can launch the execution independently with:
mvn licensescan:audit
Let me know if you find this plugin useful!
--Carlo