Maven plugin for analysing the licenses in dependencies and transitive dependencies, asserting compatibility and potentially fail the build if blacklisted licenses appear

adwk67/licensescan-maven-plugin

LicenseScan Maven Plugin

The LicenseScan Maven plugin audits the direct and transitive dependencies in the compile and runtime scopes and can fail the build if any of them declares a license that appears on the configured blacklist.

The plugin provides a single goal, audit. It can be bound to any phase of the Maven lifecycle with an appropriate <executions/> configuration.

The following configuration parameters are available:

  • printLicenses: prints every license found during the scan (default false)
  • blacklistedLicenses: list of license names (literal or regex:, see below) that count as violations when detected
  • failBuildOnBlacklisted: if blacklistedLicenses is configured and at least one violation is found, fails the build; with the default, violations are reported but do not break the build (default false)
  • processPlugins: forces full lifecycle binding injection during the build. N.B. ensure this is set to false for bundle packages (default false)
  • resolveDependencies: resolves artefact dependencies during the build (default false)
  • overruleOnNotBlacklisted: if an artefact declares several licenses and at least one of them is not blacklisted, the artefact passes even though another of its licenses is blacklisted (useful for dual-licensed artefacts such as logback). Set it to false if any blacklisted license on such an artefact should still fail the build (default true)

The blacklistedLicenses list is tricky to configure because Maven artifacts use different names for the same license (e.g. "Apache 2.0", "Apache License, Version 2.0", "Apache Version 2.0", and so on). For this reason the plugin also accepts regular expressions: prefix the entry with "regex:", for example <license>regex:Apache.*</license>. Both literal names and regex entries are matched case-insensitively, so you do not have to list every capitalisation variant.
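To make the matching rules concrete, here is a small added Python model of the audit as the parameters above describe it. It is not the plugin's own code: the artifact coordinates and license strings are constructed for the example, and it assumes a "regex:" entry must match the whole license name (the README's ".*"-padded patterns suggest that), which may differ from the real implementation. It shows a literal hit with different capitalisation, a literal miss on a near-identical license name that only a regex catches, a regex hit, and how overruleOnNotBlacklisted lets a dual-licensed artefact through.

```python
import re
from typing import Callable, Dict, List, Sequence, Tuple

REGEX_PREFIX = "regex:"

# Constructed sample input: artifact coordinate -> license names as declared in the POMs.
# All artifacts and license strings here are hypothetical, chosen to exercise each rule.
SAMPLE_DEPENDENCIES: Dict[str, List[str]] = {
    "org.example:apache-lib:1.0": ["Apache 2.0"],
    "org.example:gpl-lib:1.0": ["GNU GENERAL PUBLIC LICENSE, V2.0"],            # literal hit, other case
    "org.example:gpl-variant:1.0": ["GNU General Public License, version 2"],   # literal miss
    "org.example:agpl-lib:1.0": ["GNU Affero General Public License v3"],       # regex hit
    "org.example:dual-lib:1.0": ["GNU General Public License, v2.0",
                                 "Apache License, Version 2.0"],                # dual-licensed
}

# Same entries as the blacklistedLicenses block in the README example.
SAMPLE_BLACKLIST: List[str] = [
    "GNU General Public License, v2.0",
    "GNU General Public License, v3.0",
    "regex:.*Affero.*",
]

Matcher = Callable[[str], bool]


def compile_blacklist(entries: Sequence[str]) -> List[Tuple[str, Matcher]]:
    """Turn blacklist entries into matchers.

    'regex:' entries become case-insensitive regular expressions that (assumption)
    must match the whole license name; everything else is a case-insensitive literal.
    """
    matchers: List[Tuple[str, Matcher]] = []
    for entry in entries:
        if entry.lower().startswith(REGEX_PREFIX):
            pattern = re.compile(entry[len(REGEX_PREFIX):], re.IGNORECASE)
            matchers.append((entry, lambda name, p=pattern: p.fullmatch(name) is not None))
        else:
            literal = entry.casefold()
            matchers.append((entry, lambda name, lit=literal: name.casefold() == lit))
    return matchers


def audit(dependencies: Dict[str, List[str]], blacklist: Sequence[str],
          overrule_on_not_blacklisted: bool = True) -> List[Tuple[str, List[str]]]:
    """Return [(artifact, [blacklisted licenses])] for every artifact that would fail.

    Models failBuildOnBlacklisted=true; overrule_on_not_blacklisted mirrors the plugin flag.
    """
    matchers = compile_blacklist(blacklist)
    violations: List[Tuple[str, List[str]]] = []
    for artifact, licenses in dependencies.items():
        hits = [lic for lic in licenses if any(m(lic) for _, m in matchers)]
        if not hits:
            continue
        permitted = [lic for lic in licenses if lic not in hits]
        if overrule_on_not_blacklisted and permitted:
            # One non-blacklisted license is enough to let a dual-licensed artifact through.
            continue
        violations.append((artifact, hits))
    return violations


if __name__ == "__main__":
    for artifact, hits in audit(SAMPLE_DEPENDENCIES, SAMPLE_BLACKLIST):
        print(f"VIOLATION {artifact}: {', '.join(hits)}")
```

Note what the run shows: gpl-variant is not flagged, because its name differs from the literal entry by a few characters, and dual-lib is not flagged with the default overrule setting even though one of its licenses is GPLv2. If either outcome is not what your policy wants, broaden the literal to a regex (e.g. regex:GNU General Public License.*) or set overruleOnNotBlacklisted to false.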

Plugin configuration example in a project:

  <plugin>
    <groupId>com.github.carlomorelli</groupId>
    <artifactId>licensescan-maven-plugin</artifactId>
    <version>2.1</version>
    <configuration>
      <printLicenses>true</printLicenses>
      <blacklistedLicenses>
        <license>GNU General Public License, v2.0</license>
        <license>GNU General Public License, v3.0</license>
        <!-- regex entries need the "regex:" prefix; without it the pattern is matched as a literal name -->
        <license>regex:.*Affero.*</license>
      </blacklistedLicenses>
      <failBuildOnBlacklisted>true</failBuildOnBlacklisted>
      <processPlugins>false</processPlugins>
      <resolveDependencies>false</resolveDependencies>
      <overruleOnNotBlacklisted>true</overruleOnNotBlacklisted>
    </configuration>
    <executions>
      <execution>
        <phase>compile</phase> <!-- use your preferred phase; for me it makes sense to do the check at compile time -->
        <goals>
          <goal>audit</goal>
        </goals>
      </execution>
    </executions>
  </plugin>

The plugin is published through JitPack, so the following plugin repository must also be declared in your pom.xml:

  <pluginRepositories>
    <pluginRepository>
      <id>jitpack.io</id>
      <url>https://jitpack.io</url>
    </pluginRepository>
  </pluginRepositories>

If the <executions/> block is configured, the plugin runs during the selected lifecycle phase. Otherwise, you can run the goal on its own with:

mvn licensescan:audit

Let me know if you find this plugin useful!

--Carlo
