Tags: java, maven, open-source

Automatically get License Information of all dependent open source artifacts in a commercial project


In our company there are many JEE backend applications which are deployed to JFrog Artifactory. Each of these projects contains some dependencies on other Maven repository sources, which in turn have a lot of other dependencies. So when I use one of the dependencies, like

<project>
  ...
  <dependencies>
    <dependency>
      <groupId>sample.ProjectA</groupId>
      <artifactId>Project-A</artifactId>
      <version>1.0</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>

Sample.ProjectA.Project-A could have some commercial dependencies. I see that Maven uses the licenses field to hold license info:

  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
      <distribution>repo</distribution>
    </license>
  </licenses>

I also found a way to get the Maven licenses with the project info reports plugin, maven-project-info-reports-plugin.

Now it would be great to tell Maven to warn if there are any commercial licenses. Is there a possibility to do that?


Solution

There are a couple of Maven plugins that verify the licenses used by a project's dependencies:

  • "ayoy-license-verifier-maven-plugin" (reference)
  • "khmarbaise/Maven-License-Verifier-Plugin" (reference)

However, there are problems with this approach:

  • Some Maven artifacts do not declare a license in their POM files.
  • These plugins rely on the <license> in a dependency's POM using well-known names or URLs for the licenses. Unfortunately, these are not standardized (as illustrated in the example "licenses.xml" files). It is up to you to figure out a way to deal with this.
  • These plugins do not attempt to classify licenses as "commercial" or "non-commercial". You have to work that out for yourself.
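The three problems listed in the answer (missing license elements, non-standardized names and URLs, and the absence of any commercial/non-commercial classification) can be handled with a small audit script of your own. The following is an added example, not code from the question, the answer or either plugin named above. It parses the <licenses> element of each POM, maps the declared name or URL to a canonical id through alias tables, and checks the result against an allow-list. The POM texts, the alias tables, the allow-list and the Maven coordinates are all constructed for the demonstration; in a real run you would feed it the POMs of the resolved dependency tree from the local repository or Artifactory.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed POM contents keyed by hypothetical coordinates (groupId:artifactId:version).
SAMPLE_POMS: Dict[str, str] = {
    # well-known name and URL
    "sample.ProjectA:Project-A:1.0": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>Apache License, Version 2.0</name>
  <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url></license></licenses></project>""",
    # non-standard name, recognisable only through its URL
    "sample.ProjectB:Project-B:2.3": """<project><licenses><license>
  <name>The Apache Software License</name>
  <url>https://www.apache.org/licenses/LICENSE-2.0</url></license></licenses></project>""",
    # declared, but with a name the alias table does not know (needs manual review)
    "sample.ProjectC:Project-C:0.9": """<project><licenses><license>
  <name>Vendor Commercial EULA</name></license></licenses></project>""",
    # no <licenses> element at all
    "sample.ProjectD:Project-D:1.1": "<project><artifactId>Project-D</artifactId></project>",
    # recognised license that the policy does not allow
    "sample.ProjectE:Project-E:3.0": """<project><licenses><license>
  <name>GNU General Public License v3</name></license></licenses></project>""",
}

# Hypothetical alias tables mapping the spellings seen in POMs to one canonical id.
# Maintaining these tables is the manual work the answer refers to.
NAME_ALIASES: Dict[str, str] = {
    "apache license, version 2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "asl 2.0": "Apache-2.0",
    "mit license": "MIT",
    "gnu general public license v3": "GPL-3.0",
}
URL_ALIASES: Dict[str, str] = {
    "apache.org/licenses/license-2.0": "Apache-2.0",
    "opensource.org/licenses/mit": "MIT",
    "gnu.org/licenses/gpl-3.0": "GPL-3.0",
}
# Hypothetical policy: only these canonical ids may be used by this project.
ALLOWED_LICENSES = {"Apache-2.0", "MIT"}


def _local(tag: str) -> str:
    """Strip the XML namespace: '{uri}license' -> 'license'."""
    return tag.rsplit("}", 1)[-1]


def extract_licenses(pom_xml: str) -> List[Dict[str, str]]:
    """Return every <license> entry of a POM as a {'name': ..., 'url': ...} dict."""
    entries = []
    for lic in ET.fromstring(pom_xml).iter():
        if _local(lic.tag) != "license":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in lic}
        entries.append({"name": fields.get("name", ""), "url": fields.get("url", "")})
    return entries


def _normalize_url(url: str) -> str:
    """Drop scheme, 'www.' and a trailing '.txt', '.html' or '/' so URL variants collide."""
    url = url.strip().lower().split("://", 1)[-1]
    url = re.sub(r"^www\.", "", url)
    return re.sub(r"(\.txt|\.html|/)$", "", url)


def canonical_license(name: str, url: str) -> Optional[str]:
    """Map a declared name/URL pair to a canonical id, or None if unrecognised."""
    key = re.sub(r"\s+", " ", name.strip().lower())
    if key in NAME_ALIASES:
        return NAME_ALIASES[key]
    return URL_ALIASES.get(_normalize_url(url)) if url else None


def classify(entries: List[Dict[str, str]]) -> Tuple[str, str]:
    """Classify one artifact as allowed / denied / unknown / missing, with a detail string."""
    if not entries:
        return "missing", "POM declares no <licenses>"
    known = [i for i in (canonical_license(e["name"], e["url"]) for e in entries) if i]
    # Dual-licensed artifacts pass if any of their recognised licenses is allowed.
    if any(i in ALLOWED_LICENSES for i in known):
        return "allowed", ", ".join(known)
    if known:
        return "denied", ", ".join(known)
    return "unknown", "; ".join(e["name"] or e["url"] or "?" for e in entries)


def audit_poms(poms: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Classify every POM; the report is keyed by the artifact coordinates."""
    return {coords: classify(extract_licenses(xml)) for coords, xml in poms.items()}


def violations(report: Dict[str, Tuple[str, str]]) -> List[str]:
    """Coordinates that should fail the build: anything that is not 'allowed'."""
    return sorted(c for c, (status, _) in report.items() if status != "allowed")


if __name__ == "__main__":
    report = audit_poms(SAMPLE_POMS)
    for coords, (status, detail) in report.items():
        print(f"{status:8} {coords}  ({detail})")
    if violations(report):
        raise SystemExit("license policy violations found")
```

Treating "missing" and "unknown" as failures (rather than silently skipping them) is the important design choice: an artifact with no license element, or with a license string the alias table has never seen, is exactly the case where a commercial license can slip through, so it should stop the build until someone adds the artifact's real license to the table or to the allow-list.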