When I add a dependency to my maven projects, I like to add some comments to indicate what it is, and what license it's released under, for example:
    <!-- XML parser -->
    <!-- Apache License, Version 2.0 -->
    <dependency>
        <groupId>xerces</groupId>
        <artifactId>xercesImpl</artifactId>
        <version>2.9.1</version>
        <scope>compile</scope>
    </dependency>
My main concern is being able to check (manually, for now) that the licenses are all compatible with one another. The pom.xml documentation states:
Note that a project should list only licenses that may apply directly to this project, and not list licenses that apply to this project's dependencies.
Is there a better way to capture this metadata? Maybe a way to "override" the <licenses>
information from a dependency's POM if it's missing?
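As an added illustration (not part of the question, and not any Maven plugin's code), here is a small script that automates the manual check described above: it reads the licence comment placed directly before each <dependency> and flags dependencies whose comment is missing or names a licence outside an allow-list. It assumes Python 3.8+ (comment-preserving TreeBuilder), a constructed pom fragment whose coordinates other than xerces are made up, and an allow-list chosen for the example.

```python
import xml.etree.ElementTree as ET

# Constructed pom fragment using the question's convention: a licence comment
# sits directly above each <dependency>. Coordinates other than xerces are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <!-- XML parser -->
    <!-- Apache License, Version 2.0 -->
    <dependency><groupId>xerces</groupId><artifactId>xercesImpl</artifactId>
      <version>2.9.1</version><scope>compile</scope></dependency>
    <!-- GNU General Public License, Version 3.0 -->
    <dependency><groupId>example.org</groupId><artifactId>gpl-lib</artifactId>
      <version>1.0</version></dependency>
    <dependency><groupId>example.org</groupId><artifactId>undocumented</artifactId>
      <version>0.1</version></dependency>
  </dependencies>
</project>"""

# Licences this project is willing to combine with (an assumption for the example).
ALLOWED_LICENSES = {"Apache License, Version 2.0", "MIT License", "BSD 3-Clause License"}


def _local(tag):
    """Strip the POM namespace so 'dependency' matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else tag


def dependency_licenses(pom_xml):
    """Return [(groupId:artifactId:version, licence_comment_or_None)] in document order.

    Comments are kept in the tree (Python 3.8+); the last comment in the run that
    immediately precedes a <dependency> is taken as its licence line.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(pom_xml, parser=parser)
    results = []
    for deps in (e for e in root.iter() if _local(e.tag) == "dependencies"):
        pending = []
        for child in deps:
            if child.tag is ET.Comment:
                pending.append((child.text or "").strip())
                continue
            if _local(child.tag) == "dependency":
                f = {_local(c.tag): (c.text or "").strip() for c in child if c.tag is not ET.Comment}
                coord = f"{f.get('groupId')}:{f.get('artifactId')}:{f.get('version')}"
                results.append((coord, pending[-1] if pending else None))
            pending = []  # any non-comment node breaks the comment run
    return results


def find_license_problems(pom_xml, allowed=ALLOWED_LICENSES):
    """Coordinates whose licence comment is missing or not in the allow-list."""
    return [coord for coord, lic in dependency_licenses(pom_xml) if lic not in allowed]
```

Running `find_license_problems` on a real pom.xml only catches what the comments say, so it complements rather than replaces checking the actual licence declared in each dependency's own POM.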
First of all, you can't overwrite the licenses part of a POM, because it's not inherited. Secondly, you can automatically check the licenses of your dependencies using the Maven-Licenses-Verifier-Plugin (available via Maven Central), which will handle such a situation for you; furthermore, you can generate a report about it (Example).