Hi,
Thanks for the suggestion. I tried the following command:
`mvn license:add-third-party -Dlicense.useMissingFile`
The command outputs all the 3rd party licenses for the module. I did
further investigation with the following command:
`find . -name THIRD-PARTY.txt | xargs grep GPL | grep -v Apache | grep -v MIT | grep -v CDDL`
./dubbo-registry/dubbo-registry-nacos/target/generated-sources/license/THIRD-PARTY.txt:
(GNU Lesser General Public License (LGPL), Version 2.1) Jackson
(org.codehaus.jackson:jackson-core-lgpl:1.9.6 -
http://jackson.codehaus.org)
./dubbo-registry/dubbo-registry-nacos/target/generated-sources/license/THIRD-PARTY.txt:
(GNU Lesser General Public License (LGPL), Version 2.1) Data
Mapper for Jackson (org.codehaus.jackson:jackson-mapper-lgpl:1.9.6 -
http://jackson.codehaus.org)
I think the dependency issue could be found for:
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-lgpl</artifactId>
</dependency>
But for optional dependencies, there is no output.
<dependency>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-annotations</artifactId>
<optional>true</optional>
</dependency>
I checked the documentation [1]; there is an option
"<includeOptional>" to include optional dependencies, and its
default value is true. But I don't know why it is not included.
[1] https://www.mojohaus.org/license-maven-plugin/add-third-party-mojo.html
On Mon, Apr 1, 2019 at 7:26 PM YunKun Huang <[email protected]> wrote:
>
> Sorry, I copied the wrong one for the second one
>
> Second one should be `mvn license:add-third-party -Dlicense.useMissingFile`
>
> On 2019/04/01 11:22:03, YunKun Huang <[email protected]> wrote:
> > I guess these two plugins can help:
> >
> > 1. mvn project-info-reports:dependencies
> > it will generate an HTML file in the target/site folder and list all
> > dependencies' licenses
> >
> > 2. mvn project-info-reports:licenses
> > it will generate a license report (plain text) in src/license and allow you
> > to fill in license info if some library's license info can't be received by default.
> >
> > I suggest we use the second one to generate license info with Travis CI and
> > throw an exception when some license is not allowed by the project
> >
> > Regards,
> > Yunkun
> >
> > On 2019/04/01 10:14:57, Huxing Zhang <[email protected]> wrote:
> > > Hi,
> > >
> > > When I was looking at this issue [1], I realized that Dubbo may have the
> > > same issue.
> > > From Dubbo 2.7.1 and 2.6.6 onwards the Nacos support has been added,
> > > where the following dependency has been added:
> > >
> > > <dependency>
> > > <groupId>com.alibaba.nacos</groupId>
> > > <artifactId>nacos-client</artifactId>
> > > <version>${nacos.version}</version>
> > > <optional>true</optional>
> > > </dependency>
> > >
> > > which depends on the following dependencies:
> > >
> > > <dependency>
> > > <groupId>org.codehaus.jackson</groupId>
> > > <artifactId>jackson-mapper-lgpl</artifactId>
> > > </dependency>
> > >
> > > <dependency>
> > > <groupId>com.github.spotbugs</groupId>
> > > <artifactId>spotbugs-annotations</artifactId>
> > > <optional>true</optional>
> > > </dependency>
> > >
> > > which is LGPL v2.1 licensed.
> > >
> > > This means nacos-client should not be Apache Licensed as claimed, and
> > > Dubbo could not depend on nacos-client.
> > >
> > > I have contacted the Nacos team and they are addressing this issue.
> > >
> > > My question is how to avoid this kind of issue?
> > > Should we check every newly added dependency for license compatibility?
> > > Are there any tools which can do automatic scanning?
> > >
> > > [1] https://github.com/apache/incubator-skywalking/pull/2422
> > >
> > > --
> > > Best Regards!
> > > Huxing
> > >
> >
--
Best Regards!
Huxing
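The `find | xargs grep GPL | grep -v ...` pipeline in the message above is the whole check in one line; the following is an added example, written for this page and not code from the Dubbo project, the Nacos project or the license-maven-plugin, of the same check done as a script that could fail a CI build, as suggested in the thread. It assumes the plugin's default THIRD-PARTY.txt line layout, `(License A) [(License B) ...] Artifact Name (groupId:artifactId:version - url)`, assumes that an artifact offered under several licenses may be used under any one of them (so one approved license clears it), and assumes entries without resolvable license information appear as `(Unknown license)`. The approved and forbidden patterns are an illustrative policy, not the ASF's list. The two LGPL entries in the embedded sample copy the lines found above; the other sample entries are constructed.

```python
"""Flag GPL-family licenses in license-maven-plugin THIRD-PARTY.txt output.

Added example, not part of Dubbo or the plugin. Assumed line format:
    (License A) [(License B) ...] Artifact Name (groupId:artifactId:version - url)
"""
import os
import re
import sys

# Illustrative policy (assumption, not the ASF list), matched case-insensitively.
APPROVED = [r"apache", r"\bMIT\b", r"\bBSD", r"CDDL", r"common development and distribution",
            r"eclipse", r"\bEPL\b", r"public domain", r"\bMPL\b", r"mozilla"]
FORBIDDEN = [r"GPL", r"general public license"]   # matches GPL, LGPL, AGPL, GPLv2 ...


def _leading_groups(line):
    """Split off the balanced '(...)' groups at the start of a line.

    License names can contain nested parentheses, e.g.
    '(GNU Lesser General Public License (LGPL), Version 2.1)', so a regex on
    '\\(([^)]*)\\)' would truncate them; nesting depth is tracked instead.
    """
    groups, i = [], 0
    while i < len(line) and line[i] == "(":
        depth, j = 0, i
        while j < len(line):
            if line[j] == "(":
                depth += 1
            elif line[j] == ")":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth != 0:
            raise ValueError("unbalanced parentheses: " + line)
        groups.append(line[i + 1:j])
        i = j + 1
        while i < len(line) and line[i] == " ":
            i += 1
    return groups, line[i:]


def parse_entry(line):
    """Parse one dependency line into (licenses, name, gav, url); None for non-entries."""
    line = line.strip()
    if not line.startswith("(") or not line.endswith(")"):
        return None  # e.g. the 'Lists of N third-party dependencies.' header
    licenses, rest = _leading_groups(line)
    k = rest.rfind("(")  # the trailing '(coordinates - url)' group
    if not licenses or k < 0:
        return None
    name = rest[:k].strip()
    gav, _, url = rest[k + 1:-1].partition(" - ")
    return licenses, name, gav, url.strip()


def classify_license(license_name):
    if any(re.search(p, license_name, re.I) for p in APPROVED):
        return "approved"
    if any(re.search(p, license_name, re.I) for p in FORBIDDEN):
        return "forbidden"
    return "unknown"


def verdict(licenses):
    """Assumption: a multi-licensed artifact may be used under any one license."""
    cats = {classify_license(name) for name in licenses}
    if "approved" in cats:
        return "approved"
    if "forbidden" in cats:
        return "forbidden"
    return "unknown"


def scan_text(text):
    """Return [(verdict, gav, licenses)] for every entry that is not approved."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        licenses, _name, gav, _url = entry
        v = verdict(licenses)
        if v != "approved":
            findings.append((v, gav, licenses))
    return findings


def scan_tree(root):
    """Scan every THIRD-PARTY.txt under root, as the find pipeline did."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "THIRD-PARTY.txt" in files:
            with open(os.path.join(dirpath, "THIRD-PARTY.txt"), encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read()))
    return findings


# Constructed sample in the assumed format: the two LGPL lines copy the thread's
# finding, the remaining entries are invented to exercise the other paths.
SAMPLE = """\
Lists of 5 third-party dependencies.
     (GNU Lesser General Public License (LGPL), Version 2.1) Jackson (org.codehaus.jackson:jackson-core-lgpl:1.9.6 - http://jackson.codehaus.org)
     (GNU Lesser General Public License (LGPL), Version 2.1) Data Mapper for Jackson (org.codehaus.jackson:jackson-mapper-lgpl:1.9.6 - http://jackson.codehaus.org)
     (The Apache Software License, Version 2.0) Gson (com.google.code.gson:gson:2.8.5 - https://github.com/google/gson)
     (CDDL 1.1) (GPLv2 with classpath exception) Dual Licensed Lib (org.example:dual:1.0 - http://example.invalid)
     (Unknown license) widget (org.example:widget:0.1 - no url defined)
"""

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for v, gav, lics in results:
        print(f"{v:9} {gav}  [{'; '.join(lics)}]")
    sys.exit(1 if any(v == "forbidden" for v, _, _ in results) else 0)
```

Run as `python check_licenses.py .` after `mvn license:add-third-party` to walk every module's `target/generated-sources/license/THIRD-PARTY.txt`; with no argument it scans the embedded sample. The exit status is non-zero only for forbidden entries, so unknown licenses are reported for review without breaking the build; a stricter policy would fail on those too. Note that the dual-licensed sample passes because one of its licenses is approved, which is the same effect as the `grep -v CDDL` in the original pipeline, but done per license name rather than per line.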