Hi Jim,
Although it does not directly address your needs for license auditing, there is a plugin to produce SPDX documents containing detailed licensing information as part of a Maven goal. Many of the scanning tools such as FOSSology are generating (or planning to generate) SPDX documents (the version of FOSSology to generate SPDX is currently in beta). There are also a few commercial tools which generate SPDX. By using the plugin, you could use a scanning tool which supports SPDX and the plugin to capture and maintain the licensing information. SPDX currently maintains license information down to the source file level and maintains information on relationships to dependencies. We are planning to support licensing information down to the code snippet level in release 2.1 of the spec.

The plugin is in an "alpha" state and could use a bit more user testing before being broadly deployed. The project is hosted on GitHub at https://github.com/goneall/spdx-maven-plugin. Information on SPDX can be found at http://spdx.org/ and a list of tools that support SPDX can be found at http://spdx.org/tools.

Please let me know if you would like more information or have any feedback on this approach.

Thanks,
Gary O'Neall

From: Jim Klo [mailto:[email protected]]
Sent: Monday, September 28, 2015 9:13 AM
To: Maven Users List
Subject: License Auditing

Hi,

Looking for some guidance on doing some source license auditing. My needs are twofold. I need to track down all the licenses of all our dependencies, for which there seems to be an abundance of plugins. But I also need to audit the licenses of our committed source; as many come from open and non-open projects, I need to track the individual files as well.
I’ve started by using Apache RAT [1], which seems to be okay for auditing the source, but given that we have a significant number of modules, configuration of RAT is somewhat a pain (I have a bunch of custom license definitions and matchers) which seem to have to be added to every POM file (it doesn’t like going into the parent POM, likely because of the way we are using Tycho).

Can anyone recommend a plugin that might be better for my use case? I’d like to be able to have a single config file (or artifact) that contains the license declarations, and then be able to reference that from all my modules. The Codehaus License Maven Plugin [2] seems close to what I want, but I can’t seem to figure out how to get it to show me files that are missing license headers or even show me a per-file license summary. If anyone can point me to some examples or tutorials that explain this, that would be much appreciated.

[1] http://creadur.apache.org/rat/apache-rat-plugin/examples/custom-license.html
[2] http://www.mojohaus.org/license-maven-plugin/examples/example-thirdparty.html

Thanks,

JK

Jim Klo
Senior Software Engineer
Center for Software Engineering
SRI International
t. @nsomnac
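The two things the original post asks for (one shared set of license declarations, and a per-file summary that names the files with no recognised header) can be prototyped outside Maven while the plugin question is open. The script below is an added example written for this thread, not code from Apache RAT, the License Maven Plugin or the SPDX plugin; the license ids, header regexes and the sample tree are constructed, and it only classifies headers, so it says nothing about the license of a file body that carries no header or a misleading one.

```python
import pathlib
import re
from typing import Dict, List, Optional

# Central license declarations (constructed example). Keep one copy of this
# table in a shared artifact instead of repeating matchers in every module POM.
# Each regex is applied to the first HEADER_LINES lines of a source file only.
LICENSE_MATCHERS: Dict[str, re.Pattern] = {
    "Apache-2.0": re.compile(r"Licensed under the Apache License, Version 2\.0", re.I),
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
    "Proprietary-Example": re.compile(r"Copyright .* Example Corp\. All rights reserved", re.I),
}
HEADER_LINES = 20
SOURCE_SUFFIXES = (".java", ".py", ".xml", ".js")

def classify_header(text: str) -> Optional[str]:
    """Return the id of the first declared license whose matcher hits the header, else None."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    for license_id, pattern in LICENSE_MATCHERS.items():
        if pattern.search(header):
            return license_id
    return None

def audit(files: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Per-file license summary for a mapping of relative path -> file contents."""
    return {path: classify_header(text) for path, text in sorted(files.items())
            if path.endswith(SOURCE_SUFFIXES)}

def missing_headers(summary: Dict[str, Optional[str]]) -> List[str]:
    """Files whose header matched none of the declared licenses."""
    return [path for path, lic in summary.items() if lic is None]

def load_tree(root: str) -> Dict[str, str]:
    """Read every source file below a real checkout (multi-module trees included)."""
    base = pathlib.Path(root)
    return {str(p.relative_to(base)): p.read_text(errors="replace")
            for p in base.rglob("*") if p.is_file() and p.suffix in SOURCE_SUFFIXES}

# Constructed sample tree standing in for a two-module checkout.
SAMPLE_TREE = {
    "module-a/src/Main.java": "/*\n * Licensed under the Apache License, Version 2.0\n */\npackage a;",
    "module-a/src/Vendored.js": "// Permission is hereby granted, free of charge, to any person\nexport {};",
    "module-b/src/Secret.java": "// Copyright 2015 Example Corp. All rights reserved.\npackage b;",
    "module-b/src/Util.java": "package b;\npublic class Util {}",
    "module-b/README.md": "not a source file, so it is skipped",
}

if __name__ == "__main__":
    result = audit(SAMPLE_TREE)  # swap in load_tree("path/to/checkout") for a real run
    for path, lic in result.items():
        print(f"{lic or 'MISSING':<20} {path}")
    print("files without a recognised header:", missing_headers(result))
```

Because only the first HEADER_LINES lines are inspected, a license notice buried further down a file is reported as MISSING, which is the conservative outcome for an audit.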
