Fork me on GitHub

Third-party

The license-maven-plugin provides some goals to help deal with dependencies that do not provide license metadata in their pom.xml files. These are referred to as 'third party' items. The overall goal is to allow you keep track of your dependencies' licenses, through build warnings, errors, output files, or site plugin report content.

The simplest thing you can do is to get a report of third-party items. Use the third-party-report report-set for that.

If you have dependencies that lack licenses, you can create your own metadata to document their licenses. These are called missing files. missing file is a Java properties file that maps from a specification for Maven coordinates to a license description. For example:

org.codehaus.mojo.license.test--test-add-third-party-global-db-misc-dep--1=The Apache Software License, Version 2.0

Note that this plugin assumes that all the artifacts from a single build have the same license. After all, they share a POM. So these properties call out group, artifact, and version, but not classifier or type.

The plugin can read a missing files from several locations:

  • A file in the local build, specified by missingFile.
  • One or more additional artifacts associated with your dependencies. If you enable this feature, via the useRepositoryMissingFiles parameter, the plugin will look for additional artifacts with a classifier of third-party and a type of properties that correspond to your dependencies, and add their contents to the missing data.
  • One or more dependencies of type license.properties that you declare in your build as dependencies. This allows you to create a shared repository of license information.

There are two goals in the plugin that assist in creating missing files and producing simple, plain-text, reports.

add-third-party goal

This goal build the THIRD-PARTY.txt file and add it in the build.

For dependencies with no license, we consolidate the generated file by filling another file (the missing file) for dependencies with no license information available. This missing file can also be attached to build (so deployed into remote repositories) to help filling other missing files for projects using this dependency.

Note: This mojo has not effect on a pom project.

For full detail see detail page.

aggregate-add-third-party goal

This goal build the THIRD-PARTY.txt file on a multi-module project from the dependencies of all his modules.

Note: This mojo has only effect on a pom project.

For full detail see detail page.

Change the format of the third-party file

Since version 1.1, it is possible to give a freemarker template (fill the fileTemplate property of the mojo) to says how to generate the file.

Have a look on existing templates : https://github.com/mojohaus/license-maven-plugin/tree/master/src/main/resources/org/codehaus/mojo/license

Change artifacts order

Since version 1.6, you can let artifacts order by the groupId:artifactId:version, or choose to sort them by their name (set for that property sortArtifactByName to true)

  <sortArtifactByName>true</sortArtifactByName>

How to consolidate the THIRD-PARTY file

It is possible to improve the THIRD-PARTY file :

- Fill back missing license for dependencies.

- Merge licenses (same license but named differently in dependencies poms).

Add missing licenses

While using configuration's property useMissingfile on third-party goals, it will create (or read for aggregate) a file located from property missingFile (by default src/license/THIRD-PARTY.properties).

In this file, we find dependencies with no license, you just have to fill correct licenses. You can add multipe licenses by using | as separator char.

Once the file filled, just relaunch the goal to integrate your modifications in the generated THIRD-PARTY file.

Example

Given a pom with these dependencies :

  <dependencies>

    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.1</version>
    </dependency>

    <dependency>
      <groupId>commons-primitives</groupId>
      <artifactId>commons-primitives</artifactId>
      <version>1.0</version>
    </dependency>

  </dependencies>

Here is a THIRD-PARTY file with unnamed licenses launched by

mvn license:add-third-party -Dlicense.useMissingFile

List of 2 third-party dependencies.

 (The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.1 - http://commons.apache.org/logging)
 (Unknown license) Unnamed - commons-primitives:commons-primitives:jar:1.0 (commons-primitives:commons-primitives:1.0 - no url defined)

And the generated THIRD-PARTY.properties file :

# Generated by org.codehaus.mojo.license.AddThirdPartyMojo
#-------------------------------------------------------------------------------
# Already used licenses in project :
# - The Apache Software License, Version 2.0
#-------------------------------------------------------------------------------
# Please fill the missing licenses for dependencies :
#
#
#Fri Jun 25 10:56:39 CEST 2010
commons-primitives--commons-primitives--1.0=

Fills the file :

# Generated by org.codehaus.mojo.license.AddThirdPartyMojo
#-------------------------------------------------------------------------------
# Already used licenses in project :
# - The Apache Software License, Version 2.0
#-------------------------------------------------------------------------------
# Please fill the missing licenses for dependencies :
#
#
#Fri Jun 25 10:56:39 CEST 2010
commons-primitives--commons-primitives--1.0=The Apache Software License, Version 2.0

Finally, relaunch the goal to obtain new generated THIRD-PARTY.txt file :

List of 2 third-party dependencies.

 (The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.1 - http://commons.apache.org/logging)
 (The Apache Software License, Version 2.0) Unnamed - commons-primitives:commons-primitives:jar:1.0 (commons-primitives:commons-primitives:1.0 - no url defined)

Merge licenses.

To merge licenses added in THIRD-PARTY file, you have to add a licenseMerges to the plugin this configuration :

Each entry of licenseMerges describe a merge, the first license is the one to keep.

Example

Given a pom with these dependencies :

  <dependencies>

    <!-- use license 'The Apache Software License, Version 2.0' -->
    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.1</version>
    </dependency>

    <!-- use license 'Apache License, Version 2.0' -->
    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>filters</artifactId>
      <version>2.0.235</version>
    </dependency>

    <!-- use license 'Apache Public License 2.0' -->
    <dependency>
      <groupId>org.sonatype.plexus</groupId>
      <artifactId>plexus-cipher</artifactId>
      <version>1.4</version>
    </dependency>

  </dependencies>

While executing add-third-party goal, we obtain the following THIRD-PARTY file :

List of 2 third-party dependencies.

 (Apache License, Version 2.0) JHLabs Image Processing Filters (com.jhlabs:filters:2.0.235 - http://www.jhlabs.com/ip/index.html)
 (The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.1 - http://commons.apache.org/logging)
 (Apache Public License 2.0) Plexus Cipher: encryption/decryption Component (org.sonatype.plexus:plexus-cipher:1.4 - http://spice.sonatype.org/plexus-cipher)

Now, adds this configuration in your pom

    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>license-maven-plugin</artifactId>
          <version>1.14</version>
          <executions>
            <execution>
              <id>default-cli</id>
              <configuration>
                <licenseMerges>
                  <licenseMerge>The Apache Software License, Version 2.0|Apache License, Version 2.0|Apache Public License 2.0</licenseMerge>
                </licenseMerges>
              </configuration>
            </execution>
          </executions>
        </plugin>
        ...
      </plugins>
    </pluginManagement>

and relaunch the goal, we now obtain the following THIRD-PARTY file :

List of 2 third-party dependencies.

 (The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.1 - http://commons.apache.org/logging)
 (The Apache Software License, Version 2.0) JHLabs Image Processing Filters (com.jhlabs:filters:2.0.235 - http://www.jhlabs.com/ip/index.html)
 (The Apache Software License, Version 2.0) Plexus Cipher: encryption/decryption Component (org.sonatype.plexus:plexus-cipher:1.4 - http://spice.sonatype.org/plexus-cipher)

Note: From version 1.4, you can have split a license merge into some entries (before a destination license should be unique), you can now write:

    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>license-maven-plugin</artifactId>
          <version>1.14</version>
          <executions>
            <execution>
              <id>default-cli</id>
              <configuration>
                <licenseMerges>
                  <licenseMerge>The Apache Software License, Version 2.0|Apache License, Version 2.0</licenseMerge>
                  <licenseMerge>The Apache Software License, Version 2.0|Apache Public License 2.0</licenseMerge>
                </licenseMerges>
              </configuration>
            </execution>
          </executions>
        </plugin>
        ...
      </plugins>
    </pluginManagement>

Note': From version 1.4 extra space before and after a license are ignored so you can have also this configuration:

    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>license-maven-plugin</artifactId>
          <version>1.14</version>
          <executions>
            <execution>
              <id>default-cli</id>
              <configuration>
                <licenseMerges>
                  <licenseMerge>  The Apache Software License, Version 2.0  |

                  Apache License, Version 2.0  </licenseMerge>
                  <licenseMerge>

                  The Apache Software License, Version 2.0  |

                  Apache Public License 2.0

                  </licenseMerge>
                </licenseMerges>
              </configuration>
            </execution>
          </executions>
        </plugin>
        ...
      </plugins>
    </pluginManagement>

Override identified licenses (Since 1.12)

Sometimes, identified licenses are wrong, using the overrideFile permits to fix them.

For each dependency you want to fix, just add in this properties file a line

org.jboss.xnio--xnio-api--3.3.6.Final=The Apache Software License, Version 2.0

The default location of the override file is src/main/license/override-THIRD-PARTY.properties.

Attach missing files to build

When your licenses missing file is filled for a project, then this file will be attached to the build with a classifier third-parties and type properties.

If another project use this artifact, then it will load if required the missing third party file from repository (local or remote) and begin to fill the new missing licenses file.

Include / Exclude some licenses

Since version 1.1, you can have more control on licenses used in your project.

Use the includedLicenses (whitelist of licenses) or/and excludedLicenses (blacklist of licenses).

These parameters contains licenses separated by |: ------------------------------------------------------------------------------- configuration ... includedLicensesThe Apache Software License, Version 2.0|BSD License/includedLicenses excludedLicensesBad license 1|Bad license 2/excludedLicenses ... /configuration -------------------------------------------------------------------------------

Since version 1.4, you can also use a list format: ------------------------------------------------------------------------------- configuration ... includedLicenses includedLicenseThe Apache Software License, Version 2.0/includedLicense includedLicenseBSD License/includedLicense /includedLicenses excludedLicenses excludedLicenseBad license 1/excludedLicense excludedLicenseBad license 2/excludedLicense /excludedLicenses ... /configuration -------------------------------------------------------------------------------

Note that any extra space at the start or end of a license will be removed.

If parameter failIfWarning is set to true, then build will fail if one license is not in whiltelist or is in blacklist.

Filter the dependencies

  • Include or exclude scopes

    You can include all dependencies or exclude them for one or many given scopes.

  • Include ArtifactIds or GroupIds

    You can include artifacts from their artifactIds or groupIds.

  • Exclude ArtifactIds or GroupIds

    You can exclude artifacts from their artifactIds or groupIds.

  • Include - Exclude : priority

    Note that the exclude filter prevails on include filter. So, if we include an artifact but exclude its groupId, it will not be referred in THIRD-PARTY file.

exclude scopes

Using configuration's property excludedScopes, will remove from the THIRD-PARTY file all the dependencies coming from the given scopes.

Example

Given a pom with these dependencies :

  <dependencies>

    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.1</version>
      <scope>test</scope>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>filters</artifactId>
      <version>2.0.235</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>javaproj</artifactId>
      <version>1.0</version>
    </dependency>

  </dependencies>

While executing mvn license:add-third-party -Dlicense.excludedScopes=test, we obtain the following THIRD-PARTY file :

List of 2 third-party dependencies.

 (Apache License, Version 2.0) JHLabs Image Processing Filters (com.jhlabs:filters:2.0.235 - http://www.jhlabs.com/ip/index.html)
 (The Apache Software License, Version 2.0) JHlabs Java Projection Library (com.jhlabs:javaproj:1.0 - http://www.jhlabs.com/java/maps/proj/index.html)

include scopes

Using configuration's property includedScopes, will only put in the THIRD-PARTY file all the dependencies coming from the given scopes.

Example

Given a pom with these dependencies :

  <dependencies>

    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.1</version>
      <scope>test</scope>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>filters</artifactId>
      <version>2.0.235</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>javaproj</artifactId>
      <version>1.0</version>
    </dependency>

  </dependencies>

While executing mvn license:add-third-party -Dlicense.includedScopes=test, we obtain the following THIRD-PARTY file :

List of 1 third-party dependency.

 (The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.1 - http://commons.apache.org/logging)

exclude groupIds

Using configuration's property excludedGroups, will remove from the THIRD-PARTY file all the dependencies coming from the given groupIds.

Example

Given a pom with these dependencies :

  <dependencies>

    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.1</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>filters</artifactId>
      <version>2.0.235</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>javaproj</artifactId>
      <version>1.0</version>
    </dependency>

  </dependencies>

While executing mvn license:add-third-party -Dlicense.excludedGroups=com\.jhla.*, we obtain the following THIRD-PARTY file :

List of 1 third-party dependency.

 (The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.1 - http://commons.apache.org/logging)

exclude artifactIds

Using configuration's property excludedArtifacts, will remove from the THIRD-PARTY file all the dependencies coming from the given artifactIds.

Example

Given a pom with these dependencies :

  <dependencies>

    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.1</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>filters</artifactId>
      <version>2.0.235</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>javaproj</artifactId>
      <version>1.0</version>
    </dependency>

  </dependencies>

While executing mvn license:add-third-party -Dlicense.excludedArtifacts=javaproj, we obtain the following THIRD-PARTY file :

List of 2 third-party dependencies.

  (Apache License, Version 2.0) JHLabs Image Processing Filters (com.jhlabs:filters:2.0.235 - http://www.jhlabs.com/ip/index.html)
  (The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.1 - http://commons.apache.org/logging)

include groupIds

Using configuration's property includedGroups, will only put in the THIRD-PARTY file all the dependencies coming from the given groupIds.

Example

Given a pom with these dependencies :

  <dependencies>

    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.1</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>filters</artifactId>
      <version>2.0.235</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>javaproj</artifactId>
      <version>1.0</version>
    </dependency>

  </dependencies>

While executing mvn license:add-third-party -Dlicense.includedGroups=com\.jhlabs, we obtain the following THIRD-PARTY file :

List of 2 third-party dependencies.

  (Apache License, Version 2.0) JHLabs Image Processing Filters (com.jhlabs:filters:2.0.235 - http://www.jhlabs.com/ip/index.html)
  (The Apache Software License, Version 2.0) JHlabs Java Projection Library (com.jhlabs:javaproj:1.0 - http://www.jhlabs.com/java/maps/proj/index.html)

include artifactIds

Using configuration's property includedArtifacts, will only put in the THIRD-PARTY file all the dependencies coming from the given artifactIds.

Example

Given a pom with these dependencies :

  <dependencies>

    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.1</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>filters</artifactId>
      <version>2.0.235</version>
    </dependency>

    <dependency>
      <groupId>com.jhlabs</groupId>
      <artifactId>javaproj</artifactId>
      <version>1.0</version>
    </dependency>

  </dependencies>

While executing mvn license:add-third-party -Dlicense.includedArtifacts=filters, we obtain the following THIRD-PARTY file :

List of 1 third-party dependency.

  (Apache License, Version 2.0) JHLabs Image Processing Filters (com.jhlabs:filters:2.0.235 - http://www.jhlabs.com/ip/index.html)