Open lefevre00 opened 1 month ago
License lost for javax.servlet:javax.servlet-api:3.1.0 too.
Since the actual licence resolution is happening in the core library, I believe it's a bug there. In this plugin we are just using that implementation.
The packages that you mentioned are using quite a custom license: https://repo.maven.apache.org/maven2/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.pom
<licenses>
  <license>
    <name>CDDL + GPLv2 with classpath exception</name>
    <url>https://github.com/javaee/javax.annotation/blob/master/LICENSE</url>
    <distribution>repo</distribution>
    <comments>A business-friendly OSS license</comments>
  </license>
</licenses>
Which is not present in the license list.
Raised core library issue for this: https://github.com/CycloneDX/cyclonedx-core-java/issues/471
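A check for the regression reported in this issue, as an added example that is not part of the thread or of the CycloneDX project: it compares a BOM generated before a plugin upgrade with one generated after and lists components whose license information disappeared. The two BOM fragments are constructed samples in CycloneDX JSON shape, and the function names and the `com.example` component are assumptions made for illustration.

```python
import json

def license_labels(component):
    """Collect license ids, names and expressions from one BOM component."""
    labels = set()
    for entry in component.get("licenses", []):
        if "expression" in entry:
            labels.add(entry["expression"])
        lic = entry.get("license", {})
        labels.update(lic[k] for k in ("id", "name") if k in lic)
    return labels

def index_by_ref(bom):
    """Map bom-ref -> license labels, walking nested components too."""
    out, stack = {}, list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        ref = comp.get("bom-ref") or comp.get("purl")
        if ref:
            out[ref] = license_labels(comp)
        stack.extend(comp.get("components", []))
    return out

def lost_licenses(old_bom, new_bom):
    """Components in both BOMs that had a license before and have none now."""
    old, new = index_by_ref(old_bom), index_by_ref(new_bom)
    return {ref: sorted(old[ref]) for ref in old.keys() & new.keys()
            if old[ref] and not new[ref]}

# Constructed sample data: "before" and "after" BOM fragments.
REF = "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar"
OTHER = "pkg:maven/com.example/demo-lib@1.0.0?type=jar"  # hypothetical component
OLD = json.loads(json.dumps({"components": [
    {"bom-ref": REF, "licenses": [
        {"license": {"name": "CDDL + GPLv2 with classpath exception"}}]},
    {"bom-ref": OTHER, "licenses": [{"license": {"id": "Apache-2.0"}}]},
]}))
NEW = json.loads(json.dumps({"components": [
    {"bom-ref": REF},  # license field absent, as described in the report
    {"bom-ref": OTHER, "licenses": [{"license": {"id": "Apache-2.0"}}]},
]}))

if __name__ == "__main__":
    for ref, labels in sorted(lost_licenses(OLD, NEW).items()):
        print(f"license lost: {ref} (was {labels})")
```

Run against real BOM files by loading each with `json.load` and failing the build when `lost_licenses` returns a non-empty result.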
Hello,
When using v1.8, the license was present for my legacy dependency (implementation("javax.annotation:javax.annotation-api:1.3.2")). This is no longer the case in 1.9: no license field is present in my BOM for the component with
"bom-ref" : "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar"
This may come from the transition from the javax to the jakarta group for new versions. But the old-version style exists.
Very easy to reproduce in a dummy project, with build.gradle.kts like this: