Closed alaindesilets closed 4 years ago
Hi, the blog post is pretty old :) You should check out the instructions in the official README instead.
Try launching `mvn licensescan:audit` after `mvn install`. It should work that way, as you didn't link the plugin to the `install` stage in the pom.
Also, the latest release version is 2.1, seems you are using a very old one.
/Carlo
Thx for the reply, Carlo. I modified the pom according to the official README instructions and now it works... sort of. See the attached pom.xml.txt file.
The reason I say "sort of" is that the build only shows a warning even though I set `failBuildOnBlacklisted` to true.
Please update to version 2.1 of the plugin?
> Please update to version 2.1 of the plugin?

That's what I am using. See the content of the pom below.

------- pom.xml -------------

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <!-- modelVersion is required by Maven; restored here so the pom validates -->
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>SpikeLicenseBlacklisting</artifactId>
  <version>1.0-SNAPSHOT</version>

  <pluginRepositories>
    <pluginRepository>
      <id>jitpack.io</id>
      <url>https://jitpack.io</url>
    </pluginRepository>
  </pluginRepositories>

  <build>
    <plugins>
      <plugin>
        <groupId>com.github.carlomorelli</groupId>
        <artifactId>licensescan-maven-plugin</artifactId>
        <version>2.1</version>
        <configuration>
          <printLicenses>true</printLicenses>
          <blacklistedLicenses>
            <license>GNU General Public License, v2.0</license>
            <license>GNU General Public License, v3.0</license>
            <license>.*Affero.*</license>
          </blacklistedLicenses>
          <failBuildOnBlacklisted>true</failBuildOnBlacklisted>
        </configuration>
        <executions>
          <execution>
            <!-- use your preferred goal, for me it makes sense to do the check at compile time -->
            <phase>compile</phase>
            <goals>
              <goal>audit</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <dependencies>
    <!-- This dependency is GPLed and should therefore be blacklisted -->
    <dependency>
      <groupId>edu.stanford.nlp</groupId>
      <artifactId>stanford-corenlp</artifactId>
      <version>3.9.2</version>
    </dependency>
  </dependencies>
</project>
```
I'm trying to guess here, but the only reason you don't see a build failure is that your configured blacklisted-licenses list is not correctly catching the GPL license statement. In the README it's explained that configuring the license list is tricky and error-prone: the plugin matches exact strings fetched from a package's metadata. To alleviate this you could try the supported regex as well. Please:
1) dump here a complete output of `mvn licensescan:audit` to let me better understand (you mention you see "warnings"?);
2) run `mvn site` on your own and verify what the exact license naming is in the Maven metadata of that package. Even a slight difference (e.g. a capital letter instead of a lowercase one) would not make the build fail.
I tried using some regexps but it doesn't seem to work either. Attached, please find:
You can define a regex for a license by prefixing the string with `regex:`, like this: `regex:Apache.*`
Try adding the prefix 'regex:' in the license filters, since you switched to regexes.
Also notice that, from your attached outputs, the exact filter to use is "GNU General Public License Version 3". Previously you were only catching version 2.0 or something. See the problem?

> Try adding the prefix 'regex:' in the license filters, since you switched to regexes.
It worked, thx!
You should probably change the sample pom.xml provided in the official README, as it contains the following line:
`<license>.*Affero.*</license>`
which suggests that you do not need to put the `regex:` prefix to specify a license regexp.
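For reference, here is the plugin configuration as it ends up after the fix discussed in this thread. This is an added illustration, not the project's README sample or the original poster's attached pom. The only plugin parameters it uses are the ones visible above (`printLicenses`, `blacklistedLicenses`/`license`, `failBuildOnBlacklisted`, the `audit` goal and the `regex:` prefix); the exact pattern text `GNU General Public License.*` is my choice, picked so that it covers the `GNU General Public License Version 3` string the metadata was shown to carry, whatever the plugin does with leading/trailing text.

```xml
<plugin>
  <groupId>com.github.carlomorelli</groupId>
  <artifactId>licensescan-maven-plugin</artifactId>
  <version>2.1</version>
  <configuration>
    <printLicenses>true</printLicenses>
    <blacklistedLicenses>
      <!--
        The entries below are what did NOT work in this thread: without a
        "regex:" prefix each entry is compared as an exact string against
        the license name in the dependency's metadata, and the metadata
        said "GNU General Public License Version 3", not ", v3.0".

        <license>GNU General Public License, v2.0</license>
        <license>GNU General Public License, v3.0</license>
        <license>.*Affero.*</license>
      -->

      <!-- Regex entries: the "regex:" prefix is what switches the entry
           from exact-string matching to a regular expression. -->
      <license>regex:GNU General Public License.*</license>
      <license>regex:.*Affero.*</license>
    </blacklistedLicenses>
    <!-- Turn a blacklist hit into a build failure rather than a warning. -->
    <failBuildOnBlacklisted>true</failBuildOnBlacklisted>
  </configuration>
  <executions>
    <execution>
      <phase>compile</phase>
      <goals>
        <goal>audit</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

One check worth keeping in your workflow: after changing a filter, run `mvn licensescan:audit` with `printLicenses` on and compare the printed license strings against each `regex:` entry, since a filter that matches nothing fails silently (the build stays green) rather than erroring out.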
Attached is a simple pom file (with a .txt extension because this issue tracker does not seem to support attachment of .xml files). The pom follows the instructions on this page:
https://carlomorelli.github.io/2018/04/01/Audit-licenses-in-your-Java-dependencies.html
and includes a GPL package (stanford corenlp). Yet, if I do `mvn install`, the command does not complain about the GPLed dependency (see attached fooinstall.txt file).
Is this a bug?
Thx.

Attachments: fooinstall.txt, pom.xml.txt