carlomorelli / licensescan-maven-plugin

Maven plugin for analysing the licenses in dependencies and transitive dependencies, asserting compatibility and potentially fail the build if forbidden licenses appear
MIT License
36 stars, 8 forks

Improve documentation #19

Closed alaindesilets closed 4 years ago

alaindesilets commented 4 years ago

Attached is a simple pom file (with .txt extension because this issue tracker does not support attachment of .xml files it seems). The pom follows the instructions on this page:

https://carlomorelli.github.io/2018/04/01/Audit-licenses-in-your-Java-dependencies.html

and includes a GPL package (stanford corenlp). Yet, if I do mvn install, the command does not complain about the GPLed dependency (see the attached fooinstall.txt file).

Is this a bug?

Thx.

fooinstall.txt

pom.xml.txt

carlomorelli commented 4 years ago

Hi, the blog post is pretty old :) You should check out the instructions in the official Readme instead.

Try launching 'mvn licensescan:audit' after mvn install. It should work that way, as you didn't link the plugin in the 'install' stage in the pom.

Also, the latest release version is 2.1, seems you are using a very old one.

/Carlo

alaindesilets commented 4 years ago

Thx for the reply Carlo. I modified the pom according to the official Readme instructions and now it works... sort of. See the attached pom.xml.txt file.

The reason I say "sort of" is that the build only shows a warning even though I set failBuildOnBlacklisted to true.

pom.xml.txt

carlomorelli commented 4 years ago

Please update to version 2.1 of the plugin?

alaindesilets commented 4 years ago

Please update to version 2.1 of the plugin?

That's what I am using. See the content of the pom below.

pom.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>SpikeLicenseBlacklisting</artifactId>
    <version>1.0-SNAPSHOT</version>

    <pluginRepositories>
        <pluginRepository>
            <id>jitpack.io</id>
            <url>https://jitpack.io</url>
        </pluginRepository>
    </pluginRepositories>

    <build>
        <plugins>
            <plugin>
                <groupId>com.github.carlomorelli</groupId>
                <artifactId>licensescan-maven-plugin</artifactId>
                <version>2.1</version>
                <configuration>
                    <printLicenses>true</printLicenses>
                    <blacklistedLicenses>
                        <license>GNU General Public License, v2.0</license>
                        <license>GNU General Public License, v3.0</license>
                        <license>.*Affero.*</license>
                    </blacklistedLicenses>
                    <failBuildOnBlacklisted>true</failBuildOnBlacklisted>
                </configuration>
                <executions>
                    <execution>
                        <!-- use your preferred goal, for me it makes sense to do the check at compile time -->
                        <phase>compile</phase>
                        <goals>
                            <goal>audit</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

    <dependencies>

        <!-- This dependency is GPLed and should therefore be blacklisted -->
        <dependency>
            <groupId>edu.stanford.nlp</groupId>
            <artifactId>stanford-corenlp</artifactId>
            <version>3.9.2</version>
        </dependency>

    </dependencies>

</project>
```

carlomorelli commented 4 years ago

I'm trying to guess here, but the only reason you don't see a build failure is that your configured blacklisted licenses list is not correctly catching the GPL license statement. In the Readme it's explained that configuring the license list is tricky and error prone: the plugin matches exact strings fetched from a package's metadata. To alleviate this you could try the supported regex as well. Please:

1) dump here the complete output of 'mvn licensescan:audit' to let me better understand (you mention you see 'warnings'?);

2) run 'mvn site' on your own and verify what the exact license naming is in the Maven metadata of that package. Even a slight difference (e.g. a capital letter instead of a lower-case one) would not make the build fail.

alaindesilets commented 4 years ago

I tried using some regexps but it doesn't seem to work either. Attached, please find:

foo-install.txt

foo-licenseaudit.txt

pom.xml.txt

carlomorelli commented 4 years ago

You can define a regex for a license by prefixing the string with "regex:" like this: regex:Apache.*.

Try adding the prefix 'regex:' in the license filters, since you switched to regexes.

Also notice that from your attached outputs, the exact filter to use is "GNU General Public License Version 3". Previously you were only catching the version 2.0 or something. See the problem?
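The two forms of the blacklist side by side, written out as an added example (this is not the project's README sample, and the license name "GNU General Public License Version 3" is taken from this thread; the exact strings your own dependencies carry must be checked with 'mvn site' or printLicenses, as Carlo suggests, because matching is done on the raw name in the dependency's POM metadata):

```xml
<!-- Added example, not the project's own README sample. Both <plugin>
     elements configure licensescan-maven-plugin 2.1 the same way except
     for the blacklist entries. -->

<!-- 1. Exact-string filters (the form in the pom posted above). Each
        entry must equal the <license><name> value in the dependency's
        POM metadata character for character, case included.
        "GNU General Public License, v3.0" is not the same string as
        "GNU General Public License Version 3" (the name this thread
        reports for stanford-corenlp), so nothing matched and the audit
        only printed a warning. Without the "regex:" prefix the entry
        ".*Affero.*" is compared literally too and never matches. -->
<plugin>
    <groupId>com.github.carlomorelli</groupId>
    <artifactId>licensescan-maven-plugin</artifactId>
    <version>2.1</version>
    <configuration>
        <printLicenses>true</printLicenses>
        <blacklistedLicenses>
            <license>GNU General Public License, v2.0</license>
            <license>GNU General Public License, v3.0</license>
            <license>.*Affero.*</license>
        </blacklistedLicenses>
        <failBuildOnBlacklisted>true</failBuildOnBlacklisted>
    </configuration>
    <executions>
        <execution>
            <phase>compile</phase>
            <goals>
                <goal>audit</goal>
            </goals>
        </execution>
    </executions>
</plugin>

<!-- 2. Regex filters, marked with the "regex:" prefix the plugin expects.
        The patterns are written so that they match whether the plugin
        tests the whole license name or searches for the pattern inside it
        (which of the two it does is not stated in this thread, hence the
        leading/trailing ".*"). -->
<plugin>
    <groupId>com.github.carlomorelli</groupId>
    <artifactId>licensescan-maven-plugin</artifactId>
    <version>2.1</version>
    <configuration>
        <printLicenses>true</printLicenses>
        <blacklistedLicenses>
            <!-- Catches "GNU General Public License Version 3" and
                 "GNU General Public License, v2.0"-style names alike.
                 It deliberately does not catch "GNU Lesser General Public
                 License ...", since LGPL is usually acceptable; add a
                 separate entry if you want LGPL blocked as well. -->
            <license>regex:GNU General Public License.*</license>
            <license>regex:.*Affero.*</license>
        </blacklistedLicenses>
        <failBuildOnBlacklisted>true</failBuildOnBlacklisted>
    </configuration>
    <executions>
        <execution>
            <phase>compile</phase>
            <goals>
                <goal>audit</goal>
            </goals>
        </execution>
    </executions>
</plugin>
```

Because the entries are case-sensitive literal or regex matches against whatever name the dependency's author wrote into its POM, it is worth running the audit once with printLicenses enabled and reading the reported names before trusting that a blacklist covers them; a license spelled in upper case or with a different version suffix silently falls through an exact-string entry.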

alaindesilets commented 4 years ago

Try adding the prefix 'regex:' in the license filters, since you switched to regexes.

It worked, thx!

You should probably change the sample pom.xml provided in the official README as it contains the following line:

<license>.*Affero.*</license>

which suggests that you do not need to put the regex: prefix to specify a license regexp