License Finder not able to handle snapshot versions properly #1050

Open
PreHCM-MiBo opened this issue Oct 25, 2024 · 0 comments
Description

We are using mvn with snapshot versions in our projects and want to use License Finder to identify the licenses. Since we often use snapshots for in-house libraries during development, License Finder plays a vital role in ensuring proper license identification.

However, we are facing the following error when dealing with snapshot versions:

/usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:45:in `read': No such file or directory @ rb_sysopen - /root/.m2/repository/XX/XXXX/YY-TOOL/MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR/YY-TOOL-MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR.pom ((Errno::ENOENT)
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:45:in `read'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:45:in `add_info_from_pom'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:40:in `add_info_from_m2'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:21:in `block in dependencies'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:21:in `each'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:21:in `dependencies'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_managers/maven.rb:27:in `current_packages'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_manager.rb:105:in `current_packages_with_relations'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/scanner.rb:42:in `each'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/scanner.rb:42:in `flat_map'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/scanner.rb:42:in `active_packages'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/core.rb:84:in `current_packages'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/core.rb:79:in `decision_applier'
        from /usr/lib/ruby/3.3.0/forwardable.rb:234:in `any_packages?'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/license_aggregator.rb:17:in `block in any_packages?'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/license_aggregator.rb:15:in `map'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/license_aggregator.rb:15:in `any_packages?'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/cli/main.rb:121:in `action_items'
        from /usr/lib/ruby/gems/3.3.0/gems/thor-1.3.2/lib/thor/command.rb:28:in `run'
        from /usr/lib/ruby/gems/3.3.0/gems/thor-1.3.2/lib/thor/invocation.rb:127:in `invoke_command'
        from /usr/lib/ruby/gems/3.3.0/gems/thor-1.3.2/lib/thor.rb:538:in `dispatch'
        from /usr/lib/ruby/gems/3.3.0/gems/thor-1.3.2/lib/thor/base.rb:584:in `start'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/bin/license_finder:6:in `<top (required)>'
        from /usr/bin/license_finder:25:in `load'
        from /usr/bin/license_finder:25:in `<main>'

The underlying job, mvn org.codehaus.mojo:license-maven-plugin:download-licenses, creates a licenses.xml under the build folder "target" with the following entry:

<dependency>
  <groupId>XX.XXXX</groupId>
  <artifactId>YY-TOOL</artifactId>
  <version>MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR</version>
  <licenses>
    <!-- No license information available. -->
  </licenses>
</dependency>

The dependency is specified in the POM in the following way:

<dependency>
  <groupId>XX.XXXX</groupId>
  <artifactId>YY-TOOL</artifactId>
  <version>MAJOR.MINOR-SNAPSHOT</version>
</dependency>

Problem

I am unable to proceed with the license check due to this issue. Here are my observations:

  • The POM file does not exist at the expected location. It is actually located under: /root/.m2/repository/XX/XXXX/YY-TOOL/MAJOR.MINOR-SNAPSHOT/YY-TOOL-MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR.pom.
  • License Finder seems to be fetching the information from a different source.
  • The underlying job mvn org.codehaus.mojo:license-maven-plugin:download-licenses executes without any issues.
  • When switching from a snapshot version to a proper release version, this problem does not occur. However, requiring all development teams to always use release versions is not a feasible or desired solution.
  • We use GitLab as a Package Registry.

Desired Solution

License Finder should properly support snapshot versions by searching for them in the correct directory.

Steps to Reproduce

  1. Use License Finder with Maven in a project that uses snapshot versions for in-house libraries.
  2. Observe the "No such file or directory" error pointing to the wrong POM location.

Expected Behavior

License Finder should correctly locate and handle snapshot versions during the license check process.

Please let me know if you need more information or if there are specific logs I can provide to assist in debugging this issue.
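Added example, not part of the original issue and not License Finder's own code: a standalone Ruby sketch of the path resolution the report asks for, mapping a timestamped snapshot version to the `<base>-SNAPSHOT` directory in the local repository and returning nil when no POM exists, so a scanner can report an unknown license instead of aborting. The coordinates (`com.example`, `demo-tool`), the function names and the fallback to a `-SNAPSHOT.pom` file name are assumptions made for illustration.

```ruby
require 'fileutils'
require 'tmpdir'

# Maven timestamped snapshot version: <base>-<yyyyMMdd.HHmmss>-<buildNumber>
TIMESTAMPED_SNAPSHOT = /\A(?<base>.+)-\d{8}\.\d{6}-\d+\z/

# Directory name used under the local repository for this version:
# timestamped snapshots live in "<base>-SNAPSHOT", anything else in the
# version string itself.
def m2_version_dir(version)
  m = TIMESTAMPED_SNAPSHOT.match(version)
  m ? "#{m[:base]}-SNAPSHOT" : version
end

# Candidate POM paths, most specific first. The second name (assumption)
# covers a POM stored under the plain -SNAPSHOT file name.
def candidate_pom_paths(m2_root, group_id, artifact_id, version)
  dir_name = m2_version_dir(version)
  dir = File.join(m2_root, *group_id.split('.'), artifact_id, dir_name)
  names = ["#{artifact_id}-#{version}.pom", "#{artifact_id}-#{dir_name}.pom"].uniq
  names.map { |name| File.join(dir, name) }
end

# Returns the first existing POM path, or nil so the caller can record the
# package with an unknown license rather than raising Errno::ENOENT.
def locate_pom(m2_root, group_id, artifact_id, version)
  candidate_pom_paths(m2_root, group_id, artifact_id, version).find { |p| File.file?(p) }
end

# Constructed sample repository mirroring the layout described in the report.
def build_sample_repo(root)
  snap = File.join(root, 'com', 'example', 'demo-tool', '1.4-SNAPSHOT')
  rel = File.join(root, 'com', 'example', 'demo-tool', '1.3')
  FileUtils.mkdir_p([snap, rel])
  FileUtils.touch(File.join(snap, 'demo-tool-1.4-20241025.101500-3.pom'))
  FileUtils.touch(File.join(rel, 'demo-tool-1.3.pom'))
  root
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    build_sample_repo(root)
    puts locate_pom(root, 'com.example', 'demo-tool', '1.4-20241025.101500-3')
    puts locate_pom(root, 'com.example', 'demo-tool', '1.3')
    p locate_pom(root, 'com.example', 'demo-tool', '9.9-20240101.000000-1')
  end
end
```
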
