
sbt-license-report's Introduction


sbt

sbt is a build tool for Scala, Java, and more.

For general documentation, see https://www.scala-sbt.org/.

sbt 1.x

This is the 1.x series of sbt. The source code of sbt is split across several GitHub repositories, including this one.

  • sbt/io hosts sbt.io module.
  • sbt/librarymanagement hosts sbt.librarymanagement module that wraps Ivy.
  • sbt/zinc hosts Zinc, an incremental compiler for Scala.
  • sbt/sbt, this repository, hosts modules that implement the build tool.

Other links

  • Setup: Describes getting started with the latest binary release.
  • FAQ: Explains how to get help and more.
  • sbt/sbt-zero-seven: hosts sbt 0.7.7 and earlier versions

Issues and Pull Requests

Please read CONTRIBUTING carefully before opening a GitHub Issue.

The short version: try searching or asking on StackOverflow.

license

See LICENSE.

sbt-license-report's People

Contributors

akilegaspi, benmccann, ckipp01, dependabot[bot], dwijnand, eed3si9n, ep-skolberg, havocp, jsuereth, kbedel, ktoso, liff, mdedetrich, mkurz, mpilquist, mzuehlke, onmomo, scala-steward, xuwei-k, ybasket


sbt-license-report's Issues

Cut new release

There's been a few fixes recently. It'd be good to cut a new release after #26 is merged

How to add a manual license to the report

I am trying to add a license to the report, where no ivy dependency exists (project is included). Here is my attempt:

    updateLicenses := {
      val regular = updateLicenses.value
      val plexLic = DepLicense(
        DepModuleInfo("com.ibm", "plex-mono", "4.0.2"),
        LicenseInfo(LicenseCategory("OFL"), name = "SIL Open Font License 1.1",
          url = "https://opensource.org/licenses/OFL-1.1"
        ),
        configs = Set(Test.name, Compile.name) // .empty
      )
      regular.copy(licenses = regular.licenses :+ plexLic)
    },

However, while I can verify that the code is executed when I run dumpLicenseReport, the new license doesn't show up in the CSV. What am I doing wrong?

Dependency resolution fails, looking for version "working@HOSTNAME"

sbt: 1.9.9
sbt-license-report: 1.6.1

I am getting the following error when running dumpLicenseReport. Could you guide me as to where the wrong version "working@98df71d077cd" is coming from?

The following block repeats for every dependency in the sbt project.

...
[error]         local: unhandled revision => working@98df71d077cd
[error]         maven-proxy-releases: unhandled revision => working@98df71d077cd
[error]         ivy-proxy-releases: unhandled revision => working@98df71d077cd
...
[warn]  module not found: junit#junit;working@98df71d077cd
[warn] ==== local: tried
[warn] ==== maven-proxy-releases: tried
[warn] ==== ivy-proxy-releases: tried
...

Parent POM License

Some artifacts specify their license in their parent POM. That information should propagate.

Include licensing from parent pom

The report doesn't print a license for about half my dependencies. This appears to be because they're popular libraries with many components and because there are so many components they just put the licensing information once in the parent pom, which the report seems to miss. Here are a couple examples:

io.dropwizard.metrics # metrics-json # 3.1.1 
com.fasterxml.jackson.core # jackson-databind # 2.5.3 

Provide ability to override the report filename format.

Currently the report file format is new File(config.reportDir, s"${title}.${language.ext}"), where title is the value of the setting licenseReportTitle. If your title is something like "Third-Party Licenses", it may be that one would rather the report be named third-party-licenses.html instead of Third-Party Licenses.html (which requires having the space escaped).

Support dual licenses

Logback shows up as LGPL but it is dual licensed with EPL.

The MANIFEST.MF contains:

Bundle-License: http://www.eclipse.org/legal/epl-v10.html, http://www.
 gnu.org/licenses/old-licenses/lgpl-2.1.html

Support Multiple Licenses

Some libraries are dual (or more) licensed. But the report picks one. This is the case with ch.qos.logback % logback-parent % 1.2.3 which is EPL and LGPL licensed.

Libraries reported as "unrecognized" / "none specified" when retrieving from local ivy

For example, in Mellite:

git clone https://github.com/Sciss/Mellite.git
cd Mellite
git checkout v2.40.0
sbt mellite-app/dumpLicenseReport

gives

cat app/target/license-reports/mellite-app-licenses.md | grep AGPL
GPL | [AGPL v3+](http://www.gnu.org/licenses/agpl-3.0.txt) | de.sciss # patterns-core_2.12 # 0.15.1 | <notextile></notextile>
GPL | [AGPL v3+](http://www.gnu.org/licenses/agpl-3.0.txt) | de.sciss # patterns-lucre_2.12 # 0.15.1 | <notextile></notextile>

but

$ cat app/target/license-reports/mellite-app-licenses.md | grep unrecognized
unrecognized | [GNU Lesser General Public Licence](http://www.gnu.org/licenses/lgpl.txt) | de.sciss # scala-chart_2.12 # 0.7.1 | <notextile></notextile>
unrecognized | [GNU Lesser General Public Licence](http://www.gnu.org/licenses/lgpl.txt) | org.jfree # jcommon # 1.0.23 | <notextile></notextile>
unrecognized | [GNU Lesser General Public Licence](http://www.gnu.org/licenses/lgpl.txt) | org.jfree # jfreechart # 1.0.19 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # fscape-core_2.12 # 2.31.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # fscape-lucre_2.12 # 2.31.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # fscape-views_2.12 # 2.31.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-adjunct_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-base_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-bdb_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-confluent_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-core_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-data_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-expr_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-geom_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-swing_2.12 # 1.19.1 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-synth_2.12 # 3.32.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # negatum-core_2.12 # 0.10.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # negatum-views_2.12 # 0.10.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-compression_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-core_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-lucre_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-swing_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-views_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # soundprocesses-compiler_2.12 # 3.32.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # soundprocesses-core_2.12 # 3.32.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # soundprocesses-views_2.12 # 3.32.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # span_2.12 # 1.4.3 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # wolkenpumpe-basic_2.12 # 2.37.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # wolkenpumpe-core_2.12 # 2.37.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | lucene # lucene # 1.4.3 | <notextile></notextile>

If I take the successful example, patterns, and one that fails, fscape, and compare their maven poms, I cannot spot a single difference:

The license information is identical:

    <licenses>
        <license>
            <name>AGPL v3+</name>
            <url>http://www.gnu.org/licenses/agpl-3.0.txt</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

So why do I get all these recognition failures?

Licenses resulting from test dependencies should be marked as such

It appears to me that the report does not distinguish between licenses for main dependencies and test dependencies. I believe it's perfectly valid for example to have a project whose test dependencies contain a library licensed under GPL without requiring the project to be covered by GPL, because neither test sources nor test binaries are published. I therefore suggest to either mark licenses that result from test dependencies or simply to remove them.

Make report work with `CrossScalaVersions` and also add a `Scala version` column

Currently when sbt-license-report generates a report, it only uses the current Scala version, whereas ideally we should aggregate the dependencies from all Scala versions, as it's possible for projects to resolve dependencies differently based on the Scala version. Similarly, a Scala version column should also be added as an option for those projects which do happen to resolve dependencies differently based on CrossScalaVersion.

Thankfully we don't need to explicitly handle the common use case where dependencies are the same across different Scala versions, since #57 added the functionality that filters out all duplicates.

Problems resolving license information from parent POM

Using version 1.0.0 of sbt-license-report it seems to have an issue with resolving license information set in the parent POM of a project. For many Apache projects sbt-license-report is unable to determine the license of the project. A good example is Apache Commons IO (https://repo1.maven.org/maven2/commons-io/commons-io/2.4/commons-io-2.4.pom). The POM of Commons IO relies on the license information provided by the parent POM but is reported as not specified by sbt-license-report.

So, it would be great if sbt-license-report would be able to use also licence information provided by a parent POM.

Maven placeholder is not replaced.

Having a pom such as this
https://repo1.maven.org/maven2/org/keycloak/keycloak-adapter-core/23.0.0/keycloak-adapter-core-23.0.0.pom

<dependency>
     <groupId>org.keycloak</groupId>
     <artifactId>${keycloak.crypto.artifactId}</artifactId>
</dependency>

will lead to:

(updateLicenses) sbt.librarymanagement.ResolveException: unresolved dependency: org.keycloak#${keycloak.crypto.artifactId};working@company: java.net.URISyntaxException: Illegal character in path at index 64: https://nexus.io/repository/company-central/org/keycloak/${keycloak.crypto.artifactId}/working@company/${keycloak.crypto.artifactId}[email protected]

Evicted libraries incorrectly included in report

I'm seeing lots of duplicate libraries in my report. E.g.

none specified com.google.http-client # google-http-client # 1.19.0
none specified com.google.http-client # google-http-client # 1.20.0

It doesn't seem necessary to include evicted libraries in the license report since they're not actually being used. In this case we could just include 1.20.0.

Scala2.13

Thank you for a great product!
Recently we've upgraded the Scala version of our product to 2.13, and then sbt-license-report fails on

sbt.librarymanagement.ResolveException: Error downloading com.typesafe.sbt:sbt-license-report;sbtVersion=1.0;scalaVersion=2.13:1.2.0
 :
not found: https://repo1.maven.org/maven2/com/typesafe/sbt/sbt-license-report_2.13_1.0/1.2.0/sbt-license-report-1.2.0.pom
 :

Do you have some plans to support scala 2.13 in your product?
Thanks,

artifact no longer found

hi there,

current sbt cannot locate the plugin after bintray shutdown:

[error] Error downloading com.typesafe.sbt:sbt-license-report;sbtVersion=1.0;scalaVersion=2.12:1.2.0
[error]   Not found
[error]   Not found
[error]   not found: ~/.ivy2/local/com.typesafe.sbt/sbt-license-report/scala_2.12/sbt_1.0/1.2.0/ivys/ivy.xml
[error]   not found: https://repo1.maven.org/maven2/com/typesafe/sbt/sbt-license-report_2.12_1.0/1.2.0/sbt-license-report-1.2.0.pom

can you publish to sonatype, or is there an alternative resolver?

Support dependency resolution using coursier

Currently, the plugin resolves the dependencies using ivy resolver. Our builds only work with coursier, therefore we noticed sbt failing to resolve the dependencies.

The plugin seems not maintained anymore. Any pointers on how the plugin could be improved to respect the actual sbt dependency resolution configuration?

Use `value` instead of `DependencyResolution`

As explained in #86 it would be ideal to just use the update task in order to retrieve the dependencies from the report however we are blocked by coursier/coursier#1790 (tl;dr coursier doesn't populate license information from ivy.xml descriptor files).

Using Ivy Resolution is also causing other problems, i.e. for dependencies that use packaging.type there is a workaround at sbt/sbt#3618 (comment); however, this doesn't seem to work with ivy resolution done by sbt plugins (I think that because of classloader isolation maybe the system properties aren't propagating?)

Add a link to the homepage of a dependency.

The report identifies a dependency to an artifact via its GAV coordinates; e.g:

Apache | [Apache 2](http://www.apache.org/licenses/LICENSE-2.0.html) | com.typesafe.sbt # sbt-license-report # 1.0.0 | <notextile></notextile>

It would be nice if the GAV coordinates identifying an artifact were a link to that artifact's homepage (if available); e.g.:

Apache | [Apache 2](http://www.apache.org/licenses/LICENSE-2.0.html) | [com.typesafe.sbt # sbt-license-report # 1.0.0](https://github.com/sbt/sbt-license-report) | <notextile></notextile>

Aggregate report

It would be nice to be able to export an aggregated report for a multimodule project where the root has .aggregate(...) set up.

Ability to specify license information for unmanaged dependencies

Right now, it looks like license information only comes from managed dependencies via Ivy. This means that any unmanaged dependencies are not part of the report. It would be nice if there was an easy way to specify the license information in the sbt configuration for unmanaged dependencies so the license report could be complete.
