sbt / sbt-license-report
Report on licenses used in an sbt project.
The report doesn't print a license for about half my dependencies. This appears to be because they're popular libraries with many components, and because there are so many components they just put the licensing information once in the parent POM, which the report seems to miss. Here are a couple of examples:
io.dropwizard.metrics # metrics-json # 3.1.1
com.fasterxml.jackson.core # jackson-databind # 2.5.3
Would be nice to have a standardized means of marking a license as non-permissive.
The license for junit is not being printed out despite the license being in the pom file
Thank you for the great product!
Recently we upgraded the Scala version of our product to 2.13, and now sbt-license-report fails with:

```
sbt.librarymanagement.ResolveException: Error downloading com.typesafe.sbt:sbt-license-report;sbtVersion=1.0;scalaVersion=2.13:1.2.0
  not found: https://repo1.maven.org/maven2/com/typesafe/sbt/sbt-license-report_2.13_1.0/1.2.0/sbt-license-report-1.2.0.pom
```

Do you have any plans to support Scala 2.13?
Thanks,
The report identifies a dependency on an artifact via its GAV coordinates, e.g.:
Apache | [Apache 2](http://www.apache.org/licenses/LICENSE-2.0.html) | com.typesafe.sbt # sbt-license-report # 1.0.0 | <notextile></notextile>
It would be nice if the GAV coordinates identifying an artifact were a link to that artifact's homepage (if available); e.g.:
Apache | [Apache 2](http://www.apache.org/licenses/LICENSE-2.0.html) | [com.typesafe.sbt # sbt-license-report # 1.0.0](https://github.com/sbt/sbt-license-report) | <notextile></notextile>
Using version 1.0.0 of sbt-license-report, it seems to have an issue resolving license information set in the parent POM of a project. For many Apache projects sbt-license-report is unable to determine the license of the project. A good example is Apache Commons IO (https://repo1.maven.org/maven2/commons-io/commons-io/2.4/commons-io-2.4.pom). The POM of Commons IO relies on the license information provided by the parent POM, but the license is reported as not specified by sbt-license-report.
So it would be great if sbt-license-report were also able to use license information provided by a parent POM.
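The parent-POM fallback the two reports above ask for, written out as an added example in Python (this is not code from sbt-license-report, which is a Scala plugin): it reads `<licenses>` from a POM and, when the POM declares none, follows `<parent>` until it finds a declaration, and refuses to continue through parent coordinates that are incomplete or still contain an uninterpolated `${...}` property. The `org.example` coordinates and POM texts are constructed for the demonstration, and `fetch_pom` stands in for a repository lookup so the example runs offline.

```python
"""Resolve an artifact's licenses, following <parent> when the POM declares none.

Added example, not code from sbt-license-report. Coordinates and POM texts
are constructed; fetch_pom() replaces a repository lookup (Python 3.8+ for
the {*} namespace wildcard).
"""
import xml.etree.ElementTree as ET

MAX_PARENT_DEPTH = 10  # hard stop even if a repository served a cyclic chain


def _text(elem, tag):
    """Stripped text of the first child named `tag`, in the POM namespace or none."""
    child = elem.find(f"{{*}}{tag}")
    return child.text.strip() if child is not None and child.text else None


def licenses_declared(pom_xml):
    """Licenses the POM itself declares; an empty <licenses/> counts as undeclared here."""
    root = ET.fromstring(pom_xml)
    return [{"name": _text(lic, "name"), "url": _text(lic, "url")}
            for lic in root.findall("{*}licenses/{*}license")]


def parent_coordinates(pom_xml):
    """(groupId, artifactId, version) of <parent>, or None when the POM has no parent."""
    root = ET.fromstring(pom_xml)
    parent = root.find("{*}parent")
    if parent is None:
        return None
    coords = (_text(parent, "groupId"), _text(parent, "artifactId"), _text(parent, "version"))
    # Never build a repository path from a placeholder such as ${revision}.
    if any(c is None or "${" in c for c in coords):
        raise ValueError(f"parent coordinates incomplete or uninterpolated: {coords}")
    return coords


def resolve_licenses(coords, fetch_pom):
    """Walk the parent chain; return (licenses, chain_of_coordinates_consulted)."""
    chain = []
    for _ in range(MAX_PARENT_DEPTH):
        if coords in chain:
            raise ValueError(f"cyclic parent chain: {chain + [coords]}")
        chain.append(coords)
        pom = fetch_pom(*coords)
        found = licenses_declared(pom)
        if found:
            return found, chain
        coords = parent_coordinates(pom)
        if coords is None:
            return [], chain  # reached a root POM without any license declaration
    raise ValueError(f"parent chain longer than {MAX_PARENT_DEPTH}: {chain}")


# Constructed POMs keyed by (groupId, artifactId, version). None of these are real artifacts.
POMS = {
    ("org.example", "example-parent", "7"): """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>example-parent</artifactId><version>7</version>
  <licenses><license>
    <name>Apache License, Version 2.0</name>
    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
  </license></licenses>
</project>""",
    ("org.example", "child-lib", "1.0"): """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.example</groupId><artifactId>example-parent</artifactId><version>7</version></parent>
  <artifactId>child-lib</artifactId><version>1.0</version>
</project>""",
    ("org.example", "orphan-lib", "2.1"): """<project>
  <groupId>org.example</groupId><artifactId>orphan-lib</artifactId><version>2.1</version>
</project>""",
    ("org.example", "broken-lib", "0.1"): """<project>
  <parent><groupId>org.example</groupId><artifactId>example-parent</artifactId><version>${revision}</version></parent>
  <artifactId>broken-lib</artifactId><version>0.1</version>
</project>""",
}


def fetch_pom(group, artifact, version):
    """Stand-in for a repository request; looks the POM up in the constructed dict."""
    return POMS[(group, artifact, version)]


if __name__ == "__main__":
    for coords in (("org.example", "child-lib", "1.0"), ("org.example", "orphan-lib", "2.1")):
        licenses, chain = resolve_licenses(coords, fetch_pom)
        print(coords, "->", licenses or "none specified", "via", chain)
```

Swapping `fetch_pom` for a function that downloads `<group path>/<artifact>/<version>/<artifact>-<version>.pom` from the configured repository turns this into a real check; the depth limit and the `${...}` guard are what keep a malformed or hostile POM from turning the walk into unbounded or malformed requests.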
This repo finally needs to be migrated to the com.github.sbt groupId with sbt-ci-release set up. I can do the ci-release setup part, however @eed3si9n or @SethTisue can you add the secrets?
Originally posted by @mkurz in #49 (comment)
For example, in Mellite:

```shell
git clone https://github.com/Sciss/Mellite.git
cd Mellite
git checkout v2.40.0
sbt mellite-app/dumpLicenseReport
```

gives

```shell
$ cat app/target/license-reports/mellite-app-licenses.md | grep AGPL
GPL | [AGPL v3+](http://www.gnu.org/licenses/agpl-3.0.txt) | de.sciss # patterns-core_2.12 # 0.15.1 | <notextile></notextile>
GPL | [AGPL v3+](http://www.gnu.org/licenses/agpl-3.0.txt) | de.sciss # patterns-lucre_2.12 # 0.15.1 | <notextile></notextile>
```
but
```shell
$ cat app/target/license-reports/mellite-app-licenses.md | grep unrecognized
unrecognized | [GNU Lesser General Public Licence](http://www.gnu.org/licenses/lgpl.txt) | de.sciss # scala-chart_2.12 # 0.7.1 | <notextile></notextile>
unrecognized | [GNU Lesser General Public Licence](http://www.gnu.org/licenses/lgpl.txt) | org.jfree # jcommon # 1.0.23 | <notextile></notextile>
unrecognized | [GNU Lesser General Public Licence](http://www.gnu.org/licenses/lgpl.txt) | org.jfree # jfreechart # 1.0.19 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # fscape-core_2.12 # 2.31.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # fscape-lucre_2.12 # 2.31.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # fscape-views_2.12 # 2.31.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-adjunct_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-base_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-bdb_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-confluent_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-core_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-data_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-expr_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-geom_2.12 # 3.15.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-swing_2.12 # 1.19.1 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # lucre-synth_2.12 # 3.32.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # negatum-core_2.12 # 0.10.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # negatum-views_2.12 # 0.10.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-compression_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-core_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-lucre_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-swing_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # scalafreesound-views_2.12 # 1.21.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # soundprocesses-compiler_2.12 # 3.32.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # soundprocesses-core_2.12 # 3.32.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # soundprocesses-views_2.12 # 3.32.2 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # span_2.12 # 1.4.3 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # wolkenpumpe-basic_2.12 # 2.37.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # wolkenpumpe-core_2.12 # 2.37.0 | <notextile></notextile>
unrecognized | [none specified](none specified) | lucene # lucene # 1.4.3 | <notextile></notextile>
```
If I take the successful example, patterns, and one that fails, fscape, and compare their Maven POMs, I cannot spot a single difference. The license information is identical:

```xml
<licenses>
  <license>
    <name>AGPL v3+</name>
    <url>http://www.gnu.org/licenses/agpl-3.0.txt</url>
    <distribution>repo</distribution>
  </license>
</licenses>
```

So why do I get all these recognition failures?
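Whatever the cause of the `unrecognized` rows, a build should not have to trust the category column alone. The following added example (Python, not part of sbt-license-report or Mellite) parses the markdown rows `dumpLicenseReport` produces and fails on copyleft or undeclared licenses. It detects copyleft from the license name and URL, so the LGPL rows above are caught even though they are filed under `unrecognized`, and it gives the request earlier in this thread for a standard way to mark a license as non-permissive a concrete shape. The allow-list and patterns are this example's own policy, not the plugin's; the rows under `org.example` are constructed.

```python
"""Policy gate over a dumpLicenseReport markdown table.

Added example, not code from sbt-license-report. Assumes the row layout shown
in this thread:
    Category | [Name](url) | group # artifact # version | <notextile>notes</notextile>
The permissive allow-list and the copyleft patterns are this example's own
policy choices.
"""
import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r"^\s*(?P<category>[^|]+?)\s*\|"
    r"\s*\[(?P<name>[^\]]*)\]\((?P<url>[^)]*)\)\s*\|"
    r"\s*(?P<group>[^\s#|]+)\s*#\s*(?P<artifact>[^\s#|]+)\s*#\s*(?P<version>[^\s#|]+)\s*\|"
    r"\s*(?:<notextile>(?P<notes>.*?)</notextile>)?\s*$"
)

# Policy (ours, not the plugin's): report categories accepted without review.
PERMISSIVE_CATEGORIES = {"Apache", "BSD", "MIT", "Mozilla", "CC0"}
# Copyleft is detected from the license name and URL, not only from the category
# column, because the report above files LGPL under "unrecognized".
COPYLEFT_RE = re.compile(r"\b[al]?gpl\b|general public licen[cs]e")


@dataclass(frozen=True)
class Finding:
    coordinates: str
    category: str
    license: str
    reason: str


def parse_rows(report_text):
    """Yield one dict per data row; header, separator and prose lines do not match."""
    for line in report_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield {k: (v or "").strip() for k, v in m.groupdict().items()}


def classify(row):
    """Return the policy violation for a row, or None if the row is acceptable."""
    name, url, category = row["name"], row["url"], row["category"]
    if name.lower() == "none specified" or url.lower() in ("", "none specified"):
        return "no license in the resolved descriptor; check the parent POM or MANIFEST.MF by hand"
    if COPYLEFT_RE.search(f"{name} {url}".lower()):
        return f"copyleft license '{name}' (category column says '{category}')"
    if category not in PERMISSIVE_CATEGORIES:
        return f"category '{category}' is not on the permissive allow-list"
    return None


def audit_report(report_text):
    """Return a Finding for every row that violates the policy, in report order."""
    findings = []
    for row in parse_rows(report_text):
        reason = classify(row)
        if reason:
            coords = f"{row['group']} # {row['artifact']} # {row['version']}"
            findings.append(Finding(coords, row["category"], row["name"], reason))
    return findings


def report_passes(report_text):
    return not audit_report(report_text)


# Constructed sample: four rows copied from this thread plus two made-up
# org.example rows (one permissive, one EPL) so that every branch is exercised.
SAMPLE_REPORT = """\
Category | License | Dependency | Notes
--- | --- | --- | ---
Apache | [Apache 2](http://www.apache.org/licenses/LICENSE-2.0.html) | com.typesafe.sbt # sbt-license-report # 1.0.0 | <notextile></notextile>
GPL | [AGPL v3+](http://www.gnu.org/licenses/agpl-3.0.txt) | de.sciss # patterns-core_2.12 # 0.15.1 | <notextile></notextile>
unrecognized | [GNU Lesser General Public Licence](http://www.gnu.org/licenses/lgpl.txt) | org.jfree # jfreechart # 1.0.19 | <notextile></notextile>
unrecognized | [none specified](none specified) | de.sciss # fscape-core_2.12 # 2.31.0 | <notextile></notextile>
BSD | [BSD 3-Clause](https://opensource.org/licenses/BSD-3-Clause) | org.example # constructed-bsd-lib # 1.0 | <notextile></notextile>
unrecognized | [Eclipse Public License 1.0](http://www.eclipse.org/legal/epl-v10.html) | org.example # constructed-epl-lib # 1.0 | <notextile></notextile>
"""

if __name__ == "__main__":
    import sys
    for f in audit_report(SAMPLE_REPORT):
        print(f"{f.coordinates}: {f.reason}")
    sys.exit(0 if report_passes(SAMPLE_REPORT) else 1)
```

Run against `target/license-reports/<title>.md` after `dumpLicenseReport`, the non-zero exit turns the report into a CI gate; the "none specified" branch deliberately fails closed, since an undeclared license is the case this thread shows the plugin getting wrong most often.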
As explained in #86 it would be ideal to just use the `update` task in order to retrieve the dependencies for the report, however we are blocked by coursier/coursier#1790 (tl;dr coursier doesn't populate license information from ivy.xml descriptor files).
Using Ivy resolution is also causing other problems, i.e. for dependencies that use `packaging.type` there is a workaround at sbt/sbt#3618 (comment), however this doesn't seem to work with Ivy resolution done by sbt plugins (I think that because of classloader isolation maybe the system properties aren't propagating?).
Given the poor handling of the recent security incident (https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/) I'm suspending Travis CI integration indefinitely.
Let's move on to GitHub Actions.
sbt: 1.9.9
sbt-license-report: 1.6.1
I am getting the following error when running `dumpLicenseReport`. Could you guide me as to where the wrong version "working@98df71d077cd" is coming from? The following block repeats for every dependency in the sbt project.

```
...
[error] local: unhandled revision => working@98df71d077cd
[error] maven-proxy-releases: unhandled revision => working@98df71d077cd
[error] ivy-proxy-releases: unhandled revision => working@98df71d077cd
...
[warn] module not found: junit#junit;working@98df71d077cd
[warn] ==== local: tried
[warn] ==== maven-proxy-releases: tried
[warn] ==== ivy-proxy-releases: tried
...
```
Some libraries are dual (or more) licensed, but the report picks one. This is the case with ch.qos.logback % logback-parent % 1.2.3, which is EPL and LGPL licensed.
Logback shows up as LGPL but it is dual licensed with EPL.
The MANIFEST.MF contains:

```
Bundle-License: http://www.eclipse.org/legal/epl-v10.html, http://www.
 gnu.org/licenses/old-licenses/lgpl-2.1.html
```
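Reading the OSGi header directly recovers both licenses. This added example (Python, not code from sbt-license-report or Logback) unfolds MANIFEST.MF continuation lines, which is why the URL above is split after `http://www.`, and splits `Bundle-License` into its comma-separated clauses while keeping commas inside a quoted `description` attribute intact. The manifest texts are constructed; the first reproduces the wrapped header quoted above under a made-up bundle name.

```python
"""Read Bundle-License from a JAR's MANIFEST.MF, honouring continuation lines.

Added example, not code from sbt-license-report or Logback. A manifest line
that begins with a single space continues the previous header's value; the
manifest texts below are constructed for the demonstration.
"""


def parse_manifest(text):
    """Headers of the main manifest section as a dict, with wrapped values unfolded."""
    headers = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # a blank line ends the main section; per-entry sections follow
        if raw.startswith(" "):
            if current is None:
                raise ValueError("continuation line before any header")
            headers[current] += raw[1:]  # drop exactly the one leading space
            continue
        name, sep, value = raw.partition(":")  # first ':' only; values may contain URLs
        if not sep:
            raise ValueError(f"malformed manifest line: {raw!r}")
        current = name.strip()
        headers[current] = value.lstrip(" ")
    return headers


def _split_clauses(value):
    """Split on commas that are not inside double quotes."""
    clauses, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            clauses.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    clauses.append("".join(buf).strip())
    return [c for c in clauses if c]


def bundle_licenses(manifest_text):
    """One dict per Bundle-License clause: {'license': <name or URL>, <attr>: <value>, ...}.

    Attributes are split on ';' and quotes stripped; a ';' inside a quoted
    description is not handled, which is acceptable for a license audit.
    """
    value = parse_manifest(manifest_text).get("Bundle-License")
    if value is None:
        return []
    entries = []
    for clause in _split_clauses(value):
        parts = [p.strip() for p in clause.split(";")]
        entry = {"license": parts[0]}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            entry[key.strip()] = val.strip().strip('"')
        entries.append(entry)
    return entries


def is_dual_licensed(manifest_text):
    return len(bundle_licenses(manifest_text)) > 1


# Constructed: the wrapped dual-license header quoted in this thread, under a made-up bundle name.
DUAL_LICENSE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Bundle-SymbolicName: org.example.duallicensed\n"
    "Bundle-License: http://www.eclipse.org/legal/epl-v10.html, http://www.\n"
    " gnu.org/licenses/old-licenses/lgpl-2.1.html\n"
    "\n"
    "Name: org/example/duallicensed/\n"
    "SHA-256-Digest: not-a-real-digest\n"
)

# Constructed: a single license whose quoted description contains a comma.
DESCRIBED_LICENSE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    'Bundle-License: https://opensource.org/licenses/MIT;description="MIT License, OSI approved"\n'
)

if __name__ == "__main__":
    for entry in bundle_licenses(DUAL_LICENSE_MANIFEST):
        print(entry)
```

Fed the `META-INF/MANIFEST.MF` extracted from the resolved JAR (for example via `zipfile`), `is_dual_licensed` is a cheap second opinion next to the single license the report prints.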
Right now, it looks like license information only comes from managed dependencies via Ivy. This means that any unmanaged dependencies are not part of the report. It would be nice if there was an easy way to specify the license information in the sbt configuration for unmanaged dependencies so the license report could be complete.
I am trying to add a license to the report where no Ivy dependency exists (the project is included). Here is my attempt:

```scala
updateLicenses := {
  val regular = updateLicenses.value
  val plexLic = DepLicense(
    DepModuleInfo("com.ibm", "plex-mono", "4.0.2"),
    LicenseInfo(LicenseCategory("OFL"), name = "SIL Open Font License 1.1",
      url = "https://opensource.org/licenses/OFL-1.1"
    ),
    configs = Set(Test.name, Compile.name) // .empty
  )
  regular.copy(licenses = regular.licenses :+ plexLic)
},
```

However, while I can verify that the code is executed when I run `dumpLicenseReport`, the new license doesn't show up in the CSV. What am I doing wrong?
Having a POM such as this one, https://repo1.maven.org/maven2/org/keycloak/keycloak-adapter-core/23.0.0/keycloak-adapter-core-23.0.0.pom:

```xml
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>${keycloak.crypto.artifactId}</artifactId>
</dependency>
```

will lead to:

```
(updateLicenses) sbt.librarymanagement.ResolveException: unresolved dependency: org.keycloak#${keycloak.crypto.artifactId};working@company: java.net.URISyntaxException: Illegal character in path at index 64: https://nexus.io/repository/company-central/org/keycloak/${keycloak.crypto.artifactId}/working@company/${keycloak.crypto.artifactId}[email protected]
```
See https://github.com/apache/incubator-pekko-http/pull/147/files#r1194719727 for a case where this occurs. While sbt's `.from` can support arbitrary URLs, we can make our job easier if we restrict this to GitHub.
Currently when sbt-license-report generates a report, it only uses the current Scala version, whereas ideally we should aggregate the dependencies from all Scala versions, as it is possible for projects to resolve dependencies differently based on the Scala version. Similarly, a Scala version column should also be added as an option for those projects which do happen to resolve dependencies differently based on `crossScalaVersions`.
Thankfully we don't need to explicitly handle the common use case where dependencies are the same across different Scala versions, since #57 added the functionality that filters out all duplicates.
Currently there is a Notes column which lets you add custom notes when a report is generated. Ideally, if there is no data in the Notes column, we should skip rendering the column at all, because as of now it just creates wasted space (i.e. you have an entire vertical Notes column with no data inside it).
Some artifacts specify their license in their parent POM. That information should propagate.
There have been a few fixes recently. It'd be good to cut a new release after #26 is merged.
Hi there,
current sbt cannot locate the plugin after the Bintray shutdown:

```
[error] Error downloading com.typesafe.sbt:sbt-license-report;sbtVersion=1.0;scalaVersion=2.12:1.2.0
[error] Not found
[error] Not found
[error] not found: ~/.ivy2/local/com.typesafe.sbt/sbt-license-report/scala_2.12/sbt_1.0/1.2.0/ivys/ivy.xml
[error] not found: https://repo1.maven.org/maven2/com/typesafe/sbt/sbt-license-report_2.12_1.0/1.2.0/sbt-license-report-1.2.0.pom
```

Can you publish to Sonatype, or is there an alternative resolver?
In order to support reactive streams
It would be nice to be able to export an aggregated report for a multimodule project where the root has .aggregate(...) set up.
Currently, the plugin resolves the dependencies using the Ivy resolver. Our builds only work with Coursier, therefore we noticed sbt failing to resolve the dependencies.
The plugin seems not to be maintained anymore. Any pointers on how the plugin could be improved to respect the actual sbt dependency resolution configuration?
Currently the report file name is `new File(config.reportDir, s"${title}.${language.ext}")`, where `title` is the value of the setting `licenseReportTitle`. If your title is something like "Third-Party Licenses", one would rather have the report named `third-party-licenses.html` instead of `Third-Party Licenses.html` (which requires having the space escaped).
It appears to me that the report does not distinguish between licenses for main dependencies and test dependencies. I believe it's perfectly valid for example to have a project whose test dependencies contain a library licensed under GPL without requiring the project to be covered by GPL, because neither test sources nor test binaries are published. I therefore suggest to either mark licenses that result from test dependencies or simply to remove them.
I'm seeing lots of duplicate libraries in my report. E.g.

```
none specified com.google.http-client # google-http-client # 1.19.0
none specified com.google.http-client # google-http-client # 1.20.0
```

It doesn't seem necessary to include evicted libraries in the license report since they're not actually being used. In this case we could just include 1.20.0.