Well, I know that Sonatype has a product they have been pretty aggressive with called CLM.
CLM shows both vulnerabilities and license threats -- including undefined licenses... Perhaps that is what you need?

Thanks,
Roy Lyons

On 5/9/13 4:15 AM, "Daniel Pocock" <[email protected]> wrote:

> Hi,
>
> There is a lot of confusion about the distinction between software that
> is free (like malware in app stores) and software that is really free
> with open source code.
>
> Several people have asked me how they can be sure that a Maven build
> (including all downloaded plugins) only uses genuine open source
> software, and that the binary downloads are identical to the source
> releases. There are many users that want to build projects from source
> code in clean, non-networked environments.
>
> How can somebody tell Maven to
> a) recursively download source JARs for all plugins and dependencies
> (and their build plugins) and compile them one by one?
> b) stop if any source JAR contains binary artifacts or if a
> dependency/plugin source is not available?
> c) put all downloaded source in some kind of tree where it can be tarred
> up, copied onto a DVD and then built by a machine that is offline?
>
> I'm aware of the command "mvn dependency:sources", but this only appears
> to fetch the sources on a best effort basis and doesn't appear to
> compile them.
>
> Regards,
>
> Daniel
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
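Point (b) of Daniel's question (stop if a dependency has no source JAR, or if a source JAR smuggles in compiled classes) is something you can check yourself against the local repository after `mvn dependency:sources` has run, without waiting on a vendor product. The script below is an added example written for this thread; it is not part of Maven or of any Sonatype tool. It assumes only the standard local-repository layout (`<group path>/<artifact>/<version>/<artifact>-<version>.jar` with the sources JAR beside it as `<artifact>-<version>-sources.jar`), walks that tree, and reports every binary JAR whose sources JAR is missing or whose sources JAR contains `.class`, `.jar` or native-library entries. The sample repository it builds in a temporary directory is constructed for the demonstration; the artifact names in it are made up.

```python
import os
import sys
import tempfile
import zipfile
from pathlib import Path

# Entries that should never appear in a *-sources.jar. Anything compiled or
# native hidden among the .java files defeats the point of building from source.
BINARY_SUFFIXES = (".class", ".jar", ".so", ".dll", ".dylib", ".exe")

# Classifier JARs that are not the main binary artifact and need no sources pair.
SKIP_CLASSIFIERS = ("-sources.jar", "-javadoc.jar", "-tests.jar", "-test-sources.jar")


def binary_entries(sources_jar):
    """Return the entries of a sources JAR that look compiled or native."""
    with zipfile.ZipFile(sources_jar) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(BINARY_SUFFIXES))


def audit_repository(repo_root):
    """Walk a Maven local repository and pair each binary JAR with its sources JAR.

    Returns (missing, tainted): a list of repository-relative paths of JARs with
    no -sources.jar, and a dict mapping JAR paths to the binary entries found in
    their -sources.jar.
    """
    repo_root = Path(repo_root)
    missing = []
    tainted = {}
    for jar in sorted(repo_root.rglob("*.jar")):
        if jar.name.endswith(SKIP_CLASSIFIERS):
            continue
        rel = jar.relative_to(repo_root).as_posix()
        sources_jar = jar.with_name(jar.name[:-4] + "-sources.jar")
        if not sources_jar.is_file():
            missing.append(rel)
            continue
        bad = binary_entries(sources_jar)
        if bad:
            tainted[rel] = bad
    return missing, tainted


def build_sample_repo(root):
    """Construct a tiny repository tree (made-up artifacts) with one clean pair,
    one artifact lacking sources and one whose sources JAR hides a .class file."""
    root = Path(root)

    def write_jar(path, entries):
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    class_magic = b"\xca\xfe\xba\xbe"  # JVM class-file magic, enough to look compiled
    clean = root / "org" / "example" / "clean" / "1.0"
    write_jar(clean / "clean-1.0.jar", {"org/example/Clean.class": class_magic})
    write_jar(clean / "clean-1.0-sources.jar",
              {"org/example/Clean.java": b"package org.example; class Clean {}"})

    nosrc = root / "org" / "example" / "nosrc" / "1.0"
    write_jar(nosrc / "nosrc-1.0.jar", {"org/example/NoSrc.class": class_magic})

    tainted = root / "org" / "example" / "tainted" / "2.1"
    write_jar(tainted / "tainted-2.1.jar", {"org/example/T.class": class_magic})
    write_jar(tainted / "tainted-2.1-sources.jar",
              {"org/example/T.java": b"package org.example; class T {}",
               "com/vendor/Helper.class": class_magic})


def run_demo():
    """Build the constructed sample repository and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return audit_repository(tmp)


def main(argv):
    # Point this at the repository you populated, e.g. the directory given to
    # -Dmaven.repo.local when running mvn dependency:sources; with no argument
    # the constructed sample is audited instead.
    if len(argv) > 1:
        missing, tainted = audit_repository(argv[1])
    else:
        missing, tainted = run_demo()
    for rel in missing:
        print(f"NO SOURCES: {rel}")
    for rel, entries in tainted.items():
        print(f"BINARY IN SOURCES: {rel}: {', '.join(entries)}")
    # Non-zero exit so a wrapper script can stop the build, as point (b) asks.
    return 1 if (missing or tainted) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a fresh local repository (for example `mvn -Dmaven.repo.local=/tmp/repo dependency:sources`, then `python audit.py /tmp/repo`) and the non-zero exit code gives you the "stop" from point (b). It does not address (a) or (c): it only verifies that sources exist and are source-only, it does not compile them or prove that the binary JAR was built from them.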
