Thanks Curtis,

I believe you’re correct - there really exists no perfect solution for doing 
continuous license management using Maven, beyond some really basic stuff. 
Almost all of what exists in Maven land seems to only deal with homogeneous 
licensing of a module and management of module dependencies, which is likely a 
good 80% of what most need to manage. However there is a growing pattern of 
pulling small pieces of code from disparate sources (especially so at a 
research institution such as where I am) - hence there is a need to dig down 
into each file and manage each file separately - but at the same time, you need 
to have a global view across the enterprise.

So far what I’ve found is FOSSology [1], which centralizes about 80% of the work I 
need; however there’s really no direct Maven integration other than via exec. 
I could see possibly using a combination of approaches:
        1) RAT or the maven-license-plugin to ID files, which just identifies 
missing licenses
        2) FOSSology to generate reports and manage exceptions

However there’s no real middle ground between the two, in that I really need the 
DB from FOSSology to influence RAT or the maven-license-plugin. Maybe the ideal 
thing is to figure out a way to build a Maven plugin for FOSSology… 

- JK

[1] http://www.fossology.org/projects/fossology

> On Oct 5, 2015, at 2:26 PM, Curtis Rueden <[email protected]> wrote:
> 
> Hi Jim,
> 
> I struggled with licensing-related tooling too when I researched it awhile
> back—and my needs were simpler than yours. We ended up using
> license-maven-plugin to programmatically manage license headers of all our
> sources, with a single header with unified copyright date range and
> contributors list, which made things much easier. It sounds like your
> licensing situation is substantially more heterogeneous.
> 
> I do not know of any excellent licensing-related tutorials for license
> management, auditing or both. Maybe you could take the bull by the horns
> and write a guide somewhere? It would surely be of great benefit to the
> Maven community.
> 
> Regards,
> Curtis
> 
> On Mon, Sep 28, 2015 at 11:13 AM, Jim Klo <[email protected]> wrote:
> 
>> Hi,
>> 
>> Looking for some guidance on doing some source license auditing.  My needs
>> are two fold.  I need to track down all the licenses of all our
>> dependencies, which there seems to be an abundance of plugins. But I also
>> need to audit the licenses of our committed source, as many come from open
>> and non-open projects, I need to track the individual files as well.
>> 
>> I’ve started by using Apache RAT [1], which seems to be okay for auditing
>> the source, but given that we have a significant number of modules,
>> configuration of RAT is somewhat a pain (I have a bunch of custom license
>> definitions and matchers) which seem to have to be added to every POM file
>> (doesn’t like going into the parent POM likely because of the way we are
>> using Tycho).
>> 
>> Can anyone recommend a plugin that might be better for my use case?  I’d
>> like to be able to have a single config file (or artifact) that contains
>> the license declarations, and then be able to reference that from all my
>> modules.  The Codehaus License Maven Plugin [2] seems close to what I want,
>> but I can’t seem to figure out how to get it to show me files that are
>> missing license headers or even show me a per file license summary.  If
>> anyone can point me to some examples or tutorials that explain this that
>> would be much appreciated.
>> 
>> [1]
>> http://creadur.apache.org/rat/apache-rat-plugin/examples/custom-license.html
>> [2]
>> http://www.mojohaus.org/license-maven-plugin/examples/example-thirdparty.html
>> 
>> Thanks,
>> 
>> JK
>> 
>> Jim Klo
>> Senior Software Engineer
>> Center for Software Engineering
>> SRI International
>> t. @nsomnac
>> 
>> 

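Added example for the thread above (not code posted by Jim, Curtis, or either plugin project): one way to centralise the license-audit configuration Jim asks about in a parent POM, so that child modules inherit it and only need to bind the plugins. It combines Apache RAT with a custom license matcher (the approach behind Jim's reference [1]) and the MojoHaus license-maven-plugin's check-file-header goal, which is the goal that reports files missing a header. Assumptions: plain Maven parent/child inheritance (Jim notes this did not work cleanly for his Tycho build), the plugin versions shown, and the placeholder organisation name and header pattern "MyOrg", which you would replace with the header text actually used in your sources.

```xml
<!-- Added example (not from the thread). Parent POM fragment: declare the
     audit plugins once under pluginManagement; each module then just lists
     the plugin (no configuration) and inherits this setup.
     Versions, "MyOrg" and the header pattern below are placeholders. -->
<project>
  <build>
    <pluginManagement>
      <plugins>

        <!-- Apache RAT: flags any file whose header matches none of the
             known licenses. A custom license family is added for the
             in-house header so those files are not reported as unknown.
             Unapproved files are listed in target/rat.txt. -->
        <plugin>
          <groupId>org.apache.rat</groupId>
          <artifactId>apache-rat-plugin</artifactId>
          <version>0.11</version>
          <configuration>
            <licenses>
              <license implementation="org.apache.rat.analysis.license.SimplePatternBasedLicense">
                <licenseFamilyCategory>MYORG</licenseFamilyCategory>
                <licenseFamilyName>MyOrg Internal License</licenseFamilyName>
                <notes></notes>
                <patterns>
                  <!-- placeholder: substitute the real header line -->
                  <pattern>Copyright (c) MyOrg. All rights reserved.</pattern>
                </patterns>
              </license>
            </licenses>
            <licenseFamilies>
              <licenseFamily implementation="org.apache.rat.license.SimpleLicenseFamily">
                <familyName>MyOrg Internal License</familyName>
              </licenseFamily>
            </licenseFamilies>
            <excludes>
              <!-- keep generated output and non-source files out of the audit -->
              <exclude>**/target/**</exclude>
              <exclude>**/*.md</exclude>
            </excludes>
          </configuration>
        </plugin>

        <!-- MojoHaus license-maven-plugin: check-file-header compares each
             source header against the named license and fails the build,
             naming the offending files, when a header is missing or stale. -->
        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>license-maven-plugin</artifactId>
          <version>1.8</version>
          <configuration>
            <licenseName>apache_v2</licenseName>
            <failOnMissingHeader>true</failOnMissingHeader>
            <failOnNotUptodateHeader>true</failOnNotUptodateHeader>
          </configuration>
        </plugin>

      </plugins>
    </pluginManagement>
  </build>
</project>
```

With this in the parent, `mvn apache-rat:check` run from any module writes the per-file verdicts to target/rat.txt (the "Unapproved" entries are the files with no recognised header), and `mvn license:check-file-header` logs the files whose header is missing or out of date before failing the build. Binding `check` and `check-file-header` to the verify phase in the same pluginManagement block makes the audit part of every build rather than an occasional manual run. Note that RAT only classifies headers it has a pattern for; a file carrying a third-party license you have not declared will show up as unapproved rather than being attributed to that license, which is the per-file heterogeneity Jim describes and the part RAT alone does not solve.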