Finding out the licenses of JAR libraries

Question

I use Maven to build my web app projects, when I add some dependent library to the pom file, it again adds some more dependent jars to the project recursively. Is there a way to find out or restrict that only jars having a certain type of license - say Apache License, BSD etc should be included. Or is there a way to find out that a jar file is under GPL/ASL etc without going to the website for each jar in the application?

Stephen C · Accepted Answer · 2016-09-21T11:51:02.277

12

The Maven "Project Info Reports" plugin produces a Dependencies report that includes the Licenses for the dependencies. Here's an example.

Obviously, this depends on the dependent POMs declaring their dependencies properly, and it requires that you build your site documentation "online".

edited Sep 21 '16 at 11:51

answered Aug 17 '10 at 09:40

Stephen C

698,415
94
811
1,216

Thanks Stephen, this is what I exactly wanted. Though some of the libraries are under unknown, but I can live with it :) – Prabhu R Aug 17 '10 at 16:21

score 6 · Answer 2 · edited Jan 09 '19 at 21:42

6

During the acquisition of a company I was working for, the acquiring company used the following software / consultancy to do what you're describing.

http://www.blackducksoftware.com/transact

Although I'm guessing you were probably looking for a free alternative. There may be other methods, but the fact this company makes money doing this suggests an alternative is probably less thorough/accurate.

edited Jan 09 '19 at 21:42

030

10,842
12
78
123

answered Aug 17 '10 at 08:10

lucas1000001

2,740
1
25
22

1

Yes, a free alternative will be great! – Prabhu R Aug 17 '10 at 09:34
A free alternative would be "scancode-toolkit". You can find it on Github: https://github.com/nexB/scancode-toolkit – Denis.Sabolotni Feb 05 '19 at 12:33

score 3 · Answer 3 · edited Jun 20 '20 at 09:12

I also find this website (https://www.versioneye.com) provides license info. For instance, https://www.versioneye.com/java/tomcat:jasper-runtime/5.5.23 says License: Apache License 2.0

October 19, 2017

I’m shutting down VersionEye by end of this year!

I started the project round about 6 years ago and so far it was a journey with many ups and downs. The typical StartUp rollercoaster thing. I raised Money from a big VC in Berlin and almost went bankrupt after that. Raised Money again from small Angel Investors to prevent bankruptcy. Won one of the biggest Software companies in the world as customer and established a stable income for the company.

unfortunately versioneye is going to shut down their service in early 2018, but their API was great — hasgarion, Jan 04 '18 at 07:45

score 1 · Answer 4 · answered Feb 05 '19 at 12:18

A free alternative for a license scanner is the "scancode-toolkit". It is able to scan your codebase for copyright information, license texts etc.

But like @Stephen C mentioned in his answer, it won't be always able to detect the license for a dependency.

https://github.com/nexB/scancode-toolkit

Finding out the licenses of JAR libraries

4 Answers4