Configure the Mojo Maven License Plugin
You can use it from command line but this will limit the ability to sustainably configure it (shown later). Therefore we add it permanently as a build-plugin to the project parent-pom like this:
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>license-maven-plugin</artifactId>
<version>1.14</version>
<configuration>
<outputDirectory>${project.build.directory}/generated-resources</outputDirectory>
<sortArtifactByName>true</sortArtifactByName>
<includeTransitiveDependencies>true</includeTransitiveDependencies>
<!-- the "missing file" declares licenses for dependencies that could not be detected automatically -->
<useMissingFile>true</useMissingFile>
<!-- find the "missing files" in all child-projects at the following location -->
<missingFile>src/license/THIRD-PARTY.properties</missingFile>
<!-- if the "missing files" are not yet existing in child-projects they will be created automatically -->
<failOnMissing>false</failOnMissing>
<overrideFile>src/license/override-THIRD-PARTY.properties</overrideFile>
<!-- harmonize different ways of writing license names -->
<licenseMerges>
<licenseMerge>Apache-2.0|Apache 2.0</licenseMerge>
<licenseMerge>Apache-2.0|Apache License, Version 2.0</licenseMerge>
<licenseMerge>Apache-2.0|Apache Software License, Version 2.0</licenseMerge>
<licenseMerge>Apache-2.0|The Apache Software License, Version 2.0</licenseMerge>
</licenseMerges>
<encoding>utf-8</encoding>
</configuration>
</plugin>In the config above there are several settings that help to permanently improve the result of an automated OSS scan. We explain these now.
Declare additional licenses
Sometimes the licenses of used OSS cannot be resolved automatically. That is not the mistake of the maven-license-tool, but the mistake of the OSS author who didn’t make the respective license-information properly available.
Declare additional licenses in a "missing file" within each maven-subproject: /src/license/THIRD-PARTY.properties.
# Generated by org.codehaus.mojo.license.AddThirdPartyMojo
#-------------------------------------------------------------------------------
# Already used licenses in project :
# - ASF 2.0
# - Apache 2
...
#-------------------------------------------------------------------------------
# Please fill the missing licenses for dependencies :
...
dom4j--dom4j--1.6.1=BSD 3-Clause
javax.servlet--jstl--1.2=CDDL
...In case the use of "missing files" is activated, but the THIRD-PARTY.properties-file is not yet existing, the first run of an "aggregate-add-third-party" goal (see below) will fail. Luckily the license-plugin just helped us and created the properties-files automatically (in each maven-subproject) and prefilled it with:
-
a list of all detected licenses within the maven project
-
all OSS libraries where a license could not be detected automatically.
You now need to fill in missing license information and rerun the plugin.
Redefine wrongly detected licenses
In case automatically detected licenses proof to be wrong by closer investigation, this wrong detection can be overwritten. Add a configuration to declare alternative licenses within each maven-subproject: /src/license/override-THIRD-PARTY.properties
com.sun.mail--javax.mail--1.5.6=Common Development and Distribution License 1.1This can be also be useful for OSS that provides a multi-license to make a decision which license to actually choose .
Merge licenses
You will see that many prominent licenses come in all sorts of notations, e.g. Apache-2.0 as: "Apache 2" or "ASL-2.0" or "The Apache License, Version 2.0". The Mojo Maven License Plugin allows to harmonize different forms of a license-naming like this:
<!-- harmonize different ways of writing license names -->
<licenseMerges>
<licenseMerge>Apache-2.0|Apache 2.0</licenseMerge>
<licenseMerge>Apache-2.0|Apache License, Version 2.0</licenseMerge>
<licenseMerge>Apache-2.0|Apache Software License, Version 2.0</licenseMerge>
<licenseMerge>Apache-2.0|The Apache Software License, Version 2.0</licenseMerge>
</licenseMerges>License-names will be harmonized in the OSS report to one common term. We propose to harmonize to short-license-IDs defined by the SPDX standard.