Eclipse Dash License Tool and The Maven Reactor

The Eclipse Dash License Tool identifies the licenses of content. It is intended primarily for use by Eclipse committers to vet third party content used by their Eclipse open source project.

The license tool has a Maven plugin that you can use to find license information for all of your Maven project’s dependencies. That is, the Maven plugin can identify the entire transitive closure of dependencies described in your project’s pom.xml file(s) (dependencies of dependencies, recursively) and from that sort out curated license information.

You can generate a file that summarizes the licenses of all of the dependencies by asking the plugin to create a summary file.

$ mvn org.eclipse.dash:license-tool-plugin:license-check -Ddash.summary=DEPENDENCIES
...
$ cat DEPENDENCIES
maven/mavencentral/com.fasterxml.jackson.core/jackson-annotations/2.10.3, Apache-2.0, approved, CQ21280
maven/mavencentral/com.fasterxml.jackson.core/jackson-core/2.10.3, Apache-2.0, approved, CQ21186
maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.10.3, Apache-2.0, approved, CQ21187
maven/mavencentral/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/2.10.3, Apache-2.0, approved, #813
maven/mavencentral/com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/2.10.3, Apache-2.0, approved, #811
maven/mavencentral/com.fasterxml.jackson.module/jackson-module-jaxb-annotations/2.10.3, Apache-2.0, approved, #816
...
$ _ 
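The summary file above is the natural place to put a build gate: every line is `id, license, status, authority`, and anything whose status is not `approved` needs a look before release. The following is an added example, not part of the Dash License Tool or this post; the summary it parses is constructed to resemble the output above, and the two `restricted` entries (and their `org.example` ids) are made up for illustration.

```python
"""Parse a Dash License Tool DEPENDENCIES summary and gate on unapproved entries."""
from collections import Counter

# Constructed sample summary: the two org.example lines are invented to show
# what an unvetted and a restricted dependency look like in the summary.
SAMPLE = """\
maven/mavencentral/com.fasterxml.jackson.core/jackson-annotations/2.10.3, Apache-2.0, approved, CQ21280
maven/mavencentral/com.fasterxml.jackson.core/jackson-core/2.10.3, Apache-2.0, approved, CQ21186
maven/mavencentral/org.example/unvetted-lib/1.0.0, , restricted,
maven/mavencentral/org.example/lgpl-lib/3.2.1, LGPL-2.1-only, restricted, #999
"""


def parse_summary(text):
    """Return one dict per summary line; blank lines and '...' separators are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3:
            raise ValueError(f"malformed summary line: {line!r}")
        entries.append({
            "id": parts[0],
            "license": parts[1],          # may be empty when nothing was identified
            "status": parts[2],           # "approved" or "restricted"
            "authority": parts[3] if len(parts) > 3 else "",
        })
    return entries


def unapproved(entries):
    """Entries that are not approved, i.e. the ones that block a release."""
    return [e for e in entries if e["status"] != "approved"]


def license_counts(entries):
    """How many dependencies carry each license; unidentified ones are grouped."""
    return Counter(e["license"] or "<unknown>" for e in entries)


def gate(text):
    """Return True when every entry is approved; print the offenders otherwise."""
    bad = unapproved(parse_summary(text))
    for e in bad:
        print(f"{e['status']}: {e['id']} ({e['license'] or 'no license identified'})")
    return not bad


if __name__ == "__main__":
    raise SystemExit(0 if gate(SAMPLE) else 1)
```

Run it against the real `DEPENDENCIES` file in CI and fail the build on a non-zero exit; the per-license counts are useful for a quick read of what a new transitive dependency pulled in.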

The Maven plugin gets its information from the Maven reactor. The Maven reactor works through dependency declarations; sorts out dependencies of dependencies, dependencies of dependencies of dependencies, and so on; and mashes it all together to build a comprehensive list of dependencies while downloading half of Maven Central into your local cache. The short version is that as far as the Dash License Tool is concerned, when the Maven reactor thinks that a particular library is a dependency, it’s a dependency, whether you agree with the assessment or not.

I’m certainly not a Maven expert, all I know for certain is that saying things like “the Maven reactor something-or-other…” makes me feel like I sound smart.

The dependency plugin uses the same information. If you’re not sure why a particular library is being included, you can use the dependency plugin to find out. In the example below, the sshd-core library is being pulled in as a prerequisite of sshd-sftp, and sshd-common as a prerequisite of sshd-core:

$ mvn dependency:tree
...
[INFO] +- org.apache.sshd:sshd-sftp:jar:2.8.0:compile
[INFO] |  \- org.apache.sshd:sshd-core:jar:2.8.0:compile
[INFO] |     \- org.apache.sshd:sshd-common:jar:2.8.0:compile
...

Maven doesn’t know what you mean; it only knows what you say. If you’re certain that the prerequisites aren’t really needed or shouldn’t be included in the generated list of project dependencies, you have three options:

The first (and IMHO best) option is to exclude the transitive dependencies in the pom.xml file. By adding exclusions to your dependency declaration, you can force the Maven reactor to skip those libraries:

...
<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-sftp</artifactId>
    <version>${apache-sshd-version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.apache.sshd</groupId>
            <artifactId>sshd-core</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.sshd</groupId>
            <artifactId>sshd-common</artifactId>
        </exclusion>
    </exclusions>
</dependency>
...

I describe this as the best option because it forces you to express your intent with precision (and lets the tools validate your belief that you “don’t use” a particular library).

The second option is to tell the Dash License Tool to skip specific groups or artifacts. You can use the excludeArtifactIds option when you invoke the license tool:

$ mvn -DexcludeArtifactIds=sshd-core,sshd-common org.eclipse.dash:license-tool-plugin:license-check

The third option is to modify the generated output, either automatically or manually. This option is terrible: friends don’t let friends modify generated content.