
[license-gather-plugin] Ability to handle multiple licensed artefacts #54

Open
bric3 opened this issue Nov 2, 2022 · 1 comment

bric3 commented Nov 2, 2022

I noticed that some dependencies were not in the output, because it happens they are dual licensed.


EDIT: Actually, it may be (partly) working as some dependencies are in the report but not all of those that are ignored due to multiple licenses in Bundle-License.

    LICENSE-like files are missing
    ==============================

    BSD-3-Clause
    * org.pushing-pixels:radiance-animation:6.0.1

    MIT
    * com.github.scribejava:scribejava-core:8.3.1
    * com.github.scribejava:scribejava-java8:8.3.1
    * org.brotli:dec:0.1.2

    Apache-2.0 AND LGPL 2.1 (http://www.gnu.org/licenses/lgpl-2.1.html) AND MPL-1.1
    * org.javassist:javassist:3.25.0-GA

    EPL-2.0 AND GPL2 w/ CPE (https://www.gnu.org/software/classpath/license.html)
    * org.glassfish.hk2:osgi-resource-locator:1.0.3


I discovered this by adding `--info`:

    Ignoring Bundle-License 'http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html, http://www.apache.org/licenses/LICENSE-2.0.html' in /Users/brice.dutheil/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.media/jersey-media-json-jackson/3.0.4/cad1796630c5c79decde3f9dc2205bd95093aee5/jersey-media-json-jackson-3.0.4.jar since it contains multiple license references

Looking at the jar itself, we see that

  • jersey-media-json-jackson-3.0.4.jar!/META-INF/MANIFEST.MF

    Bundle-License: http://www.eclipse.org/legal/epl-2.0, https://www.gnu.
     org/software/classpath/license.html, http://www.apache.org/licenses/L
     ICENSE-2.0.html
    
  • jersey-media-json-jackson-3.0.4.jar!/META-INF/LICENSE.md

    # Eclipse Public License - v 2.0
    
            THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE
    
    ---
    
    ##    The GNU General Public License (GPL) Version 2, June 1991
    
        Copyright (C) 1989, 1991 Free Software Foundation, Inc.
        ...
    
    ---
    
    ## CLASSPATH EXCEPTION
    
        Linking this library statically or dynamically with other modules is
        ...

The most interesting details seem to come from the pom licenses element.

  • jersey-media-json-jackson-3.0.4.jar!/META-INF/maven/org.glassfish.jersey.media/jersey-media-json-jackson/pom.xml

    <licenses>
        <license>
            <name>EPL 2.0</name>
            <url>http://www.eclipse.org/legal/epl-2.0</url>
            <distribution>repo</distribution>
            <comments>Except for Guava, JSR-166 files, Dropwizard Monitoring inspired classes, ASM and Jackson JAX-RS Providers.
                See also https://github.com/eclipse-ee4j/jersey/blob/master/NOTICE.md</comments>
        </license>
        <license>
            <name>The GNU General Public License (GPL), Version 2, With Classpath Exception</name>
            <url>https://www.gnu.org/software/classpath/license.html</url>
            <distribution>repo</distribution>
            <comments>Except for Jackson JAX-RS Providers.
                See also https://github.com/jersey/jersey/blob/master/NOTICE.md</comments>
        </license>
        <license>
            <name>Apache License, 2.0</name>
            <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
            <distribution>repo</distribution>
            <comments>Jackson JAX-RS Providers @ org.glassfish.jersey.jackson.internal.jackson.jaxrs</comments>
        </license>
    </licenses>

I'm not sure how to handle these cases, but this seems legitimate, in particular if the artifact has shadowed dependencies or if it's simply a fatjar.
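As an added example (not code from this issue or from license-gather-plugin), a small Python checker that parses the two metadata sources shown above, MANIFEST.MF with its 72-byte continuation lines and the pom.xml `<licenses>` element, and flags artifacts that carry more than one license reference; the sample manifest and pom are constructed to mirror the jersey-media-json-jackson-3.0.4 entries quoted above.

```python
# Added example (not the plugin's code): unfold a JAR MANIFEST.MF, split its
# Bundle-License header, read the pom.xml <licenses> URLs, and flag artifacts
# that carry more than one license reference, the case the plugin skips.
import xml.etree.ElementTree as ET

# Constructed sample shaped like the jersey-media-json-jackson-3.0.4 manifest
# quoted in the issue: 72-byte lines, continuation lines begin with one space.
MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Bundle-License: http://www.eclipse.org/legal/epl-2.0, https://www.gnu.\n"
    " org/software/classpath/license.html, http://www.apache.org/licenses/L\n"
    " ICENSE-2.0.html\n"
)
# Constructed pom.xml fragment with the same three <license> entries.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><licenses>
  <license><name>EPL 2.0</name><url>http://www.eclipse.org/legal/epl-2.0</url></license>
  <license><name>GPL v2 With Classpath Exception</name>
    <url>https://www.gnu.org/software/classpath/license.html</url></license>
  <license><name>Apache License, 2.0</name>
    <url>http://www.apache.org/licenses/LICENSE-2.0.html</url></license>
</licenses></project>"""

def parse_manifest(text):
    """Return manifest headers; a line starting with a space continues the previous value."""
    headers, last = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            headers[last] += raw[1:]  # continuation: strip exactly one leading space
        elif raw:
            name, _, value = raw.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers

def bundle_license_refs(manifest_text):
    """Bundle-License may hold several comma-separated references (OSGi spec)."""
    value = parse_manifest(manifest_text).get("Bundle-License", "")
    return [ref.strip() for ref in value.split(",") if ref.strip()]

def pom_license_urls(pom_text):
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_text)
    return [el.text.strip() for el in root.findall("m:licenses/m:license/m:url", ns)]

def needs_manual_resolution(manifest_text, pom_text):
    """More than one distinct reference: AND vs OR cannot be decided automatically."""
    refs = sorted(set(bundle_license_refs(manifest_text)) | set(pom_license_urls(pom_text)))
    return len(refs) > 1, refs
```

Artifacts the checker flags are the ones that need a human decision (or an explicit override) before they can appear in the report.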

vlsi (Owner) commented Nov 2, 2022

Does #50 (comment) cover your case?

Frankly speaking, there's no way to automatically resolve cases when the developer lists multiple licenses.

It would be awesome if they used SPDX license expressions in Bundle-License; however, they rarely do so.
In the non-trivial cases, I do the following:
a) Approach projects to update their MANIFEST, pom.xml, etc. For instance, here's the list of issues I created when adding license verification to JMeter: apache/jmeter#469 (comment)

b) Use overrideLicense to clarify the actual meaning. For instance, it detected EPL-2.0 AND GPL2 w/ CPE, and most likely the actual license is EPL-2.0 OR GPL2-or-later with Classpath-Exception. If that is the case, you could add the relevant override.


I might start collecting a set of well-known resolution cases (e.g. I have resolution history in JMeter: https://github.com/apache/jmeter/blob/da6efde33eb80751eff1f778d63b67e4f9bcd652/src/licenses/build.gradle.kts#L72 )
However, I have not explored that yet.
