The license of an open-source project is an important declaration: it states under which license the software is made available to the world and which rules govern its use.
Open-source software in turn depends on other open-source software, and each of those dependencies carries its own license, so checking the licenses of dependencies is very important, because some licenses are incompatible. For example, a project released under the Apache License cannot include a library that depends on GPLv3.
So checking dependency licenses matters.
If you know every open-source project well enough to tell its license and compatibility from the name alone, you need no help, but in most cases that is hard to do.
License Maven Plugin is a plugin built for exactly this problem. For any Maven project, simply run
mvn license:add-third-party -Dlicense.useMissingFile -Dlicense.includeOptional=true
The output looks like this:
Lists of 67 third-party dependencies.
     (BSD License) AntLR Parser Generator (antlr:antlr:2.7.7 - http://www.antlr.org/)
     (Apache Software License 2.0) A Swiss Army Knife for OSGi (biz.aQute.bnd:bndlib:2.4.0 - http://www.aQute.biz/Code/Bnd/bndlib)
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.1.7 - http://logback.qos.ch/logback-classic)
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.1.7 - http://logback.qos.ch/logback-core)
     (The BSD License) barchart-udt-bundle (com.barchart.udt:barchart-udt-bundle:2.3.0 - https://github.com/barchart/barchart-udt/wiki)
     (The Apache Software License, Version 2.0) Guava: Google Core Libraries for Java (com.google.guava:guava:19.0 - https://github.com/google/guava/guava)
     (GNU Lesser General Public License) checkstyle (com.puppycrawl.tools:checkstyle:6.16.1 - http://checkstyle.sourceforge.net/)
     (The Apache Software License, Version 2.0) Apache Commons BeanUtils (commons-beanutils:commons-beanutils:1.9.2 - http://commons.apache.org/proper/commons-beanutils/)
     (Apache License, Version 2.0) Apache Commons CLI (commons-cli:commons-cli:1.3.1 - http://commons.apache.org/proper/commons-cli/)
     (The Apache Software License, Version 2.0) Commons Collections (commons-collections:commons-collections:3.2.1 - http://commons.apache.org/collections/)
     (The Apache Software License, Version 2.0) Apache Commons Logging (commons-logging:commons-logging:1.2 - http://commons.apache.org/proper/commons-logging/)
     (Apache License, Version 2.0) Netty/Buffer (io.netty:netty-buffer:4.1.34.Final-SNAPSHOT - http://netty.io/netty-buffer/)
     (Apache License, Version 2.0) Netty/Build (io.netty:netty-build:22 - http://netty.io/)
     (Apache License, Version 2.0) Netty/Codec (io.netty:netty-codec:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec/)
     (Apache License, Version 2.0) Netty/Codec/DNS (io.netty:netty-codec-dns:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec-dns/)
     (Apache License, Version 2.0) Netty/Codec/HAProxy (io.netty:netty-codec-haproxy:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec-haproxy/)
     (Apache License, Version 2.0) Netty/Codec/HTTP (io.netty:netty-codec-http:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec-http/)
     (Apache License, Version 2.0) Netty/Codec/HTTP2 (io.netty:netty-codec-http2:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec-http2/)
     (Apache License, Version 2.0) Netty/Codec/Memcache (io.netty:netty-codec-memcache:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec-memcache/)
     (Apache License, Version 2.0) Netty/Codec/MQTT (io.netty:netty-codec-mqtt:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec-mqtt/)
     (Apache License, Version 2.0) Netty/Codec/Socks (io.netty:netty-codec-socks:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec-socks/)
     (Apache License, Version 2.0) Netty/Codec/Stomp (io.netty:netty-codec-stomp:4.1.34.Final-SNAPSHOT - http://netty.io/netty-codec-stomp/)
     (Apache License, Version 2.0) Netty/Common (io.netty:netty-common:4.1.34.Final-SNAPSHOT - http://netty.io/netty-common/)
     (Apache License, Version 2.0) Netty/Handler (io.netty:netty-handler:4.1.34.Final-SNAPSHOT - http://netty.io/netty-handler/)
     (Apache License, Version 2.0) Netty/Handler/Proxy (io.netty:netty-handler-proxy:4.1.34.Final-SNAPSHOT - http://netty.io/netty-handler-proxy/)
     (Apache License, Version 2.0) Netty/Resolver (io.netty:netty-resolver:4.1.34.Final-SNAPSHOT - http://netty.io/netty-resolver/)
     (Apache License, Version 2.0) Netty/Resolver/DNS (io.netty:netty-resolver-dns:4.1.34.Final-SNAPSHOT - http://netty.io/netty-resolver-dns/)
     (Apache License, Version 2.0) Netty/Transport (io.netty:netty-transport:4.1.34.Final-SNAPSHOT - http://netty.io/netty-transport/)
     (Apache License, Version 2.0) Netty/Transport/RXTX (io.netty:netty-transport-rxtx:4.1.34.Final-SNAPSHOT - http://netty.io/netty-transport-rxtx/)
     (Apache License, Version 2.0) Netty/Transport/SCTP (io.netty:netty-transport-sctp:4.1.34.Final-SNAPSHOT - http://netty.io/netty-transport-sctp/)
     (Apache License, Version 2.0) Netty/Transport/UDT (io.netty:netty-transport-udt:4.1.34.Final-SNAPSHOT - http://netty.io/netty-transport-udt/)
     (Eclipse Public License 1.0) JUnit (junit:junit:4.12 - http://junit.org)
     (The BSD License) ANTLR 4 Runtime (org.antlr:antlr4-runtime:4.5.2-1 - http://www.antlr.org/antlr4-runtime)
     (Apache License, Version 2.0) Apache Commons Lang (org.apache.commons:commons-lang3:3.4 - http://commons.apache.org/proper/commons-lang/)
     (Apache License, Version 2.0) Apache Felix Framework (org.apache.felix:org.apache.felix.framework:5.6.10 - http://felix.apache.org/org.apache.felix.framework/)
     (New BSD License) Hamcrest Core (org.hamcrest:hamcrest-core:1.3 - https://github.com/hamcrest/JavaHamcrest/hamcrest-core)
     (New BSD License) Hamcrest library (org.hamcrest:hamcrest-library:1.3 - https://github.com/hamcrest/JavaHamcrest/hamcrest-library)
     (Apache License 2.0) (LGPL 2.1) (MPL 1.1) Javassist (org.javassist:javassist:3.20.0-GA - http://www.javassist.org/)
     (Apache License, Version 2.0) Java Concurrency Tools Core Library (org.jctools:jctools-core:2.1.1 - https://github.com/JCTools)
     (ALv2) OPS4J Base - IO (org.ops4j.base:ops4j-base-io:1.5.0 - http://team.ops4j.org/wiki/display/base/ops4j-base-io/)
     (ALv2) OPS4J Base - Lang (org.ops4j.base:ops4j-base-lang:1.5.0 - http://team.ops4j.org/wiki/display/base/ops4j-base-lang/)
     (ALv2) OPS4J Base - Monitors (org.ops4j.base:ops4j-base-monitors:1.5.0 - http://team.ops4j.org/wiki/display/base/ops4j-base-monitors/)
     (ALv2) OPS4J Base - Net (org.ops4j.base:ops4j-base-net:1.5.0 - http://team.ops4j.org/wiki/display/base/ops4j-base-net/)
     (ALv2) OPS4J Base - Service Provider Access (org.ops4j.base:ops4j-base-spi:1.5.0 - http://team.ops4j.org/wiki/display/base/ops4j-base-spi/)
     (ALv2) OPS4J Base - Store (org.ops4j.base:ops4j-base-store:1.5.0 - http://team.ops4j.org/wiki/display/base/ops4j-base-store/)
     (ALv2) OPS4J Base - Util - Property (org.ops4j.base:ops4j-base-util-property:1.5.0 - http://team.ops4j.org/wiki/display/base/ops4j-base-util-property/)
     (Apache License, Version 2.0) OPS4J Pax Exam API (org.ops4j.pax.exam:pax-exam:4.13.0 - http://team.ops4j.org/wiki/display/paxexam/pax-exam/)
     (Apache License, Version 2.0) OPS4J Pax Exam TestContainer Native (org.ops4j.pax.exam:pax-exam-container-native:4.13.0 - http://team.ops4j.org/wiki/display/paxexam/pax-exam-container-native/)
     (Apache License, Version 2.0) OPS4J Pax Exam Driver JUnit4 (org.ops4j.pax.exam:pax-exam-junit4:4.13.0 - http://team.ops4j.org/wiki/display/paxexam/pax-exam-junit4/)
     (Apache License, Version 2.0) OPS4J Pax Exam Links for Maven (org.ops4j.pax.exam:pax-exam-link-mvn:4.13.0 - http://team.ops4j.org/wiki/display/paxexam/pax-exam-link-mvn/)
     (Apache License, Version 2.0) OPS4J Pax Exam UI Low Level SPI (org.ops4j.pax.exam:pax-exam-spi:4.13.0 - http://team.ops4j.org/wiki/display/paxexam/pax-exam-spi/)
     (ALv2) OPS4J Pax Swissbox :: Bnd Utils (org.ops4j.pax.swissbox:pax-swissbox-bnd:1.8.2 - http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-bnd)
     (ALv2) OPS4J Pax Swissbox :: OSGi Core (org.ops4j.pax.swissbox:pax-swissbox-core:1.8.2 - http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-core)
     (ALv2) OPS4J Pax Swissbox :: Lifecycle (org.ops4j.pax.swissbox:pax-swissbox-lifecycle:1.8.2 - http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-lifecycle)
     (ALv2) OPS4J Pax Swissbox :: Optional JCL (org.ops4j.pax.swissbox:pax-swissbox-optional-jcl:1.8.2 - http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-optional-jcl)
     (ALv2) OPS4J Pax Swissbox :: Property (org.ops4j.pax.swissbox:pax-swissbox-property:1.8.2 - http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-property)
     (ALv2) OPS4J Pax Swissbox :: Tracker (org.ops4j.pax.swissbox:pax-swissbox-tracker:1.8.2 - http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-tracker)
     (ALv2) OPS4J Pax Tinybundles (org.ops4j.pax.tinybundles:tinybundles:2.1.1 - http://team.ops4j.org/wiki/display/ops4j/Tinybundles)
     (ALv2) OPS4J Pax Url - aether: (org.ops4j.pax.url:pax-url-aether:2.4.5 - http://team.ops4j.org/wiki/display/paxurl/pax-url-aether)
     (ALv2) OPS4J Pax Url - classpath: (org.ops4j.pax.url:pax-url-classpath:2.4.5 - http://team.ops4j.org/wiki/display/paxurl/pax-url-classpath)
     (ALv2) OPS4J Pax Url - Commons (org.ops4j.pax.url:pax-url-commons:2.4.7 - http://team.ops4j.org/wiki/display/paxurl/pax-url-commons)
     (ALv2) OPS4J Pax Url - link: (org.ops4j.pax.url:pax-url-link:2.4.5 - http://team.ops4j.org/wiki/display/paxurl/pax-url-link)
     (ALv2) OPS4J Pax Url - wrap: (org.ops4j.pax.url:pax-url-wrap:2.4.7 - http://team.ops4j.org/wiki/display/paxurl/pax-url-wrap)
     (Apache License, Version 2.0) org.osgi.core (org.osgi:org.osgi.core:6.0.0 - http://www.osgi.org)
     (GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.) RXTX serial and parallel I/O libraries (org.rxtx:rxtx:2.1.7 - http://www.rxtx.org)
     (MIT License) JCL 1.1.1 implemented over SLF4J (org.slf4j:jcl-over-slf4j:1.6.6 - http://www.slf4j.org)
     (MIT License) SLF4J API Module (org.slf4j:slf4j-api:1.7.21 - http://www.slf4j.org)
Where license compatibility has to be enforced, you can configure a blacklist directly, so that when a dependency under a blacklisted license is added, the CI tooling detects it right away.
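A CI-side gate over the report format shown above, as an added example (not part of this post and not the plugin's own code): it parses each `(License) Name (groupId:artifactId:version - url)` line, normalises the variant license names the report mixes (ALv2, "Apache License, Version 2.0", "The Apache Software License, Version 2.0" are one license) and fails dependencies whose every declared license is blacklisted. The sample report, the GPLv3 entry and the merge table are constructed; the plugin itself offers `licenseMerges`, `excludedLicenses` and `failOnBlacklist` for the same purpose.

```python
# Constructed sample in the shape of the add-third-party output above: three
# entries copied from it plus one made-up GPLv3 dependency to trigger the gate.
SAMPLE_REPORT = """\
Lists of 4 third-party dependencies.
    (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.1.7 - http://logback.qos.ch/logback-core)
    (ALv2) OPS4J Base - IO (org.ops4j.base:ops4j-base-io:1.5.0 - http://team.ops4j.org/wiki/display/base/ops4j-base-io/)
    (GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.) RXTX serial and parallel I/O libraries (org.rxtx:rxtx:2.1.7 - http://www.rxtx.org)
    (GNU General Public License v3.0) Constructed GPL Library (org.example:gpl-lib:1.0.0 - https://example.invalid/gpl-lib)
"""

# One license appears under many names in the report, so names are mapped to a
# canonical form (alias -> canonical) before the policy is applied.
LICENSE_MERGES = {
    "ALv2": "Apache License, Version 2.0",
    "GNU Lesser General Public License as published by the Free Software "
    "Foundation; either version 2.1 of the License, or (at your option) any "
    "later version.": "GNU Lesser General Public License",
}
BLACKLIST = {"GNU General Public License v3.0", "GNU Lesser General Public License"}

def _leading_groups(s):
    """Split off the top-level '(...)' groups at the start of s; nested parens are kept."""
    groups, i = [], 0
    while i < len(s) and s[i] == "(":
        depth = 0
        for j in range(i, len(s)):
            depth += {"(": 1, ")": -1}.get(s[j], 0)
            if depth == 0:
                break
        if depth:
            raise ValueError("unbalanced parentheses: " + s)
        groups.append(s[i + 1:j])
        i = j + 1
        while i < len(s) and s[i] == " ":
            i += 1
    return groups, s[i:]

def parse_report(text):
    """Yield (gav, name, [canonical licenses]) per dependency line; skips the header."""
    for line in text.splitlines()[1:]:
        line = line.strip()
        if line:
            licenses, rest = _leading_groups(line)
            name, coord = rest.rsplit(" (", 1)           # trailing (g:a:v - url)
            gav = coord.rstrip(")").partition(" - ")[0]
            yield gav, name, [LICENSE_MERGES.get(lic, lic) for lic in licenses]

def blacklisted(text, blacklist=BLACKLIST):
    """Map gav -> licenses for dependencies offering no license outside the blacklist."""
    # Dual-licensed entries (Logback: EPL or LGPL) pass; an entry with no license fails.
    return {gav: lic for gav, _, lic in parse_report(text) if set(lic) <= blacklist}
```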