转载

开源软件依赖License检测

开源软件的License是一个很重要的声明，这代表了软件是基于何种许可证向世人开放的，对于其的使用又需要遵循何种规则。

开源软件自身又会依赖其他的开源软件，而那些依赖又会有自己的License，所以对于依赖的License检查是非常重要的。因为有些License是不兼容的，比如一个基于Apache License的开源软件是不能包含一个依赖于GPLv3的库。

所以检查依赖的License就变得很重要。

如果你精通各类开源软件，看名字就知道软件对应的License和兼容性，那自然不需要其他辅助，但是大部分情况这个很难做到。

License Maven Plugin是一个专门处理这种问题的插件。对于任何一个maven项目，简单地运行

mvn license:add-third-party -Dlicense.useMissingFile -Dlicense.includeOptional=true

输出如下：

Lists of 67 third-party dependencies.  (BSD License) AntLR Parser Generator (antlr:antlr:2.7.7 – http://www.antlr.org/)  (Apache Software License 2.0) A Swiss Army Knife for OSGi (biz.aQute.bnd:bndlib:2.4.0 – http://www.aQute.biz/Code/Bnd/bndlib)  (Eclipse Public License – v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.1.7 – http://logback.qos.ch/logback-classic)  (Eclipse Public License – v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.1.7 – http://logback.qos.ch/logback-core)  (The BSD License) barchart-udt-bundle (com.barchart.udt:barchart-udt-bundle:2.3.0 – https://github.com/barchart/barchart-udt/wiki)  (The Apache Software License, Version 2.0) Guava: Google Core Libraries for Java (com.google.guava:guava:19.0 – https://github.com/google/guava/guava)  (GNU Lesser General Public License) checkstyle (com.puppycrawl.tools:checkstyle:6.16.1 – http://checkstyle.sourceforge.net/)  (The Apache Software License, Version 2.0) Apache Commons BeanUtils (commons-beanutils:commons-beanutils:1.9.2 – http://commons.apache.org/proper/commons-beanutils/)  (Apache License, Version 2.0) Apache Commons CLI (commons-cli:commons-cli:1.3.1 – http://commons.apache.org/proper/commons-cli/)  (The Apache Software License, Version 2.0) Commons Collections (commons-collections:commons-collections:3.2.1 – http://commons.apache.org/collections/)  (The Apache Software License, Version 2.0) Apache Commons Logging (commons-logging:commons-logging:1.2 – http://commons.apache.org/proper/commons-logging/)  (Apache License, Version 2.0) Netty/Buffer (io.netty:netty-buffer:4.1.34.Final-SNAPSHOT – http://netty.io/netty-buffer/)  (Apache License, Version 2.0) Netty/Build (io.netty:netty-build:22 – http://netty.io/)  (Apache License, Version 2.0) Netty/Codec (io.netty:netty-codec:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec/)  (Apache License, Version 2.0) Netty/Codec/DNS (io.netty:netty-codec-dns:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec-dns/)  (Apache License, Version 2.0) Netty/Codec/HAProxy (io.netty:netty-codec-haproxy:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec-haproxy/)  (Apache License, Version 2.0) Netty/Codec/HTTP (io.netty:netty-codec-http:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec-http/)  (Apache License, Version 2.0) Netty/Codec/HTTP2 (io.netty:netty-codec-http2:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec-http2/)  (Apache License, Version 2.0) Netty/Codec/Memcache (io.netty:netty-codec-memcache:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec-memcache/)  (Apache License, Version 2.0) Netty/Codec/MQTT (io.netty:netty-codec-mqtt:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec-mqtt/)  (Apache License, Version 2.0) Netty/Codec/Socks (io.netty:netty-codec-socks:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec-socks/)  (Apache License, Version 2.0) Netty/Codec/Stomp (io.netty:netty-codec-stomp:4.1.34.Final-SNAPSHOT – http://netty.io/netty-codec-stomp/)  (Apache License, Version 2.0) Netty/Common (io.netty:netty-common:4.1.34.Final-SNAPSHOT – http://netty.io/netty-common/)  (Apache License, Version 2.0) Netty/Handler (io.netty:netty-handler:4.1.34.Final-SNAPSHOT – http://netty.io/netty-handler/)  (Apache License, Version 2.0) Netty/Handler/Proxy (io.netty:netty-handler-proxy:4.1.34.Final-SNAPSHOT – http://netty.io/netty-handler-proxy/)  (Apache License, Version 2.0) Netty/Resolver (io.netty:netty-resolver:4.1.34.Final-SNAPSHOT – http://netty.io/netty-resolver/)  (Apache License, Version 2.0) Netty/Resolver/DNS (io.netty:netty-resolver-dns:4.1.34.Final-SNAPSHOT – http://netty.io/netty-resolver-dns/)  (Apache License, Version 2.0) Netty/Transport (io.netty:netty-transport:4.1.34.Final-SNAPSHOT – http://netty.io/netty-transport/)  (Apache License, Version 2.0) Netty/Transport/RXTX (io.netty:netty-transport-rxtx:4.1.34.Final-SNAPSHOT – http://netty.io/netty-transport-rxtx/)  (Apache License, Version 2.0) Netty/Transport/SCTP (io.netty:netty-transport-sctp:4.1.34.Final-SNAPSHOT – http://netty.io/netty-transport-sctp/)  (Apache License, Version 2.0) Netty/Transport/UDT (io.netty:netty-transport-udt:4.1.34.Final-SNAPSHOT – http://netty.io/netty-transport-udt/)  (Eclipse Public License 1.0) JUnit (junit:junit:4.12 – http://junit.org)  (The BSD License) ANTLR 4 Runtime (org.antlr:antlr4-runtime:4.5.2-1 – http://www.antlr.org/antlr4-runtime)  (Apache License, Version 2.0) Apache Commons Lang (org.apache.commons:commons-lang3:3.4 – http://commons.apache.org/proper/commons-lang/)  (Apache License, Version 2.0) Apache Felix Framework (org.apache.felix:org.apache.felix.framework:5.6.10 – http://felix.apache.org/org.apache.felix.framework/)  (New BSD License) Hamcrest Core (org.hamcrest:hamcrest-core:1.3 – https://github.com/hamcrest/JavaHamcrest/hamcrest-core)  (New BSD License) Hamcrest library (org.hamcrest:hamcrest-library:1.3 – https://github.com/hamcrest/JavaHamcrest/hamcrest-library)  (Apache License 2.0) (LGPL 2.1) (MPL 1.1) Javassist (org.javassist:javassist:3.20.0-GA – http://www.javassist.org/)  (Apache License, Version 2.0) Java Concurrency Tools Core Library (org.jctools:jctools-core:2.1.1 – https://github.com/JCTools)  (ALv2) OPS4J Base – IO (org.ops4j.base:ops4j-base-io:1.5.0 – http://team.ops4j.org/wiki/display/base/ops4j-base-io/)  (ALv2) OPS4J Base – Lang (org.ops4j.base:ops4j-base-lang:1.5.0 – http://team.ops4j.org/wiki/display/base/ops4j-base-lang/)  (ALv2) OPS4J Base – Monitors (org.ops4j.base:ops4j-base-monitors:1.5.0 – http://team.ops4j.org/wiki/display/base/ops4j-base-monitors/)  (ALv2) OPS4J Base – Net (org.ops4j.base:ops4j-base-net:1.5.0 – http://team.ops4j.org/wiki/display/base/ops4j-base-net/)  (ALv2) OPS4J Base – Service Provider Access (org.ops4j.base:ops4j-base-spi:1.5.0 – http://team.ops4j.org/wiki/display/base/ops4j-base-spi/)  (ALv2) OPS4J Base – Store (org.ops4j.base:ops4j-base-store:1.5.0 – http://team.ops4j.org/wiki/display/base/ops4j-base-store/)  (ALv2) OPS4J Base – Util – Property (org.ops4j.base:ops4j-base-util-property:1.5.0 – http://team.ops4j.org/wiki/display/base/ops4j-base-util-property/)  (Apache License, Version 2.0) OPS4J Pax Exam API (org.ops4j.pax.exam:pax-exam:4.13.0 – http://team.ops4j.org/wiki/display/paxexam/pax-exam/)  (Apache License, Version 2.0) OPS4J Pax Exam TestContainer Native (org.ops4j.pax.exam:pax-exam-container-native:4.13.0 – http://team.ops4j.org/wiki/display/paxexam/pax-exam-container-native/)  (Apache License, Version 2.0) OPS4J Pax Exam Driver JUnit4 (org.ops4j.pax.exam:pax-exam-junit4:4.13.0 – http://team.ops4j.org/wiki/display/paxexam/pax-exam-junit4/)  (Apache License, Version 2.0) OPS4J Pax Exam Links for Maven (org.ops4j.pax.exam:pax-exam-link-mvn:4.13.0 – http://team.ops4j.org/wiki/display/paxexam/pax-exam-link-mvn/)  (Apache License, Version 2.0) OPS4J Pax Exam UI Low Level SPI (org.ops4j.pax.exam:pax-exam-spi:4.13.0 – http://team.ops4j.org/wiki/display/paxexam/pax-exam-spi/)  (ALv2) OPS4J Pax Swissbox :: Bnd Utils (org.ops4j.pax.swissbox:pax-swissbox-bnd:1.8.2 – http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-bnd)  (ALv2) OPS4J Pax Swissbox :: OSGi Core (org.ops4j.pax.swissbox:pax-swissbox-core:1.8.2 – http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-core)  (ALv2) OPS4J Pax Swissbox :: Lifecycle (org.ops4j.pax.swissbox:pax-swissbox-lifecycle:1.8.2 – http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-lifecycle)  (ALv2) OPS4J Pax Swissbox :: Optional JCL (org.ops4j.pax.swissbox:pax-swissbox-optional-jcl:1.8.2 – http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-optional-jcl)  (ALv2) OPS4J Pax Swissbox :: Property (org.ops4j.pax.swissbox:pax-swissbox-property:1.8.2 – http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-property)  (ALv2) OPS4J Pax Swissbox :: Tracker (org.ops4j.pax.swissbox:pax-swissbox-tracker:1.8.2 – http://team.ops4j.org/wiki/display/PAXSB/pax-swissbox-tracker)  (ALv2) OPS4J Pax Tinybundles (org.ops4j.pax.tinybundles:tinybundles:2.1.1 – http://team.ops4j.org/wiki/display/ops4j/Tinybundles)  (ALv2) OPS4J Pax Url – aether: (org.ops4j.pax.url:pax-url-aether:2.4.5 – http://team.ops4j.org/wiki/display/paxurl/pax-url-aether)  (ALv2) OPS4J Pax Url – classpath: (org.ops4j.pax.url:pax-url-classpath:2.4.5 – http://team.ops4j.org/wiki/display/paxurl/pax-url-classpath)  (ALv2) OPS4J Pax Url – Commons (org.ops4j.pax.url:pax-url-commons:2.4.7 – http://team.ops4j.org/wiki/display/paxurl/pax-url-commons)  (ALv2) OPS4J Pax Url – link: (org.ops4j.pax.url:pax-url-link:2.4.5 – http://team.ops4j.org/wiki/display/paxurl/pax-url-link)  (ALv2) OPS4J Pax Url – wrap: (org.ops4j.pax.url:pax-url-wrap:2.4.7 – http://team.ops4j.org/wiki/display/paxurl/pax-url-wrap)  (Apache License, Version 2.0) org.osgi.core (org.osgi:org.osgi.core:6.0.0 – http://www.osgi.org)  (GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.) RXTX serial and parallel I/O libraries (org.rxtx:rxtx:2.1.7 – http://www.rxtx.org)  (MIT License) JCL 1.1.1 implemented over SLF4J (org.slf4j:jcl-over-slf4j:1.6.6 – http://www.slf4j.org)  (MIT License) SLF4J API Module (org.slf4j:slf4j-api:1.7.21 – http://www.slf4j.org)

对于需要检测License兼容性地情况，可以直接配置黑名单，当新增属于黑名单License的依赖的时候可以快速被CI工具检测出来。

原文 https://www.huangyunkun.com/2019/04/04/opensource-license-check/

正文到此结束