Finding out the licenses of JAR libraries

java maven-2 licensing jar identification

11,483

Solution 1

The Maven "Project Info Reports" plugin produces a Dependencies report that includes the Licenses for the dependencies. Here's an example.

Obviously, this depends on the dependent POMs declaring their dependencies properly, and it requires that you build your site documentation "online".

Solution 2

During the acquisition of a company I was working for, the acquiring company used the following software / consultancy to do what you're describing.

http://www.blackducksoftware.com/transact

Although I'm guessing you were probably looking for a free alternative. There may be other methods, but the fact this company makes money doing this suggests an alternative is probably less thorough/accurate.

Solution 3

I also find this website (https://www.versioneye.com) provides license info. For instance, https://www.versioneye.com/java/tomcat:jasper-runtime/5.5.23 says License: Apache License 2.0

October 19, 2017

I’m shutting down VersionEye by end of this year!

I started the project round about 6 years ago and so far it was a journey with many ups and downs. The typical StartUp rollercoaster thing. I raised Money from a big VC in Berlin and almost went bankrupt after that. Raised Money again from small Angel Investors to prevent bankruptcy. Won one of the biggest Software companies in the world as customer and established a stable income for the company.

Solution 4

A free alternative for a license scanner is the "scancode-toolkit". It is able to scan your codebase for copyright information, license texts etc.

But like @Stephen C mentioned in his answer, it won't be always able to detect the license for a dependency.

https://github.com/nexB/scancode-toolkit

View more solutions

11,483

Author by

Prabhu R

A programmer at heart. Interests include C++, Spring Framework, HTML5, CSS3, JavaScript Frameworks

Updated on June 04, 2022

Comments

Prabhu R almost 2 years

I use Maven to build my web app projects, when I add some dependent library to the pom file, it again adds some more dependent jars to the project recursively. Is there a way to find out or restrict that only jars having a certain type of license - say Apache License, BSD etc should be included. Or is there a way to find out that a jar file is under GPL/ASL etc without going to the website for each jar in the application?
Prabhu R over 13 years

Yes, a free alternative will be great!
Prabhu R over 13 years

Thanks Stephen, this is what I exactly wanted. Though some of the libraries are under unknown, but I can live with it :)
hasgarion over 6 years

unfortunately versioneye is going to shut down their service in early 2018, but their API was great
Denis.Sabolotni about 5 years

A free alternative would be "scancode-toolkit". You can find it on Github: github.com/nexB/scancode-toolkit