RE: License Auditing

2015-10-11 Thread Gary O'Neall
Hi Jim,

Although it does not directly address your needs for license auditing, there is
a plugin to produce SPDX documents containing detailed licensing information as
part of a Maven goal.  Many of the scanning tools such as FOSSology are
generating (or planning to generate) SPDX documents (the version of FOSSology
to generate SPDX is currently in beta).  There are also a few commercial tools
which generate SPDX.

By using the plugin, you could use a scanning tool which supports SPDX and the
plugin to capture and maintain the licensing information.  SPDX currently
maintains license information down to the source file level and maintains
information on relationships to dependencies.  We are planning to support
licensing information down to the code snippet level in release 2.1 of the
spec.

The plugin is in an "alpha" state and could use a bit more user testing before
being broadly deployed.  The project is hosted on github at
https://github.com/goneall/spdx-maven-plugin.

Information on SPDX can be found at http://spdx.org/ and a list of tools that
support SPDX can be found at http://spdx.org/tools

Please let me know if you would like more information or have any feedback on
this approach.

Thanks,
Gary O'Neall


From: Jim Klo [mailto:jim@sri.com] 
Sent: Monday, September 28, 2015 9:13 AM
To: Maven Users List
Subject: License Auditing

 

Hi, 

Looking for some guidance on doing some source license auditing.  My needs are 
two fold.  I need to track down all the licenses of all our dependencies, which 
there seems to be an abundance of plugins. But I also need to audit the 
licenses of our committed source, as many come from open and non-open projects, 
I need to track the individual files as well.

I’ve started by using Apache RAT [1], which seems to be okay for auditing the 
source, but given that we have a significant number of modules, configuration 
of RAT is somewhat a pain (I have a bunch of custom license definitions and 
matchers) which seem to have to be added to every POM file (doesn’t like going 
into the parent POM likely because of the way we are  using Tycho).

Can anyone recommend a plugin that might be better for my use case?  I’d like 
to be able to have a single config file (or artifact) that contains the license 
declarations, and then be able to reference that from all my modules.  The 
Codehaus License Maven Plugin [2] seems close to what I want, but I can’t seem 
to figure out how to get it to show me files that are missing license headers 
or even show me a per file license summary.  If anyone can point me to some 
examples or tutorials that explain this that would be much appreciated.

[1] http://creadur.apache.org/rat/apache-rat-plugin/examples/custom-license.html

[2] http://www.mojohaus.org/license-maven-plugin/examples/example-thirdparty.html

Thanks, 

JK 

Jim Klo 
Senior Software Engineer 
Center for Software Engineering 
SRI International 
t.  @nsomnac 

 



RE: License Auditing

2015-10-06 Thread Sander Verhagen
Hi Jim,


Another suggestion, FWIW: our organization is using 
WhiteSource<http://www.whitesourcesoftware.com/>. We have it hooked into 
TeamCity, but they also have a Maven 
plugin<https://github.com/whitesource/maven-plugin> (although seemingly not 
very actively maintained).

As the Maven advocate in our organization, I had first set us up with listings 
from the license-maven-plugin. I’m hearing that WhiteSource is giving us better 
insights. I do not know if it goes into the detail that you need. And I have no 
stakes in WhiteSource either ☺

Best regards, Sander.



Sander Verhagen
[ san...@sanderverhagen.net ]

From: Jim Klo [mailto:jim@sri.com]
Sent: Tuesday, October 06, 2015 8:52
To: Maven Users List 
Subject: Re: License Auditing

Thanks,

We’re an Artifactory shop - so no Nexus - however Artifactory Pro has a 
comparable feature.  The issue really though is that the license management I 
need is more granular than either solution offers. From what I can tell from 
their documentation, Nexus and Artifactory both manage licensing at the 
artifact level (source and binaries) not really the individual file level. Both 
seem to rely upon a license declaration to be present for each module and not 
necessarily look at the individual license headers within source files.

Jim Klo
Senior Software Engineer
Center for Software Engineering
SRI International
t.  @nsomnac

On Oct 6, 2015, at 7:09 AM, kemet.ctr.uh...@faa.gov wrote:

Hello Mark,

Nexus Pro Plus has that feature:  
http://www.sonatype.com/nexus/product-overview/nexus-pro-plus

Best Regards,

G Kemet Uhuru, PMP(r), SSGBP
SWIM COTSWG/SFDPS SW CM Lead
Communications, Information & Network Programs, Enterprise Product Support, 
AJM-3122
Engility Corporation-Engineering & Program Support Services
William J. Hughes Technical Center
Building 316 Second Floor Cubicle 2N131 (E-13)
Atlantic City International Airport, NJ 08405
Office Phone: 609-485-6154
Cell Phone: 609-254-6876



How many times per day do you say "like or you know" ?

http://sixminutes.dlugan.com/stop-um-uh-filler-words/

Don't make excusesMake Time!




Re: License Auditing

2015-10-06 Thread Jim Klo
Thanks,

We’re an Artifactory shop - so no Nexus - however Artifactory Pro has a 
comparable feature.  The issue really though is that the license management I 
need is more granular than either solution offers. From what I can tell from 
their documentation, Nexus and Artifactory both manage licensing at the 
artifact level (source and binaries) not really the individual file level. Both 
seem to rely upon a license declaration to be present for each module and not 
necessarily look at the individual license headers within source files.

Jim Klo
Senior Software Engineer
Center for Software Engineering
SRI International
t.  @nsomnac

> On Oct 6, 2015, at 7:09 AM, kemet.ctr.uh...@faa.gov wrote:
> 
> Hello Mark,
> 
> Nexus Pro Plus has that feature:  
> http://www.sonatype.com/nexus/product-overview/nexus-pro-plus
> 
> Best Regards,
> 
> G Kemet Uhuru, PMP(r), SSGBP
> SWIM COTSWG/SFDPS SW CM Lead
> Communications, Information & Network Programs, Enterprise Product Support, 
> AJM-3122
> Engility Corporation-Engineering & Program Support Services
> William J. Hughes Technical Center
> Building 316 Second Floor Cubicle 2N131 (E-13)
> Atlantic City International Airport, NJ 08405
> Office Phone: 609-485-6154
> Cell Phone: 609-254-6876
> 
> 
> 
> How many times per day do you say "like or you know" ?
> 
> http://sixminutes.dlugan.com/stop-um-uh-filler-words/
> 
> Don't make excusesMake Time!



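Jim's distinction above (artifact-level license declarations versus per-file headers) in code, as an added example that is not part of the thread or of any tool mentioned in it: a lookup of the `<licenses>` declared in each dependency's POM, with the POMs laid out in Maven local-repository form. It goes one step beyond the message by following `<parent>` inheritance, because a POM that declares no `<licenses>` inherits its parent's, and a check that stops at the artifact's own POM would report such artifacts as unlicensed. The POMs, the coordinates (including `net.missing:nothere:0.1`, which is deliberately absent from the repository) and the `MAX_PARENT_DEPTH` cap are constructed for the example; the script writes the sample repository into a temporary directory so it runs offline.

```python
"""Artifact-level license lookup from POM <licenses>, following parent inheritance (added example)."""
from __future__ import annotations
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

MAX_PARENT_DEPTH = 10  # assumed cap so a malformed parent cycle cannot recurse forever


def _local(tag: str) -> str:
    """Strip the namespace so POMs with and without xmlns="http://maven.apache.org/POM/4.0.0" parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child(el: ET.Element | None, name: str) -> ET.Element | None:
    if el is not None:
        for c in el:
            if _local(c.tag) == name:
                return c
    return None


def _text(el: ET.Element | None, name: str) -> str | None:
    c = _child(el, name)
    return c.text.strip() if c is not None and c.text else None


def pom_path(repo: Path, group: str, artifact: str, version: str) -> Path:
    """Maven local-repository layout: groupId dots become directories, then artifactId/version/."""
    return repo.joinpath(*group.split("."), artifact, version, f"{artifact}-{version}.pom")


def declared_licenses(repo: Path, group: str, artifact: str, version: str,
                      depth: int = 0) -> tuple[list[str], str | None]:
    """Return (license names, GAV of the POM that declared them).

    A POM with no <licenses> inherits its parent's, so checking only the artifact's own POM
    under-reports; this walks the parent chain.  ([], None) means nothing was found anywhere,
    including the case where the POM is not in the repository at all.
    """
    if depth > MAX_PARENT_DEPTH or not all((group, artifact, version)):
        return [], None
    path = pom_path(repo, group, artifact, version)
    if not path.is_file():
        return [], None
    root = ET.parse(path).getroot()
    licenses = _child(root, "licenses")
    names = [_text(lic, "name") for lic in licenses if _local(lic.tag) == "license"] if licenses is not None else []
    names = [n for n in names if n]
    if names:
        return names, f"{group}:{artifact}:{version}"
    parent = _child(root, "parent")
    if parent is None:
        return [], None
    return declared_licenses(repo, _text(parent, "groupId"), _text(parent, "artifactId"),
                             _text(parent, "version"), depth + 1)


def audit_dependencies(repo: Path, gavs: list[tuple[str, str, str]]) -> dict[str, tuple[list[str], str | None]]:
    """Per-dependency report keyed by GAV; an empty name list is what an artifact-level tool would flag."""
    return {f"{g}:{a}:{v}": declared_licenses(repo, g, a, v) for g, a, v in gavs}


# Constructed POMs (not real artifacts): a parent that declares a license, a child that only
# inherits it, an artifact with two declared licenses, and one that declares nothing at all.
SAMPLE_POMS = {
    ("org.example", "parent", "1.0"): '<project xmlns="http://maven.apache.org/POM/4.0.0">'
        '<groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0</version>'
        '<licenses><license><name>Apache License, Version 2.0</name></license></licenses></project>',
    ("org.example", "child-lib", "1.0"): '<project xmlns="http://maven.apache.org/POM/4.0.0">'
        '<parent><groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0</version></parent>'
        '<artifactId>child-lib</artifactId></project>',
    ("com.acme", "dual", "1.1"): '<project><groupId>com.acme</groupId><artifactId>dual</artifactId>'
        '<version>1.1</version><licenses><license><name>MIT License</name></license>'
        '<license><name>GPL-2.0</name></license></licenses></project>',
    ("com.acme", "orphan", "2.3"): '<project><groupId>com.acme</groupId><artifactId>orphan</artifactId>'
        '<version>2.3</version></project>',
}


def run_demo() -> dict[str, tuple[list[str], str | None]]:
    """Lay the sample POMs out in a temp repository and audit a dependency list that also names
    one artifact (net.missing:nothere:0.1) that is not in the repository."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        for (g, a, v), xml in SAMPLE_POMS.items():
            p = pom_path(repo, g, a, v)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(xml, encoding="utf-8")
        return audit_dependencies(repo, [("org.example", "child-lib", "1.0"), ("com.acme", "dual", "1.1"),
                                         ("com.acme", "orphan", "2.3"), ("net.missing", "nothere", "0.1")])


if __name__ == "__main__":
    for gav, (names, source) in run_demo().items():
        where = f"  (declared in {source})" if source else ""
        print(f"{gav:32} {', '.join(names) or 'NO LICENSE DECLARED'}{where}")
```

The report shows what such a check can and cannot see: `child-lib` is correctly attributed to its parent's declaration, while `orphan` and the missing artifact come back empty, and nothing here looks inside the artifact's sources, which is exactly the granularity gap Jim describes.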



RE: License Auditing

2015-10-06 Thread Kemet.CTR.Uhuru
Hello Mark,

Nexus Pro Plus has that feature:  
http://www.sonatype.com/nexus/product-overview/nexus-pro-plus

Best Regards,

G Kemet Uhuru, PMP(r), SSGBP
SWIM COTSWG/SFDPS SW CM Lead
Communications, Information & Network Programs, Enterprise Product Support, 
AJM-3122
Engility Corporation-Engineering & Program Support Services
William J. Hughes Technical Center
Building 316 Second Floor Cubicle 2N131 (E-13)
Atlantic City International Airport, NJ 08405
Office Phone: 609-485-6154
Cell Phone: 609-254-6876



How many times per day do you say "like or you know" ?

http://sixminutes.dlugan.com/stop-um-uh-filler-words/

Don't make excusesMake Time!


-Original Message-
From: Mark H. Wood [mailto:mw...@iupui.edu] 
Sent: Tuesday, October 06, 2015 9:41 AM
To: users@maven.apache.org
Subject: Re: License Auditing

Doesn't the pro version of Nexus do license auditing and analysis?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: License Auditing

2015-10-06 Thread Mark H. Wood
Doesn't the pro version of Nexus do license auditing and analysis?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: License Auditing

2015-10-05 Thread Jim Klo
Thanks Curtis,

I believe you’re correct - there really exists no perfect solution doing 
continuous license management using maven, beyond some really basic stuff. 
Almost all of what exists in maven land seems to only deal with homogenous 
licensing of a module and management of module dependencies, which is likely a 
good 80% of what most need to manage. However there is a growing pattern of 
pulling small pieces of code from disparate sources (especially so at a 
research institution such as where I am) - hence there is a need to dig down 
into each file and manage each file separately - but at the same time, you need 
to have a global view across the enterprise.

So far what I’ve found FOSSology [1] which centralizes about 80% of the work I 
need, however there’s really no direct maven integration other than via exec.  
I could see possibly using a combination of approaches:
1) RAT or maven-license-plugin to ID files that just identifies missing 
licenses
2) FOSSology to generate reports and manage exceptions

However there’s no real middle ground between the two in that I really need the 
DB from FOSSology to influence RAT or the maven-license-plugin. Maybe the ideal 
thing is to figure out a way to build a maven plugin for FOSSology… 

- JK

[1] http://www.fossology.org/projects/fossology

> On Oct 5, 2015, at 2:26 PM, Curtis Rueden  wrote:
> 
> Hi Jim,
> 
> I struggled with licensing-related tooling too when I researched it awhile
> back—and my needs were simpler than yours. We ended up using
> license-maven-plugin to programmatically manage license headers of all our
> sources, with a single header with unified copyright date range and
> contributors list, which made things much easier. It sounds like your
> licensing situation is substantially more heterogeneous.
> 
> I do not know of any excellent licensing-related tutorials for license
> management, auditing or both. Maybe you could take the bull by the horns
> and write a guide somewhere? It would surely be of great benefit to the
> Maven community.
> 
> Regards,
> Curtis
> 
> On Mon, Sep 28, 2015 at 11:13 AM, Jim Klo  wrote:
> 
>> Hi,
>> 
>> Looking for some guidance on doing some source license auditing.  My needs
>> are two fold.  I need to track down all the licenses of all our
>> dependencies, which there seems to be an abundance of plugins. But I also
>> need to audit the licenses of our committed source, as many come from open
>> and non-open projects, I need to track the individual files as well.
>> 
>> I’ve started by using Apache RAT [1], which seems to be okay for auditing
>> the source, but given that we have a significant number of modules,
>> configuration of RAT is somewhat a pain (I have a bunch of custom license
>> definitions and matchers) which seem to have to be added to every POM file
>> (doesn’t like going into the parent POM likely because of the way we are
>> using Tycho).
>> 
>> Can anyone recommend a plugin that might be better for my use case?  I’d
>> like to be able to have a single config file (or artifact) that contains
>> the license declarations, and then be able to reference that from all my
>> modules.  The Codehaus License Maven Plugin [2] seems close to what I want,
>> but I can’t seem to figure out how to get it to show me files that are
>> missing license headers or even show me a per file license summary.  If
>> anyone can point me to some examples or tutorials that explain this that
>> would be much appreciated.
>> 
>> [1]
>> http://creadur.apache.org/rat/apache-rat-plugin/examples/custom-license.html
>> [2]
>> http://www.mojohaus.org/license-maven-plugin/examples/example-thirdparty.html
>> 
>> Thanks,
>> 
>> JK
>> 
>> Jim Klo
>> Senior Software Engineer
>> Center for Software Engineering
>> SRI International
>> t. @nsomnac
>> 
>> 




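A worked version of the per-file side of the problem, as an added example rather than code from the thread, from RAT, license-maven-plugin, FOSSology or the SPDX tooling Gary describes: it scans a source tree, classifies each file's header into an SPDX identifier, produces the per-file summary and the list of files with no recognisable header that Jim wanted from a plugin, and emits the findings as SPDX tag-value File sections of the kind Gary says SPDX maintains down to the file level. The header phrases, the `HEADER_LINES` window, the audited suffixes, the document namespace and the sample files are all assumptions constructed for the example; the script writes the sample tree into a temporary directory so it runs offline.

```python
"""Per-file license-header audit that also emits an SPDX tag-value summary (added example)."""
from __future__ import annotations
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

HEADER_LINES = 30                                      # assumed: only the top of a file is its header
SOURCE_SUFFIXES = {".java", ".py", ".c", ".h", ".js"}  # assumed set of audited file types
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([^\s*/]+)")


def classify_header(header: str) -> str | None:
    """SPDX identifier for a file header, or None when no known license text is present.

    An explicit SPDX tag wins.  The phrase patterns are assumptions for illustration; LGPL text is
    deliberately unmatched (it lacks the literal "GNU General Public License"), so it gets flagged.
    """
    m = SPDX_TAG.search(header)
    if m:
        return m.group(1)
    if re.search(r"Licensed under the Apache License,? Version 2\.0", header, re.I):
        return "Apache-2.0"
    m = re.search(r"GNU General Public License.{0,120}?version (\d)", header, re.I | re.S)
    if m:
        suffix = "or-later" if re.search(r"any later version", header, re.I) else "only"
        return f"GPL-{m.group(1)}.0-{suffix}"
    if re.search(r"Permission is hereby granted, free of charge", header, re.I):
        return "MIT"
    if re.search(r"Redistribution and use in source and binary forms", header, re.I):
        # The no-endorsement clause is what makes a BSD license 3-clause rather than 2-clause.
        return "BSD-3-Clause" if re.search(r"neither the name", header, re.I) else "BSD-2-Clause"
    return None


def read_header(path: Path) -> str:
    """First HEADER_LINES lines only; a license mentioned deeper in the file is not its header."""
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        return "".join(line for _, line in zip(range(HEADER_LINES), fh))


def audit_tree(root: Path) -> dict[str, str | None]:
    """Map each audited file (POSIX path relative to root) to its SPDX id, or None if unrecognised."""
    return {p.relative_to(root).as_posix(): classify_header(read_header(p))
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix in SOURCE_SUFFIXES}


def summarize(results: dict[str, str | None]) -> tuple[Counter, list[str]]:
    """Per-license counts (unrecognised files counted as NONE) plus the sorted list of those files."""
    counts = Counter(lic or "NONE" for lic in results.values())
    return counts, sorted(f for f, lic in results.items() if lic is None)


def to_spdx_tag_value(root: Path, results: dict[str, str | None], name: str = "example") -> str:
    """Minimal SPDX 2.1 tag-value document with one File section per audited file.

    LicenseInfoInFile is what the scan found (NONE if nothing); LicenseConcluded stays NOASSERTION
    because concluding a license is a human decision.  Namespace is an assumed placeholder.
    """
    lines = ["SPDXVersion: SPDX-2.1", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
             f"DocumentName: {name}", f"DocumentNamespace: http://example.invalid/spdx/{name}", ""]
    for i, (rel, lic) in enumerate(sorted(results.items())):
        sha1 = hashlib.sha1((root / rel).read_bytes()).hexdigest()
        lines += [f"FileName: ./{rel}", f"SPDXID: SPDXRef-File-{i}", f"FileChecksum: SHA1: {sha1}",
                  "LicenseConcluded: NOASSERTION", f"LicenseInfoInFile: {lic or 'NONE'}", ""]
    return "\n".join(lines)


# Constructed sample tree (not real project files): one header of each kind plus two that must be flagged.
SAMPLE_FILES = {
    "src/main/java/App.java": '/*\n * Licensed under the Apache License, Version 2.0 (the "License");\n */\n',
    "src/main/c/util.c": "/* This program is free software; you can redistribute it and/or modify it\n"
                         " * under the terms of the GNU General Public License as published by the\n"
                         " * Free Software Foundation; either version 2 of the License, or (at your\n"
                         " * option) any later version. */\nint util(void) { return 0; }\n",
    "src/main/js/widget.js": "// Permission is hereby granted, free of charge, to any person obtaining\n",
    "src/main/c/vendor.h": "/* Redistribution and use in source and binary forms, with or without\n"
                           " * modification, are permitted ... Neither the name of the author ... */\n",
    "src/tools/gen.py": "# SPDX-License-Identifier: MIT\nprint('hi')\n",
    # A license mention past the header window does not count: this file is reported as NONE.
    "src/vendor/snippet.c": "\n".join(["int v;"] * 35) + "\n/* GNU General Public License version 3 */\n",
    "src/main/java/Untagged.java": "public class Untagged {}\n",
    "README.txt": "not an audited file type, skipped\n",
}


def run_demo() -> tuple[dict[str, str | None], Counter, list[str], str]:
    """Write the sample tree to a temp dir, audit it, and return results, counts, flagged files, SPDX text."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        results = audit_tree(root)
        counts, missing = summarize(results)
        return results, counts, missing, to_spdx_tag_value(root, results)


if __name__ == "__main__":
    results, _counts, missing, spdx = run_demo()
    print(*(f"{lic or 'NONE':18} {rel}" for rel, lic in results.items()), sep="\n")
    print("\nflagged:", missing, "\n\n" + spdx)
```

Running it prints the per-file table, the flagged files and the SPDX text. The deliberate limitation is that `LicenseConcluded` is always `NOASSERTION`: a regex match on a header is evidence, not a conclusion, and the exception management Jim describes doing in FOSSology is where that field would be decided. Anything the patterns do not recognise (LGPL text, a custom institutional header) lands in the flagged list rather than being guessed, which is the safe failure mode for an audit.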

Re: License Auditing

2015-10-05 Thread Curtis Rueden
Hi Jim,

I struggled with licensing-related tooling too when I researched it awhile
back—and my needs were simpler than yours. We ended up using
license-maven-plugin to programmatically manage license headers of all our
sources, with a single header with unified copyright date range and
contributors list, which made things much easier. It sounds like your
licensing situation is substantially more heterogeneous.

I do not know of any excellent licensing-related tutorials for license
management, auditing or both. Maybe you could take the bull by the horns
and write a guide somewhere? It would surely be of great benefit to the
Maven community.

Regards,
Curtis

On Mon, Sep 28, 2015 at 11:13 AM, Jim Klo  wrote:

> Hi,
>
> Looking for some guidance on doing some source license auditing.  My needs
> are two fold.  I need to track down all the licenses of all our
> dependencies, which there seems to be an abundance of plugins. But I also
> need to audit the licenses of our committed source, as many come from open
> and non-open projects, I need to track the individual files as well.
>
> I’ve started by using Apache RAT [1], which seems to be okay for auditing
> the source, but given that we have a significant number of modules,
> configuration of RAT is somewhat a pain (I have a bunch of custom license
> definitions and matchers) which seem to have to be added to every POM file
> (doesn’t like going into the parent POM likely because of the way we are
>  using Tycho).
>
> Can anyone recommend a plugin that might be better for my use case?  I’d
> like to be able to have a single config file (or artifact) that contains
> the license declarations, and then be able to reference that from all my
> modules.  The Codehaus License Maven Plugin [2] seems close to what I want,
> but I can’t seem to figure out how to get it to show me files that are
> missing license headers or even show me a per file license summary.  If
> anyone can point me to some examples or tutorials that explain this that
> would be much appreciated.
>
> [1]
> http://creadur.apache.org/rat/apache-rat-plugin/examples/custom-license.html
> [2]
> http://www.mojohaus.org/license-maven-plugin/examples/example-thirdparty.html
>
> Thanks,
>
> JK
>
> Jim Klo
> Senior Software Engineer
> Center for Software Engineering
> SRI International
> t. @nsomnac
>
>


License Auditing

2015-09-28 Thread Jim Klo
Hi,

Looking for some guidance on doing some source license auditing.  My needs are 
two fold.  I need to track down all the licenses of all our dependencies, which 
there seems to be an abundance of plugins. But I also need to audit the 
licenses of our committed source, as many come from open and non-open projects, 
I need to track the individual files as well.

I’ve started by using Apache RAT [1], which seems to be okay for auditing the 
source, but given that we have a significant number of modules, configuration 
of RAT is somewhat a pain (I have a bunch of custom license definitions and 
matchers) which seem to have to be added to every POM file (doesn’t like going 
into the parent POM likely because of the way we are  using Tycho).

Can anyone recommend a plugin that might be better for my use case?  I’d like 
to be able to have a single config file (or artifact) that contains the license 
declarations, and then be able to reference that from all my modules.  The 
Codehaus License Maven Plugin [2] seems close to what I want, but I can’t seem 
to figure out how to get it to show me files that are missing license headers 
or even show me a per file license summary.  If anyone can point me to some 
examples or tutorials that explain this that would be much appreciated.

[1] http://creadur.apache.org/rat/apache-rat-plugin/examples/custom-license.html
[2] http://www.mojohaus.org/license-maven-plugin/examples/example-thirdparty.html

Thanks,

JK

Jim Klo
Senior Software Engineer
Center for Software Engineering
SRI International
t.  @nsomnac


