This maven plugin shows dependencies of a project and metadata including license information, either as a detailed tree, a summary tree, a detailed list, or a CSV formatted text file. The last one, and some of the options, are designed to facilitate making the types of spreadsheets and reports big companies typically want.
It's also useful -- the summary tree in particular -- to debug version conflict woes, making it easy to see where different versions are coming from. An irritation with mvn dependency:tree is that it only lists each dependency once, where it is actually pulled in; other items which depend on it are suppressed.

It quickly gets very complicated; this seems to work nicely even on a big project, but there may be bugs.
Note this requires Maven version 3.1.
This project is not currently uploaded to maven central, so you'll need to download it and then
mvn clean install
Note Java 8 is required (only for tests to run). After a successful run it should be ready for use.
To run the plugin and show dependency information, once it's installed, simply go to the directory of the project you're interested in, and run:
mvn org.heneveld.maven:license-audit-maven-plugin:report
This generates a detailed tree view of the project and all the dependencies (transitive) which will be bundled with it. For each, license information and project authors/URL info is included, a summary explanation of every dependency it declares, and detail of those dependencies which maven/aether deems "pulled in" by this node. (Where a dependency is referenced in multiple places, it is "pulled in" by exactly one referent, usually the first, as shown by mvn dependency:tree.)
This tree looks like:
org.heneveld.maven:license-audit-maven-plugin:1.0-SNAPSHOT
Name: license-audit-maven-plugin Maven Plugin
License: ASL2
URL: http://maven.apache.org
Dependencies:
org.apache.maven:maven-compat:jar:3.3.3 (compile, included, detail below)
...
org.codehaus.plexus:plexus-utils:jar:3.0.15 (compile, included, detail below)
org.apache.maven:maven-core:jar:3.3.3 (compile, included, detail below)
...
junit:junit:jar:4.8.2 (test, excluded from report)
Dependencies pulled in here detail:
+-org.apache.maven:maven-compat:3.3.3
| ...
| Dependencies:
| org.apache.maven:maven-model:jar:3.3.3 (compile, included, detail below)
| org.codehaus.plexus:plexus-utils:jar:3.0.20 (compile, version 3.0.15 included, from org.heneveld.maven:license-audit-maven-plugin:1.0-SNAPSHOT)
| ...
| Dependencies pulled in here detail:
| +-org.apache.maven:maven-model:3.3.3
| | ...
:
+-org.codehaus.plexus:plexus-utils:3.0.15
| ...
+-org.apache.maven:maven-core:3.3.3
| ...
| Dependencies:
| org.apache.maven:maven-model:jar:3.3.3 (compile, included, from org.apache.maven:maven-compat:3.3.3)
| org.apache.maven:maven-settings-builder:jar:3.3.3 (compile, included, detail below)
| ...
| Dependencies pulled in here detail:
| +-org.apache.maven:maven-settings-builder:3.3.3
| | ...
:
You can also create a summary tree giving one-line info for each dependency, merging the info of the detail tree so that all included dependencies are shown, each expanded only once, where it is pulled in. This example creates such a tree with all dependencies in scope at the root, including those which won't be bundled (test, provided, and runtime), without license information, and with info on optional dependencies in dependent projects:
mvn org.heneveld.maven:license-audit-maven-plugin:report \
-Dformat=summary \
-DincludeDependencyScopes=all \
-DsuppressLicenseInfo=true \
-DlistUnusedNestedOptionalDependencies=true
It's like mvn dependency:tree on steroids, much terser than tree (or list) but giving much of the same information once you know how to read it.
The output looks like this:
org.heneveld.maven:license-audit-maven-plugin:1.0-SNAPSHOT
+-org.apache.maven:maven-compat:3.3.3 (compile)
| +-org.apache.maven:maven-model:3.3.3 (compile)
| | +-org.codehaus.plexus:plexus-utils:3.0.20 (compile, v 3.0.15 used)
| | +-junit:junit:4.11 (test, v 4.8.2 used)
| :
:
+-org.codehaus.plexus:plexus-utils:3.0.15 (compile)
:
+-org.apache.maven:maven-core:3.3.3 (compile)
| +-org.apache.maven:maven-model:3.3.3 (compile, reported above)
| +-org.apache.maven:maven-settings-builder:3.3.3 (compile)
| | ...
:
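As an added example (not part of the plugin or this README), here is a small Python parser for the summary tree format shown above: it walks the "+-" / "| " nesting and pulls out every row annotated "(..., v X used)", reporting the requested version, the version Maven actually used, the scope, and the chain of parents that led there. It assumes the output looks exactly like the excerpt above (that excerpt is embedded as a constructed sample string); this is the quickest way to spot a transitive dependency that asked for a newer, possibly patched, version but lost mediation to an older one.

```python
import re
from collections import namedtuple

# Constructed sample input: the summary-tree excerpt shown above in this README.
SAMPLE_SUMMARY = """\
org.heneveld.maven:license-audit-maven-plugin:1.0-SNAPSHOT
+-org.apache.maven:maven-compat:3.3.3 (compile)
| +-org.apache.maven:maven-model:3.3.3 (compile)
| | +-org.codehaus.plexus:plexus-utils:3.0.20 (compile, v 3.0.15 used)
| | +-junit:junit:4.11 (test, v 4.8.2 used)
| :
:
+-org.codehaus.plexus:plexus-utils:3.0.15 (compile)
:
+-org.apache.maven:maven-core:3.3.3 (compile)
| +-org.apache.maven:maven-model:3.3.3 (compile, reported above)
| +-org.apache.maven:maven-settings-builder:3.3.3 (compile)
| | ...
"""
# One mediated conflict: requested vs used version, scope, and ancestor chain from root.
Conflict = namedtuple("Conflict", "artifact requested used scope path")
# A dependency row: optional "| " nesting prefix, "+-", group:artifact:version, "(notes)".
NODE_RE = re.compile(r"^(?P<prefix>(?:\| )*)\+-(?P<ga>[^:\s]+:[^:\s]+):(?P<version>\S+)"
                     r"(?: \((?P<notes>[^)]*)\))?$")
USED_RE = re.compile(r"^v (\S+) used$")   # the "v 3.0.15 used" annotation

def find_version_conflicts(summary_text):
    """Return a Conflict for every row the summary tree annotates ', v X used',
    i.e. every node whose declared version lost Maven's version mediation."""
    conflicts, stack = [], []                # stack: ancestor coordinates, index == depth
    for raw in summary_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NODE_RE.match(line)
        if m is None:
            if not stack and not line.startswith(("+-", "|", ":")):
                stack = [line]               # first plain line is the root project
            continue                         # ":" and "..." elision rows carry no node
        depth = len(m.group("prefix")) // 2 + 1   # root is depth 0
        del stack[depth:]                    # leaving a subtree pops its ancestors
        notes = [n.strip() for n in (m.group("notes") or "").split(",") if n.strip()]
        scope = notes[0] if notes else ""
        for note in notes[1:]:
            used = USED_RE.match(note)
            if used:
                conflicts.append(Conflict(m.group("ga"), m.group("version"),
                                          used.group(1), scope, tuple(stack)))
        stack.append(f"{m.group('ga')}:{m.group('version')}")
    return conflicts
```

Feed it the saved output of the -Dformat=summary run (or pipe it in) and each Conflict's path tells you which ancestor declared the losing version.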
Here's a syntax for generating a CSV report to a file, omitting any mention of dependencies which are not bundled, and preferring certain licenses for reporting purposes when products are dual- or multi-licensed:
mvn org.heneveld.maven:license-audit-maven-plugin:report \
-Dformat=csv \
-DlistDependencyIdOnly=true \
-DsuppressExcludedDependencies=true \
-DlicensesPreferred=ASL2,ASL,EPL1,BSD-2-Clause,BSD-3-Clause \
-DoutputFile=dependencies-licenses.csv
If you're generating a report for a project used as a dependency instead of as a binary, you would normally also add -DsuppressExcludedDependencies=true (because the optional dependencies won't be transitively required).
The following report types are supported:
- tree - a fairly detailed tree view of all dependencies
- summary - a summary tree with one line for each dependency; similar to mvn dependency:tree, but showing more useful info and explicitly showing dependencies everywhere they are referenced
- report - even more detail of each dependency, listed one after the other (no tree structure)
- list - one line on each dependency, listed one after the other (no tree structure)
- csv - a comma-separated-values file with all details from report, suitable for importing into a spreadsheet
- sorted-{report,list,csv} - as report or list or csv but sorted

These can be set with -Dformat=csv. The default is tree.
This plugin supports the following additional configuration:
- outputFile - write a report to this file, in addition to logging it
- format - the format of the report (see above)
- depth - maximum depth to traverse, or -1 for full depth
- includeDependencyScopes - which dependency scopes should be reported, defaulting to compile,runtime, with all recognized as a synonym for compile,runtime,test,system,provided; this affects both resolution and reporting, with dependencies restricted to these scopes on the root project (but not transitive) to resolve dependencies, and then these scopes shown on all nodes (transitively) when reporting (NB: omitting compile is likely to yield a rather useless report)
- excludeRootOptionalDependencies - whether to report on optional dependencies on the project, defaulting to false
- listUnusedNestedOptionalDependencies - whether to show optional dependencies below the root which are not used, defaulting to false, but useful when you want to see what optional dependencies and versions are suggested by included projects; if an optional dependency is included elsewhere, even if a different version, it will always be listed; if this is specified along with suppressExcludedDependencies, this one dominates, and all optional dependencies will be listed
- suppressExcludedDependencies - whether to omit any mention of dependencies which are not included; by default (false), the report mentions non-optional excluded dependencies (i.e. by default test dependencies will be mentioned, but their dependencies will not be listed); this can be useful for generating reports for audiences who might be scared by an LGPL test dependency
- listDependencyIdOnly - whether to omit detail of dependencies in the dependencies list, again useful for some audiences and for CSV reports; default false (no effect on the summary or list formats)
- suppressLicenseInfo - don't show any license details
- licensesPreferred - specifies the preference order of licenses; this is used to extract a single code when multiple licenses are supplied to maven (with no comments, as comments sometimes indicate mixed licensing; the absence of comments is interpreted to mean multiply licensed); the format should be a comma-separated list of license codes, e.g. ASL2,EPL1
- overridesFile - allow project information (licenses or URLs) to come from a file; useful if a project's pom is missing data (or has wrong information); the format should be YAML specifying a list of entries each with a project id or ids and metadata to override, such as license or url; e.g. [ { id: "org.codehaus.jettison:jettison", license: ASL2, url: "https://github.com/codehaus/jettison" }, { ids: [ "dom4j:dom4j:*", "dom4j:dom4j-core:1.4-dev-8" ], license: { name: "BSD style", url: "http://dom4j.sourceforge.net/dom4j-1.6.1/license.html" }, url: "http://dom4j.sourceforge.net/" } ]
- extrasFile - allow info for additional projects to be supplied from a file and included in the report; useful if you want to include non-java dependencies; the format of the file is the same as for overridesFile, but name and version are also supported
- extrasFiles - as extrasFile but allowing a list (using the system's path separator character)
- onlyExtras - whether only to show info for items in extrasFile or extrasFiles, i.e. ignoring maven dependencies (no tree/dependency structure will be shown); this is useful esp with notices for a JAR or source build (where dependencies are not included)
There is also a notices goal available which takes most of the same config options, and generates a notices report including attribution requirements. Additional keys it supports are:
- notice or notices - taking strings or a list of strings to provide custom notices (e.g. copyright requirements)
- internal - equalling true to suppress an entry in the notices (e.g. for your own project)
The following things would be nice to add/change:
- Re-use the options in dependency:build-classpath and the code there to scan dependencies in scope (or even contribute this to the maven dependency plugin); but note that target seems to mangle the order
- Show what drags in a dependency (esp in CSV view)
- Produce an HTML tree
- Consider using SPDX (standard metadata for licensing)
This software is copyright (c) 2015 by Alex Heneveld and Cloudsoft Corporation.
This software is released under the Apache Software License, v2.