Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Licensee πŸ“œπŸ‘€

A Gradle plugin which validates the licenses of your dependency graph match what you expect, or it fails your build!

Jump to: Introduction | Usage | Configuration | Development | License


Imagine your closed-source product depends on an Apache 2-licensed artifact.

implementation 'com.example:example:1.0'

The developer releases a new version and you dutifully upgrade.

-implementation 'com.example:example:1.0'
+implementation 'com.example:example:1.1'

This new version has a transitive dependency on a GPL-licensed artifact which is incompatible with your closed-source product. Did you catch it?

You may have seen the new dependency in a dependency tree diff, but did you check its license?

-+--- com.example:example:1.0
++--- com.example:example:1.1
+     \--- com.other:other:2.5

With the Licensee plugin applied, you don't have to. First, configure it to allow Apache 2-licensed dependencies.

licensee {

Now attempting to upgrade the dependency will fail the build.

> Task :app:licensee FAILED
 - SPDX identifier 'GPL-3.0-or-later' is NOT allowed

Crisis averted!


Add the dependency and apply the plugin to the module whose dependency graph you want to check.

buildscript {
  repositories {
  dependencies {
    classpath ''

apply plugin: ''
Snapshots of the development version are available in Sonatype's snapshots repository.

buildscript {
  repository {
    maven {
      url ''
  dependencies {
    classpath ''

apply plugin: ''

The plugin's tasks will walk the entire transitive dependency graph, so it only needs to be applied to "leaf" modules (those without downstream dependencies) such as applications and services. If you are building a library, however, apply it to each library module.

Licensee requires a supported language/platform plugin to also be applied to the same module:

  • java-library
  • java
  • org.jetbrains.kotlin.jvm
  • org.jetbrains.kotlin.js
  • org.jetbrains.kotlin.multiplatform

Configure the list of allowed licenses using the licensee DSL:

licensee {

For more configuration options, see the configuration section.

The licensee task will be added to your build and automatically added as a dependency of the check task. Android and Kotlin multiplatform modules will have variant-specific versions of this task (such as licenseeDebug and licenseeJs) with the licensee task merely aggregating them together.

In addition to failing the build on detection of a disallowed license, the plugin will always generate some report files.

  1. artifacts.json

    A JSON file with license information on every artifact in the dependency graph.

  2. validation.txt

    A plain text report containing each artifact and whether its licenses are allowed or disallowed.

These files are generated into <buildDir>/reports/licensee, or for Android modules <buildDir>/reports/licensee/<variant name>/.


The following functions are available on the licensee DSL and/or type.


Allow artifacts with a license that matches a SPDX identifier.

licensee {

A full list of supported identifiers is available at


Allow artifacts with an unknown (non-SPDX) license which matches a URL.

licensee {

A reason string can be supplied to document why the URL is allowed.

licensee {
  allowUrl('') {
    because 'Apache-2.0, but self-hosted copy of the license'


Allow an artifact with a specific groupId, artifactId, and version. This is useful for artifacts which contain no license data or have invalid/incorrect license data.

licensee {
  allowDependency('com.example', 'example', '1.0')

A reason string can be supplied to document why the dependency is being allowed despite missing or invalid license data.

licensee {
  allowDependency('com.jetbrains', 'annotations', '16.0.1') {
    because 'Apache-2.0, but typo in license URL fixed in newer versions'

Reason strings will be included in validation reports.


Ignore a single dependency or group of dependencies during dependency graph resolution. Artifacts targeted with this method will not be analyzed for license information and will not show up in any report files.

This function can be used to ignore internal, closed-source libraries and commercial libraries for which you've purchased a license.

There are overloads which accept either a groupId or a groupId:artifactId pair.

licensee {
  ignoreDependencies('com.mycompany.utils', 'utils')

A reason string can be supplied to document why the dependencies are being ignored.

licensee {
  ignoreDependencies('com.example.sdk', 'sdk') {
    because "commercial SDK"

An ignore can be marked as transitive which will ignore an entire branch of the dependency tree. This will ignore the target artifact's dependencies regardless of the artifact coordinates or license info. Since it is especially dangerous, a reason string is required.

licensee {
  ignoreDependencies('com.other.sdk', 'sdk') {
    transitive = true
    because "commercial SDK"


Updating embedded license info

Run the updateLicenses task to update the embedded SPDX license file in src/main/resources/.


Copyright 2021 Square, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.