Skip to content

Create THIRD-PARTY-NOTICES#39

Merged
Mahesh-Binayak merged 1 commit into
mosip:developfrom
rajapandi1234:patch-5
Jan 6, 2026
Merged

Create THIRD-PARTY-NOTICES#39
Mahesh-Binayak merged 1 commit into
mosip:developfrom
rajapandi1234:patch-5

Conversation

@rajapandi1234

@rajapandi1234 rajapandi1234 commented Jan 6, 2026

Copy link
Copy Markdown

Summary by CodeRabbit

  • Documentation
    • Added THIRD-PARTY-NOTICES file providing a consolidated reference for all third-party packages used in the project, including license information, versions, and homepages, with references to detailed license texts.

✏️ Tip: You can customize this high-level summary in your review settings.

Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jan 6, 2026

Copy link
Copy Markdown

Walkthrough

A new THIRD-PARTY-NOTICES file has been added at the project root, providing a consolidated registry of third-party packages used by the project. The file lists package coordinates, versions, licenses, and homepages, with a reference to the license/ directory for full license texts.

Changes

Cohort / File(s) Summary
Project Documentation
THIRD-PARTY-NOTICES
New file added listing third-party packages (org.slf4j, Jackson, JUnit, MOSIP kernels, imagedecoder, etc.) with version, license (MIT, Apache-2.0, MPL-2.0, LGPL-3.0, EPL-2.0), and homepage; points to license/ directory for complete texts.

Possibly related PRs

  • license folder #38: Adds the actual license files (licenses/* and NOTICE) that this THIRD-PARTY-NOTICES file references, providing the full license text sources mentioned in the notices.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Acknowledgments bundled neat and tight,
Third-party friends brought into light,
Each package named with license clear,
Their contributions we hold dear,
A grateful nod to all we use,
With proper credits—no excuse!

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Create THIRD-PARTY-NOTICES' directly and clearly describes the primary change in the pull request—the addition of a new THIRD-PARTY-NOTICES file at the project root.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@Mahesh-Binayak

Copy link
Copy Markdown

@CodeRabbit review

@coderabbitai

coderabbitai Bot commented Jan 6, 2026

Copy link
Copy Markdown
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@Mahesh-Binayak Mahesh-Binayak merged commit f212dbe into mosip:develop Jan 6, 2026
5 checks passed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Fix all issues with AI Agents
In @THIRD-PARTY-NOTICES:
- Around line 20-24: Update the THIRD-PARTY-NOTICES entries for kernel-core,
kernel-bom, and kernel-logger-logback to match the pom.xml by changing their
versions to 1.2.1-SNAPSHOT (replace any 1.3.0-SNAPSHOT occurrences), and remove
the duplicate 1.3.0-beta.1 entries associated with these kernel packages so each
package appears once with version 1.2.1-SNAPSHOT.
🧹 Nitpick comments (1)
THIRD-PARTY-NOTICES (1)

13-17: Consider whether build-time Maven plugins should be included.

The file lists several Maven plugins (maven-source-plugin, maven-gpg-plugin, git-commit-id-plugin, maven-assembly-plugin, maven-compiler-plugin, maven-javadoc-plugin, maven-surefire-plugin, maven-jar-plugin, maven-dependency-plugin).

Typically, build-time dependencies like Maven plugins only need to be included in THIRD-PARTY-NOTICES if:

  • You're distributing source code that includes these build configurations
  • The plugins generate code or resources that are embedded in your distribution

If you're only distributing compiled artifacts (JAR/WAR files), build-time plugins generally don't need to be listed since they're not part of the runtime distribution.

Verify your distribution model and consider whether these build-time dependencies should be included:

#!/bin/bash
# Description: Check Maven plugins usage to determine if they're runtime dependencies

echo "=== Checking pom.xml for plugin configurations ==="
rg -n "<plugin>" pom.xml -A 5 | rg -E "(groupId|artifactId)" | head -30

echo -e "\n=== Checking if any plugins generate embedded resources ==="
rg -n "generate-sources|generate-resources" pom.xml -A 3 -B 3

Also applies to: 41-45, 48-52, 55-59, 76-80, 97-101, 104-108, 111-115, 118-122

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1e345f5 and f3a286c.

📒 Files selected for processing (1)
  • THIRD-PARTY-NOTICES
🔇 Additional comments (1)
THIRD-PARTY-NOTICES (1)

152-152: Fix the directory path reference: change "license/" to "licenses/"

Line 152 references license/ but the actual directory in the repository is licenses/ (plural). Update the text to correctly point to the existing directory.

Comment thread THIRD-PARTY-NOTICES
Comment on lines +6 to +10
Package: org.slf4j:jcl-over-slf4j
Version: Not specified
License: MIT License (Inferred from project’s official repository)
Homepage: https://www.slf4j.org
================================================================================

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E "(THIRD-PARTY|pom\.xml)" | head -20

Repository: mosip/imagedecoder

Length of output: 117


🏁 Script executed:

cat -n THIRD-PARTY-NOTICES | head -100

Repository: mosip/imagedecoder

Length of output: 5188


🏁 Script executed:

# Check if pom.xml exists
if [ -f pom.xml ]; then
  echo "=== pom.xml found ==="
  wc -l pom.xml
else
  echo "pom.xml not found"
fi

Repository: mosip/imagedecoder

Length of output: 79


🏁 Script executed:

cat -n imagedecoder/pom.xml | head -150

Repository: mosip/imagedecoder

Length of output: 6154


🏁 Script executed:

# Search for specific dependencies in pom.xml
echo "=== SLF4J dependencies ==="
rg -n "jcl-over-slf4j|jul-to-slf4j" imagedecoder/pom.xml -A 2 -B 2

echo -e "\n=== Jackson dependencies ==="
rg -n "jackson-core|jackson-databind" imagedecoder/pom.xml -A 2 -B 2

echo -e "\n=== JUnit vintage ==="
rg -n "junit-vintage-engine" imagedecoder/pom.xml -A 2 -B 2

Repository: mosip/imagedecoder

Length of output: 833


🌐 Web query:

SLF4J jcl-over-slf4j license official

💡 Result:

The official license for org.slf4j:jcl-over-slf4j is the Apache License, Version 2.0. [1][2]

Sources:
[1] SLF4J project / artifact listings and package metadata (Apache-2.0).
[2] Libraries.io / Maven metadata for org.slf4j:jcl-over-slf4j (Apache-2.0).


🌐 Web query:

SLF4J jul-to-slf4j license official

💡 Result:

The SLF4J jul-to-slf4j bridge is distributed under the MIT license. [1][2]

Sources:

  • SLF4J official license page. [1]
  • SLF4J GitHub repository (repository license/MIT). [2]

🌐 Web query:

FasterXML Jackson-core license official

💡 Result:

jackson-core (FasterXML) is licensed under the Apache License, Version 2.0. See the project repo LICENSE and the Apache 2.0 text for the official terms. [1] [2]

Sources:
[1] FasterXML jackson-core (GitHub) — "Apache-2.0 license".
[2] Apache License, Version 2.0 (official text).


🌐 Web query:

FasterXML Jackson-databind license official

💡 Result:

The jackson-databind project is licensed under the Apache License, Version 2.0. [1][2]

Sources:
[1] FasterXML/jackson-databind GitHub repository — License: Apache-2.0.
[2] jackson-databind project wiki — "Project is licensed under Apache License 2.0."


🌐 Web query:

JUnit 5 junit-vintage-engine license official

💡 Result:

The junit-vintage-engine (JUnit 5 Vintage) is published under the Eclipse Public License version 2.0 (EPL-2.0). [1][2]

Sources:
[1] JUnit 5 documentation (junit-vintage described as JUnit module; project uses EPL-2.0). (junit.org)
[2] JUnit GitHub repository (junit-team/junit-framework) — license: EPL-2.0. (github.com)

Citations:


Fix incorrect license for jcl-over-slf4j and verify all licenses are from official sources.

The license information in THIRD-PARTY-NOTICES contains an error: org.slf4j:jcl-over-slf4j is listed as "MIT License" but the official source indicates it is licensed under Apache License 2.0.

Additionally, several packages lack explicit version specifications in pom.xml (they are managed transitively through kernel-bom):

  • org.slf4j:jcl-over-slf4j, org.slf4j:jul-to-slf4j
  • com.fasterxml.jackson.core:jackson-core, jackson-databind
  • org.junit.vintage:junit-vintage-engine

For accurate legal compliance documentation, specify versions explicitly in pom.xml and source license information directly from official repositories rather than inferring. Consider integrating an automated license verification tool like maven-license-plugin into the build process to ensure accuracy.

Comment thread THIRD-PARTY-NOTICES
Comment on lines +20 to +24
Package: io.mosip.kernel:kernel-core
Version: 1.3.0-SNAPSHOT
License: MPL-2.0 (Inferred from MOSIP official repository)
Homepage: https://mosip.io
================================================================================

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, locate the THIRD-PARTY-NOTICES file
find . -name "THIRD-PARTY-NOTICES" -type f

Repository: mosip/imagedecoder

Length of output: 83


🏁 Script executed:

# Check file size and content
wc -l ./THIRD-PARTY-NOTICES
echo "---"
cat -n ./THIRD-PARTY-NOTICES

Repository: mosip/imagedecoder

Length of output: 7907


🏁 Script executed:

# Find and examine pom.xml files
find . -name "pom.xml" -type f | head -5

Repository: mosip/imagedecoder

Length of output: 101


🏁 Script executed:

# Examine the main pom.xml to check kernel package versions
cat ./imagedecoder/pom.xml

Repository: mosip/imagedecoder

Length of output: 10534


Update THIRD-PARTY-NOTICES with correct kernel package versions and remove duplicates.

The THIRD-PARTY-NOTICES file lists incorrect versions for the kernel packages. According to pom.xml, the actual declared versions are 1.2.1-SNAPSHOT, but the file contains entries for 1.3.0-SNAPSHOT and 1.3.0-beta.1:

  • kernel-core: Declared as 1.2.1-SNAPSHOT in pom.xml, but listed as 1.3.0-SNAPSHOT (lines 20-24) and 1.3.0-beta.1 (lines 132-136)
  • kernel-bom: Declared as 1.2.1-SNAPSHOT in pom.xml, but listed as 1.3.0-SNAPSHOT (lines 62-66) and 1.3.0-beta.1 (lines 125-129)
  • kernel-logger-logback: Declared as 1.2.1-SNAPSHOT in pom.xml, but listed as 1.3.0-SNAPSHOT (lines 69-73) and 1.3.0-beta.1 (lines 139-143)

Update all three packages to 1.2.1-SNAPSHOT and remove the duplicate beta.1 entries (lines 125-143).

🤖 Prompt for AI Agents
In @THIRD-PARTY-NOTICES around lines 20-24, Update the THIRD-PARTY-NOTICES
entries for kernel-core, kernel-bom, and kernel-logger-logback to match the
pom.xml by changing their versions to 1.2.1-SNAPSHOT (replace any 1.3.0-SNAPSHOT
occurrences), and remove the duplicate 1.3.0-beta.1 entries associated with
these kernel packages so each package appears once with version 1.2.1-SNAPSHOT.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants