MavenでOSSのライセンス一覧を出力する

Spring Bootを使っていると大量のOSSライブラリを使用することになるのですが、使用しているライブラリの一覧が必要になることがあります。
具体的にはOSSライセンスの適合性検証1、脆弱性対策の要否判断などで必要になるのですが、ライブラリの依存ライブラリなどもあり、全て列挙すると大きな手間になります。
そこで、使用しているOSSやライセンス一覧を出力する方法を調べました。

License Maven Plugin

License Maven Pluginというプラグインで実現できそうです。
使い方はこちら

使用方法

Spring Bootのプロジェクトで以下を実行すると、target/generated-sources/license/THIRD-PARTY.txtに出力されます。

mvnw license:add-third-party

このままだとリリースパッケージに含まれないtestスコープのライブラリも一覧に入ってしまうのですが、以下のようにスコープを指定すると除外できます。

mvnw license:add-third-party -D license.excludedScopes=test

実行例

今回OSS一覧を出力するプロジェクトでは、pom.xmlに以下の依存関係を定義しています。

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-devtools</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-configuration-processor</artifactId>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

Spring Boot 2.1.2の環境でスコープがtest以外のものを出力した所、以下の一覧が得られました。

Lists of 72 third-party dependencies.
     (BSD License) AntLR Parser Generator (antlr:antlr:2.7.7 - http://www.antlr.org/)
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.2.3 - http://logback.qos.ch/logback-core)
     (The Apache Software License, Version 2.0) ClassMate (com.fasterxml:classmate:1.4.0 - http://github.com/FasterXML/java-classmate)
     (The Apache Software License, Version 2.0) Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.9.0 - http://github.com/FasterXML/jackson)
     (The Apache Software License, Version 2.0) Jackson-core (com.fasterxml.jackson.core:jackson-core:2.9.8 - https://github.com/FasterXML/jackson-core)
     (The Apache Software License, Version 2.0) jackson-databind (com.fasterxml.jackson.core:jackson-databind:2.9.8 - http://github.com/FasterXML/jackson)
     (The Apache Software License, Version 2.0) Jackson datatype: jdk8 (com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.8 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jdk8)
     (The Apache Software License, Version 2.0) Jackson datatype: JSR310 (com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.9.8 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310)
     (The Apache Software License, Version 2.0) Jackson-module-parameter-names (com.fasterxml.jackson.module:jackson-module-parameter-names:2.9.8 - https://github.com/FasterXML/jackson-modules-java8/jackson-module-parameter-names)
     (MPL 2.0 or EPL 1.0) H2 Database Engine (com.h2database:h2:1.4.197 - http://www.h2database.com)
     (The Apache Software License, Version 2.0) HikariCP (com.zaxxer:HikariCP:3.2.0 - https://github.com/brettwooldridge/HikariCP)
     (CDDL/GPLv2+CE) JavaBeans Activation Framework API jar (javax.activation:javax.activation-api:1.2.0 - http://java.net/all/javax.activation-api/)
     (CDDL + GPLv2 with classpath exception) javax.annotation API (javax.annotation:javax.annotation-api:1.3.2 - http://jcp.org/en/jsr/detail?id=250)
     (Eclipse Distribution License v. 1.0) (Eclipse Public License v1.0) javax.persistence-api (javax.persistence:javax.persistence-api:2.2 - https://github.com/javaee/jpa-spec)
     (CDDL + GPLv2 with classpath exception) javax.transaction API (javax.transaction:javax.transaction-api:1.3 - http://jta-spec.java.net)
     (Apache License 2.0) Bean Validation API (javax.validation:validation-api:2.0.1.Final - http://beanvalidation.org)
     (CDDL 1.1) (GPL2 w/ CPE) jaxb-api (javax.xml.bind:jaxb-api:2.3.1 - https://github.com/javaee/jaxb-spec/jaxb-api)
     (The Apache Software License, Version 2.0) Byte Buddy (without dependencies) (net.bytebuddy:byte-buddy:1.9.7 - http://bytebuddy.net/byte-buddy)
     (Apache License, Version 2.0) Apache Log4j API (org.apache.logging.log4j:log4j-api:2.11.1 - https://logging.apache.org/log4j/2.x/log4j-api/)
     (Apache License, Version 2.0) Apache Log4j to SLF4J Adapter (org.apache.logging.log4j:log4j-to-slf4j:2.11.1 - https://logging.apache.org/log4j/2.x/log4j-to-slf4j/)
     (Apache License, Version 2.0) tomcat-embed-core (org.apache.tomcat.embed:tomcat-embed-core:9.0.14 - https://tomcat.apache.org/)
     (Apache License, Version 2.0) tomcat-embed-el (org.apache.tomcat.embed:tomcat-embed-el:9.0.14 - https://tomcat.apache.org/)
     (Apache License, Version 2.0) tomcat-embed-websocket (org.apache.tomcat.embed:tomcat-embed-websocket:9.0.14 - https://tomcat.apache.org/)
     (Eclipse Public License - v 1.0) AspectJ weaver (org.aspectj:aspectjweaver:1.9.2 - http://www.aspectj.org)
     (The Apache Software License, Version 2.0) attoparser (org.attoparser:attoparser:2.0.5.RELEASE - http://www.attoparser.org)
     (BSD 3-clause New License) dom4j (org.dom4j:dom4j:2.1.1 - http://dom4j.github.io/)
     (GNU Library General Public License v2.1 or later) Hibernate ORM - hibernate-core (org.hibernate:hibernate-core:5.3.7.Final - http://hibernate.org/orm)
     (GNU Lesser General Public License v2.1 or later) Hibernate Commons Annotations (org.hibernate.common:hibernate-commons-annotations:5.0.4.Final - http://hibernate.org)
     (Apache License 2.0) Hibernate Validator Engine (org.hibernate.validator:hibernate-validator:6.0.14.Final - http://hibernate.org/validator/hibernate-validator)
     (Apache License 2.0) (LGPL 2.1) (MPL 1.1) Javassist (org.javassist:javassist:3.23.1-GA - http://www.javassist.org/)
     (Apache License, Version 2.0) Java Annotation Indexer (org.jboss:jandex:2.0.5.Final - http://www.jboss.org/jandex)
     (Apache License, version 2.0) JBoss Logging 3 (org.jboss.logging:jboss-logging:3.3.2.Final - http://www.jboss.org)
     (The MIT License) Project Lombok (org.projectlombok:lombok:1.18.4 - https://projectlombok.org)
     (MIT License) JUL to SLF4J bridge (org.slf4j:jul-to-slf4j:1.7.25 - http://www.slf4j.org)
     (MIT License) SLF4J API Module (org.slf4j:slf4j-api:1.7.25 - http://www.slf4j.org)
     (Apache License, Version 2.0) Spring AOP (org.springframework:spring-aop:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Aspects (org.springframework:spring-aspects:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Beans (org.springframework:spring-beans:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Context (org.springframework:spring-context:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Core (org.springframework:spring-core:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Expression Language (SpEL) (org.springframework:spring-expression:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Commons Logging Bridge (org.springframework:spring-jcl:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring JDBC (org.springframework:spring-jdbc:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Object/Relational Mapping (org.springframework:spring-orm:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Transaction (org.springframework:spring-tx:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Web (org.springframework:spring-web:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Web MVC (org.springframework:spring-webmvc:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Boot (org.springframework.boot:spring-boot:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot)
     (Apache License, Version 2.0) Spring Boot AutoConfigure (org.springframework.boot:spring-boot-autoconfigure:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-autoconfigure)
     (Apache License, Version 2.0) Spring Boot Configuration Processor (org.springframework.boot:spring-boot-configuration-processor:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-tools/spring-boot-configuration-processor)
     (Apache License, Version 2.0) Spring Boot Developer Tools (org.springframework.boot:spring-boot-devtools:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-devtools)
     (Apache License, Version 2.0) Spring Boot Starter (org.springframework.boot:spring-boot-starter:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter)
     (Apache License, Version 2.0) Spring Boot AOP Starter (org.springframework.boot:spring-boot-starter-aop:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-aop)
     (Apache License, Version 2.0) Spring Boot Data JPA Starter (org.springframework.boot:spring-boot-starter-data-jpa:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-data-jpa)
     (Apache License, Version 2.0) Spring Boot JDBC Starter (org.springframework.boot:spring-boot-starter-jdbc:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-jdbc)
     (Apache License, Version 2.0) Spring Boot Json Starter (org.springframework.boot:spring-boot-starter-json:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-json)
     (Apache License, Version 2.0) Spring Boot Logging Starter (org.springframework.boot:spring-boot-starter-logging:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-logging)
     (Apache License, Version 2.0) Spring Boot Security Starter (org.springframework.boot:spring-boot-starter-security:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-security)
     (Apache License, Version 2.0) Spring Boot Thymeleaf Starter (org.springframework.boot:spring-boot-starter-thymeleaf:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-thymeleaf)
     (Apache License, Version 2.0) Spring Boot Tomcat Starter (org.springframework.boot:spring-boot-starter-tomcat:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-tomcat)
     (Apache License, Version 2.0) Spring Boot Web Starter (org.springframework.boot:spring-boot-starter-web:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web)
     (Apache License, Version 2.0) Spring Data Core (org.springframework.data:spring-data-commons:2.1.4.RELEASE - http://www.spring.io/spring-data/spring-data-commons)
     (Apache License, Version 2.0) Spring Data JPA (org.springframework.data:spring-data-jpa:2.1.4.RELEASE - http://projects.spring.io/spring-data-jpa)
     (The Apache Software License, Version 2.0) spring-security-config (org.springframework.security:spring-security-config:5.1.3.RELEASE - http://spring.io/spring-security)
     (The Apache Software License, Version 2.0) spring-security-core (org.springframework.security:spring-security-core:5.1.3.RELEASE - http://spring.io/spring-security)
     (The Apache Software License, Version 2.0) spring-security-web (org.springframework.security:spring-security-web:5.1.3.RELEASE - http://spring.io/spring-security)
     (The Apache Software License, Version 2.0) thymeleaf (org.thymeleaf:thymeleaf:3.0.11.RELEASE - http://www.thymeleaf.org)
     (The Apache Software License, Version 2.0) thymeleaf-spring5 (org.thymeleaf:thymeleaf-spring5:3.0.11.RELEASE - http://www.thymeleaf.org)
     (The Apache Software License, Version 2.0) thymeleaf-extras-java8time (org.thymeleaf.extras:thymeleaf-extras-java8time:3.0.2.RELEASE - http://www.thymeleaf.org)
     (The Apache Software License, Version 2.0) unbescape (org.unbescape:unbescape:1.1.6.RELEASE - http://www.unbescape.org)
     (Apache License, Version 2.0) SnakeYAML (org.yaml:snakeyaml:1.23 - http://www.snakeyaml.org)

OSSのライブラリ名、ライセンス、バージョン、URLの一覧が出力されました。
いろいろ試したところ、中にはライセンスやURLがUnknownになるものもありましたが、全部一つ一つ調べるよりは圧倒的に効率化できそうです。

所感

Mavenで各OSSのライセンスやバージョン等の一覧を出力することができました。
コマンド一つで出力できるので、Jenkinsでバージョン毎に出力するのも簡単にできますね。
あとはWebjarsと併用すれば、JavaScriptライブラリのライセンスを併せて管理することもできそうです。


  1. 配布する際に互換性のないOSSを使用していないことの確認、各ライセンスにおける必要な対応実施など [return]

関連記事


  1. JJUG CCC 2019 Springに参加してきました
  2. Spring Data JPAのEntityクラスからDDLを生成する
  3. ModelMapperで1対1に対応しないフィールドのマッピング
  4. Javaでオブジェクト配列からフィールド配列を生成
  5. Javaサーブレットにおける部分URLやファイルパスの取得
  6. Windowsのコマンドラインから7-Zipでtar.gz形式に圧縮する
  7. exampleSiteのローカルサーバ起動やビルドを1行で実行する

tosi avatar
tosi
Web Application Engineer, Java / Spring / Azure / GCP
comments powered by Disqus