Outputting a list of OSS licenses with Maven

When you use Spring Boot you end up depending on a large number of OSS libraries, and sometimes you need a list of the libraries you are actually using.
Concretely, such a list is needed for verifying OSS license compatibility[1] and for deciding whether vulnerability countermeasures are required, but libraries bring in dependencies of their own, so enumerating everything by hand is a lot of work.

License Maven Plugin

It looks like this can be done with a plugin called License Maven Plugin.
See here for how to use it.

Usage

Running the following in a Spring Boot project writes the list to target/generated-sources/license/THIRD-PARTY.txt.

mvnw license:add-third-party

As it stands, libraries in test scope, which are not part of the release package, also end up in the list, but they can be excluded by specifying the scope as follows.

mvnw license:add-third-party -D license.excludedScopes=test

Example run

The project whose OSS list is produced here defines the following dependencies in its pom.xml.

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-devtools</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-configuration-processor</artifactId>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

Running it in a Spring Boot 2.1.2 environment with test scope excluded produced the following list.

Lists of 72 third-party dependencies.
     (BSD License) AntLR Parser Generator (antlr:antlr:2.7.7 - http://www.antlr.org/)
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.2.3 - http://logback.qos.ch/logback-core)
     (The Apache Software License, Version 2.0) ClassMate (com.fasterxml:classmate:1.4.0 - http://github.com/FasterXML/java-classmate)
     (The Apache Software License, Version 2.0) Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.9.0 - http://github.com/FasterXML/jackson)
     (The Apache Software License, Version 2.0) Jackson-core (com.fasterxml.jackson.core:jackson-core:2.9.8 - https://github.com/FasterXML/jackson-core)
     (The Apache Software License, Version 2.0) jackson-databind (com.fasterxml.jackson.core:jackson-databind:2.9.8 - http://github.com/FasterXML/jackson)
     (The Apache Software License, Version 2.0) Jackson datatype: jdk8 (com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.8 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jdk8)
     (The Apache Software License, Version 2.0) Jackson datatype: JSR310 (com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.9.8 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310)
     (The Apache Software License, Version 2.0) Jackson-module-parameter-names (com.fasterxml.jackson.module:jackson-module-parameter-names:2.9.8 - https://github.com/FasterXML/jackson-modules-java8/jackson-module-parameter-names)
     (MPL 2.0 or EPL 1.0) H2 Database Engine (com.h2database:h2:1.4.197 - http://www.h2database.com)
     (The Apache Software License, Version 2.0) HikariCP (com.zaxxer:HikariCP:3.2.0 - https://github.com/brettwooldridge/HikariCP)
     (CDDL/GPLv2+CE) JavaBeans Activation Framework API jar (javax.activation:javax.activation-api:1.2.0 - http://java.net/all/javax.activation-api/)
     (CDDL + GPLv2 with classpath exception) javax.annotation API (javax.annotation:javax.annotation-api:1.3.2 - http://jcp.org/en/jsr/detail?id=250)
     (Eclipse Distribution License v. 1.0) (Eclipse Public License v1.0) javax.persistence-api (javax.persistence:javax.persistence-api:2.2 - https://github.com/javaee/jpa-spec)
     (CDDL + GPLv2 with classpath exception) javax.transaction API (javax.transaction:javax.transaction-api:1.3 - http://jta-spec.java.net)
     (Apache License 2.0) Bean Validation API (javax.validation:validation-api:2.0.1.Final - http://beanvalidation.org)
     (CDDL 1.1) (GPL2 w/ CPE) jaxb-api (javax.xml.bind:jaxb-api:2.3.1 - https://github.com/javaee/jaxb-spec/jaxb-api)
     (The Apache Software License, Version 2.0) Byte Buddy (without dependencies) (net.bytebuddy:byte-buddy:1.9.7 - http://bytebuddy.net/byte-buddy)
     (Apache License, Version 2.0) Apache Log4j API (org.apache.logging.log4j:log4j-api:2.11.1 - https://logging.apache.org/log4j/2.x/log4j-api/)
     (Apache License, Version 2.0) Apache Log4j to SLF4J Adapter (org.apache.logging.log4j:log4j-to-slf4j:2.11.1 - https://logging.apache.org/log4j/2.x/log4j-to-slf4j/)
     (Apache License, Version 2.0) tomcat-embed-core (org.apache.tomcat.embed:tomcat-embed-core:9.0.14 - https://tomcat.apache.org/)
     (Apache License, Version 2.0) tomcat-embed-el (org.apache.tomcat.embed:tomcat-embed-el:9.0.14 - https://tomcat.apache.org/)
     (Apache License, Version 2.0) tomcat-embed-websocket (org.apache.tomcat.embed:tomcat-embed-websocket:9.0.14 - https://tomcat.apache.org/)
     (Eclipse Public License - v 1.0) AspectJ weaver (org.aspectj:aspectjweaver:1.9.2 - http://www.aspectj.org)
     (The Apache Software License, Version 2.0) attoparser (org.attoparser:attoparser:2.0.5.RELEASE - http://www.attoparser.org)
     (BSD 3-clause New License) dom4j (org.dom4j:dom4j:2.1.1 - http://dom4j.github.io/)
     (GNU Library General Public License v2.1 or later) Hibernate ORM - hibernate-core (org.hibernate:hibernate-core:5.3.7.Final - http://hibernate.org/orm)
     (GNU Lesser General Public License v2.1 or later) Hibernate Commons Annotations (org.hibernate.common:hibernate-commons-annotations:5.0.4.Final - http://hibernate.org)
     (Apache License 2.0) Hibernate Validator Engine (org.hibernate.validator:hibernate-validator:6.0.14.Final - http://hibernate.org/validator/hibernate-validator)
     (Apache License 2.0) (LGPL 2.1) (MPL 1.1) Javassist (org.javassist:javassist:3.23.1-GA - http://www.javassist.org/)
     (Apache License, Version 2.0) Java Annotation Indexer (org.jboss:jandex:2.0.5.Final - http://www.jboss.org/jandex)
     (Apache License, version 2.0) JBoss Logging 3 (org.jboss.logging:jboss-logging:3.3.2.Final - http://www.jboss.org)
     (The MIT License) Project Lombok (org.projectlombok:lombok:1.18.4 - https://projectlombok.org)
     (MIT License) JUL to SLF4J bridge (org.slf4j:jul-to-slf4j:1.7.25 - http://www.slf4j.org)
     (MIT License) SLF4J API Module (org.slf4j:slf4j-api:1.7.25 - http://www.slf4j.org)
     (Apache License, Version 2.0) Spring AOP (org.springframework:spring-aop:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Aspects (org.springframework:spring-aspects:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Beans (org.springframework:spring-beans:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Context (org.springframework:spring-context:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Core (org.springframework:spring-core:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Expression Language (SpEL) (org.springframework:spring-expression:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Commons Logging Bridge (org.springframework:spring-jcl:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring JDBC (org.springframework:spring-jdbc:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Object/Relational Mapping (org.springframework:spring-orm:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Transaction (org.springframework:spring-tx:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Web (org.springframework:spring-web:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Web MVC (org.springframework:spring-webmvc:5.1.4.RELEASE - https://github.com/spring-projects/spring-framework)
     (Apache License, Version 2.0) Spring Boot (org.springframework.boot:spring-boot:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot)
     (Apache License, Version 2.0) Spring Boot AutoConfigure (org.springframework.boot:spring-boot-autoconfigure:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-autoconfigure)
     (Apache License, Version 2.0) Spring Boot Configuration Processor (org.springframework.boot:spring-boot-configuration-processor:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-tools/spring-boot-configuration-processor)
     (Apache License, Version 2.0) Spring Boot Developer Tools (org.springframework.boot:spring-boot-devtools:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-devtools)
     (Apache License, Version 2.0) Spring Boot Starter (org.springframework.boot:spring-boot-starter:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter)
     (Apache License, Version 2.0) Spring Boot AOP Starter (org.springframework.boot:spring-boot-starter-aop:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-aop)
     (Apache License, Version 2.0) Spring Boot Data JPA Starter (org.springframework.boot:spring-boot-starter-data-jpa:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-data-jpa)
     (Apache License, Version 2.0) Spring Boot JDBC Starter (org.springframework.boot:spring-boot-starter-jdbc:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-jdbc)
     (Apache License, Version 2.0) Spring Boot Json Starter (org.springframework.boot:spring-boot-starter-json:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-json)
     (Apache License, Version 2.0) Spring Boot Logging Starter (org.springframework.boot:spring-boot-starter-logging:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-logging)
     (Apache License, Version 2.0) Spring Boot Security Starter (org.springframework.boot:spring-boot-starter-security:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-security)
     (Apache License, Version 2.0) Spring Boot Thymeleaf Starter (org.springframework.boot:spring-boot-starter-thymeleaf:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-thymeleaf)
     (Apache License, Version 2.0) Spring Boot Tomcat Starter (org.springframework.boot:spring-boot-starter-tomcat:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-tomcat)
     (Apache License, Version 2.0) Spring Boot Web Starter (org.springframework.boot:spring-boot-starter-web:2.1.2.RELEASE - https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web)
     (Apache License, Version 2.0) Spring Data Core (org.springframework.data:spring-data-commons:2.1.4.RELEASE - http://www.spring.io/spring-data/spring-data-commons)
     (Apache License, Version 2.0) Spring Data JPA (org.springframework.data:spring-data-jpa:2.1.4.RELEASE - http://projects.spring.io/spring-data-jpa)
     (The Apache Software License, Version 2.0) spring-security-config (org.springframework.security:spring-security-config:5.1.3.RELEASE - http://spring.io/spring-security)
     (The Apache Software License, Version 2.0) spring-security-core (org.springframework.security:spring-security-core:5.1.3.RELEASE - http://spring.io/spring-security)
     (The Apache Software License, Version 2.0) spring-security-web (org.springframework.security:spring-security-web:5.1.3.RELEASE - http://spring.io/spring-security)
     (The Apache Software License, Version 2.0) thymeleaf (org.thymeleaf:thymeleaf:3.0.11.RELEASE - http://www.thymeleaf.org)
     (The Apache Software License, Version 2.0) thymeleaf-spring5 (org.thymeleaf:thymeleaf-spring5:3.0.11.RELEASE - http://www.thymeleaf.org)
     (The Apache Software License, Version 2.0) thymeleaf-extras-java8time (org.thymeleaf.extras:thymeleaf-extras-java8time:3.0.2.RELEASE - http://www.thymeleaf.org)
     (The Apache Software License, Version 2.0) unbescape (org.unbescape:unbescape:1.1.6.RELEASE - http://www.unbescape.org)
     (Apache License, Version 2.0) SnakeYAML (org.yaml:snakeyaml:1.23 - http://www.snakeyaml.org)

A list of each OSS library's name, license, version, and URL was output.
After trying it on a number of projects, some entries had their license or URL shown as Unknown, but this is still far more efficient than looking up every library one by one.
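Parsing the THIRD-PARTY.txt format shown above and flagging entries for license review, as an added example that is not code from the post or from the plugin: the leading parenthesised groups are the licenses and the final group holds the coordinates and URL, which matters because display names such as "Byte Buddy (without dependencies)" contain parentheses of their own. The sample input, the REVIEW_PATTERNS policy, and the wording of the "Unknown license" entry are constructed assumptions.

```python
import re
from dataclasses import dataclass
# Each entry line of THIRD-PARTY.txt written by license:add-third-party looks like
#   (License A) (License B) Artifact name (groupId:artifactId:version - url)
# Display names may contain parentheses, so licences are taken from the leading run
# of (...) groups and the coordinates only from the final group.
ENTRY_RE = re.compile(
    r"^\s*(?P<licenses>(?:\([^()]*\)\s*)+)"
    r"(?P<name>.*?)\s*"
    r"\((?P<coords>[^()\s]+:[^()\s]+:[^()\s]+) - (?P<url>[^()]*)\)\s*$"
)
# Licence names a reviewer wants to see before release (assumed policy, not plugin config).
REVIEW_PATTERNS = ("GPL", "General Public License", "Unknown")

@dataclass
class ThirdParty:
    name: str
    group: str
    artifact: str
    version: str
    url: str
    licenses: list

def parse_third_party(text: str) -> list:
    """Parse THIRD-PARTY.txt content; the 'Lists of N ...' header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        group, artifact, version = m.group("coords").split(":", 2)
        entries.append(ThirdParty(m.group("name"), group, artifact, version, m.group("url"),
                                  re.findall(r"\(([^()]*)\)", m.group("licenses"))))
    return entries

def needs_review(entry: ThirdParty) -> bool:
    """True when every licence option matches REVIEW_PATTERNS; dual-licensed artifacts with a permissive choice are not flagged."""
    return all(any(p in lic for p in REVIEW_PATTERNS) for lic in entry.licenses)

def review_report(text: str) -> list:
    """Return groupId:artifactId:version for each entry that needs a human look."""
    return [f"{e.group}:{e.artifact}:{e.version}" for e in parse_third_party(text) if needs_review(e)]

# Constructed sample: three lines from the output above plus one made-up entry with no
# licence or URL information (the wording of such entries is an assumption).
SAMPLE = """Lists of 4 third-party dependencies.
     (Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
     (The Apache Software License, Version 2.0) Byte Buddy (without dependencies) (net.bytebuddy:byte-buddy:1.9.7 - http://bytebuddy.net/byte-buddy)
     (GNU Library General Public License v2.1 or later) Hibernate ORM - hibernate-core (org.hibernate:hibernate-core:5.3.7.Final - http://hibernate.org/orm)
     (Unknown license) example-lib (com.example:example-lib:0.1.0 - no url defined)"""
```

Run review_report on the real THIRD-PARTY.txt to get the coordinates that still need a manual license decision; the structured entries can equally be fed to a vulnerability check by group, artifact and version.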

Thoughts

With Maven I was able to output a list of each OSS library's license, version, and so on.
Since it takes a single command, it is also easy to have Jenkins produce the list for every version.
Combined with Webjars, it looks like JavaScript library licenses could be managed in the same way.


  1. Confirming, when distributing, that no OSS with an incompatible license is used, and carrying out whatever each license requires. That is why I looked into how to output a list of the OSS in use and their licenses. ↩︎
