chore: include list of third party dependencies and their licenses in each artifact#8312

Draft
chadlwilson wants to merge 1 commit intodependency-check:mainfrom
chadlwilson:tidy-licenses

Conversation

@chadlwilson
Collaborator

Description of Change

This change (requesting feedback) replaces the outdated embedded static files with dynamic generation from dependencies via the license-maven-plugin.

Right now it is just generating a THIRD-PARTY.txt with a list of the dependencies and their licenses for each transitive runtime non-optional dependency and including it in META-INF (for normal jars) or the root (for zips such as ant/cli releases).

It is normalising the license names to SPDX IDs.

e.g. for the CLI:

Lists of 69 third-party dependencies.
     (EPL-1.0) (LGPL-2.1-only) Logback Classic Module (ch.qos.logback:logback-classic:1.2.13 - http://logback.qos.ch/logback-classic)
     (EPL-1.0) (LGPL-2.1-only) Logback Core Module (ch.qos.logback:logback-core:1.2.13 - http://logback.qos.ch/logback-core)
     (BSD-3-Clause) MinLog (com.esotericsoftware:minlog:1.3.1 - https://github.com/EsotericSoftware/minlog)
     (Apache-2.0) Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.21 - https://github.com/FasterXML/jackson)
     (Apache-2.0) Jackson-core (com.fasterxml.jackson.core:jackson-core:2.21.0 - https://github.com/FasterXML/jackson-core)
     (Apache-2.0) jackson-databind (com.fasterxml.jackson.core:jackson-databind:2.21.0 - https://github.com/FasterXML/jackson)
     (Apache-2.0) Jackson-dataformat-YAML (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.21.0 - https://github.com/FasterXML/jackson-dataformats-text)
     (Apache-2.0) Jackson datatype: JSR310 (com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.0 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310)
     (Apache-2.0) Jackson module: Blackbird (com.fasterxml.jackson.module:jackson-module-blackbird:2.21.0 - https://github.com/FasterXML/jackson-modules-base)
     (MIT) Package URL (com.github.package-url:packageurl-java:1.5.0 - https://github.com/package-url/packageurl-java)
     (Apache-2.0) compiler (com.github.spullara.mustache.java:compiler:0.9.6 - http://github.com/spullara/mustache.java)
     (Apache-2.0) Gson (com.google.code.gson:gson:2.9.0 - https://github.com/google/gson/gson)
     (Apache-2.0) Guava InternalFutureFailureAccess and InternalFutures (com.google.guava:failureaccess:1.0.3 - https://github.com/google/guava/failureaccess)
     (Apache-2.0) Guava: Google Core Libraries for Java (com.google.guava:guava:33.5.0-jre - https://github.com/google/guava)
     (EPL-1.0) (MPL-2.0) H2 Database Engine (com.h2database:h2:2.4.240 - https://h2database.com)
     (Apache-2.0) retirejs-core (com.h3xstream.retirejs:retirejs-core:3.0.4 - https://github.com/h3xstream/burp-retire-js/retirejs-core)
     (Apache-2.0) AhoCorasickDoubleArrayTrie (com.hankcs:aho-corasick-double-array-trie:1.2.3 - https://github.com/hankcs/AhoCorasickDoubleArrayTrie)
     (CPL-1.0) com.kichik.pecoff4j:pecoff4j (com.kichik.pecoff4j:pecoff4j:0.4.1 - https://github.com/kichik/pecoff4j)
     (MIT) toml4j (com.moandjiezana.toml:toml4j:0.7.2 - http://moandjiezana.com/toml/toml4j)
     (BSD-3-Clause) jmustache (com.samskivert:jmustache:1.16 - http://github.com/samskivert/jmustache)
     (Apache-2.0) Apache Commons CLI (commons-cli:commons-cli:1.11.0 - https://commons.apache.org/proper/commons-cli/)
     (Apache-2.0) Apache Commons Codec (commons-codec:commons-codec:1.21.0 - https://commons.apache.org/proper/commons-codec/)
     (Apache-2.0) Apache Commons IO (commons-io:commons-io:2.21.0 - https://commons.apache.org/proper/commons-io/)
     (Apache-2.0) Apache Commons Validator (commons-validator:commons-validator:1.10.1 - https://commons.apache.org/proper/commons-validator/)
     (Apache-2.0) jcs3-slf4j (io.github.jeremylong:jcs3-slf4j:1.0.5 - https://github.com/jeremylong/jcs3-slf4j/)
     (Apache-2.0) open-vulnerability-clients (io.github.jeremylong:open-vulnerability-clients:9.0.3 - https://github.com/jeremylong/open-vulnerability-clients/)
     (EPL-2.0) (GPL-2.0-only WITH Classpath-exception-2.0) javax.transaction API (jakarta.transaction:jakarta.transaction-api:1.3.3 - https://projects.eclipse.org/projects/ee4j.jta)
     (CDDL-1.1 WITH Classpath-exception-2.0) JavaBeans Activation Framework API jar (javax.activation:javax.activation-api:1.2.0 - http://java.net/all/javax.activation-api/)
     (Apache-2.0) javax.inject (javax.inject:javax.inject:1 - http://code.google.com/p/atinject/)
     (CDDL-1.1) (GPL-2.0-only WITH Classpath-exception-2.0) javax.ws.rs-api (javax.ws.rs:javax.ws.rs-api:2.0.1 - http://jax-rs-spec.java.net)
     (CDDL-1.1) (GPL-2.0-only WITH Classpath-exception-2.0) jaxb-api (javax.xml.bind:jaxb-api:2.3.1 - https://github.com/javaee/jaxb-spec/jaxb-api)
     (Apache-2.0) Joda-Time (joda-time:joda-time:2.14.0 - https://www.joda.org/joda-time/)
     (Apache-2.0) jdiagnostics (org.anarres.jdiagnostics:jdiagnostics:1.0.7 - https://github.com/shevek/jdiagnostics)
     (Apache-2.0) Apache Ant Core (org.apache.ant:ant:1.10.15 - https://ant.apache.org/)
     (Apache-2.0) Apache Commons Collections (org.apache.commons:commons-collections4:4.5.0 - https://commons.apache.org/proper/commons-collections/)
     (Apache-2.0) Apache Commons Compress (org.apache.commons:commons-compress:1.27.1 - https://commons.apache.org/proper/commons-compress/)
     (Apache-2.0) Apache Commons DBCP (org.apache.commons:commons-dbcp2:2.14.0 - https://commons.apache.org/proper/commons-dbcp/)
     (Apache-2.0) Apache Commons JCS :: Core (org.apache.commons:commons-jcs3-core:3.2.1 - http://commons.apache.org/proper/commons-jcs/commons-jcs3-core/)
     (Apache-2.0) Apache Commons Lang (org.apache.commons:commons-lang3:3.20.0 - https://commons.apache.org/proper/commons-lang/)
     (Apache-2.0) Apache Commons Pool (org.apache.commons:commons-pool2:2.13.0 - https://commons.apache.org/proper/commons-pool/)
     (Apache-2.0) Apache Commons Text (org.apache.commons:commons-text:1.15.0 - https://commons.apache.org/proper/commons-text)
     (Apache-2.0) Apache HttpClient (org.apache.httpcomponents.client5:httpclient5:5.5.1 - https://hc.apache.org/httpcomponents-client-5.5.x/5.5.1/httpclient5/)
     (Apache-2.0) Apache HttpClient Cache (org.apache.httpcomponents.client5:httpclient5-cache:5.5.1 - https://hc.apache.org/httpcomponents-client-5.5.x/5.5.1/httpclient5-cache/)
     (Apache-2.0) Apache HttpComponents Core HTTP/1.1 (org.apache.httpcomponents.core5:httpcore5:5.3.6 - https://hc.apache.org/httpcomponents-core-5.3.x/5.3.6/httpcore5/)
     (Apache-2.0) Apache HttpComponents Core HTTP/2 (org.apache.httpcomponents.core5:httpcore5-h2:5.3.6 - https://hc.apache.org/httpcomponents-core-5.3.x/5.3.6/httpcore5-h2/)
     (Apache-2.0) Apache Lucene (module: common) (org.apache.lucene:lucene-analysis-common:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: core) (org.apache.lucene:lucene-core:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: facet) (org.apache.lucene:lucene-facet:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: queries) (org.apache.lucene:lucene-queries:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: queryparser) (org.apache.lucene:lucene-queryparser:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: sandbox) (org.apache.lucene:lucene-sandbox:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Velocity - Engine (org.apache.velocity:velocity-engine-core:2.4.1 - http://velocity.apache.org/engine/devel/velocity-engine-core/)
     (EPL-2.0) Eclipse Packager :: Core (org.eclipse.packager:packager-core:0.21.0 - https://eclipse.org/packager/packager-core)
     (EPL-2.0) Eclipse Packager :: RPM (org.eclipse.packager:packager-rpm:0.21.0 - https://eclipse.org/packager/packager-rpm)
     (EPL-2.0) (GPL-2.0-only WITH Classpath-exception-2.0) JSON-P with Parsson Provider (org.eclipse.parsson:jakarta.json:1.1.7 - https://github.com/eclipse-ee4j/parsson/parsson-bundles/jakarta.json)
     (Public Domain) JSON in Java (org.json:json:20251224 - https://github.com/douglascrockford/JSON-java)
     (MIT) jsoup Java HTML Parser (org.jsoup:jsoup:1.22.1 - https://jsoup.org/)
     (Apache-2.0) Dependency-Check Core (org.owasp:dependency-check-core:12.2.1-SNAPSHOT - https://github.com/dependency-check/DependencyCheck.git/dependency-check-core)
     (Apache-2.0) Dependency-Check Utils (org.owasp:dependency-check-utils:12.2.1-SNAPSHOT - https://github.com/dependency-check/DependencyCheck.git/dependency-check-utils)
     (MIT) semver4j (org.semver4j:semver4j:5.8.0 - https://github.com/semver4j/semver4j)
     (Apache-2.0) JCL 1.2 implemented over SLF4J (org.slf4j:jcl-over-slf4j:1.7.36 - http://www.slf4j.org)
     (MIT) JUL to SLF4J bridge (org.slf4j:jul-to-slf4j:1.7.36 - http://www.slf4j.org)
     (MIT) SLF4J API Module (org.slf4j:slf4j-api:1.7.36 - http://www.slf4j.org)
     (Apache-2.0) org.sonatype.goodies:package-url-java (org.sonatype.goodies:package-url-java:1.2.0 - https://sonatype.github.io/package-url-java/)
     (Apache-2.0) org.sonatype.ossindex:ossindex-service-api (org.sonatype.ossindex:ossindex-service-api:1.8.2 - https://sonatype.github.io/ossindex-public/ossindex-service-api/)
     (Apache-2.0) org.sonatype.ossindex:ossindex-service-client (org.sonatype.ossindex:ossindex-service-client:1.8.2 - https://sonatype.github.io/ossindex-public/ossindex-service-client/)
     (Public Domain) XZ for Java (org.tukaani:xz:1.9 - https://tukaani.org/xz/java.html)
     (Apache-2.0) SnakeYAML (org.yaml:snakeyaml:2.4 - https://bitbucket.org/snakeyaml/snakeyaml)
     (Apache-2.0) CPE Parser (us.springett:cpe-parser:3.0.1 - https://github.com/stevespringett/CPE-Parser)

Related issues

N/A

Have test cases been added to cover the new functionality?

N/A

Questions for feedback

  • It somewhat duplicates NOTICE.txt. As an alternative I could make it generate NOTICE.txt instead, and get it to include the general notes on the data sources that are currently mentioned in the NOTICE.txt?
  • do we need to extract and include full license content? If so, I imagine we only actually need to do that for ant and cli since these are distributed standalone outside dependency management tooling?
  • it currently doesn't include any hard-coded dependencies to refer to licenses for the javascript etc included in reports, e.g. jQuery etc. If this is going in a useful direction, I can add configuration to include those.
  • there may be a better direction to go via cyclonedx-maven-plugin or spdx-maven-plugin or similar that will generate an SBOM of some description in addition to this. It might be better to go this direction if they can also handle licenses. Since CycloneDX is OWASP-adjacent I imagine there's a preference for that above spdx.
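Added example, not code from this PR or from the dependency-check project: a small Python check that parses the THIRD-PARTY.txt format quoted above (one `(License)` group per license choice, then the display name, then `(group:artifact:version - url)`) and applies two defender-side checks to it, whether every license token is an SPDX identifier or `ID WITH exception` expression, and whether each artifact offers at least one license choice on an allow-list. The SPDX subset and the allow-list are constructed assumptions for the sample, not the plugin's own data, and the sample lines are an excerpt of the CLI output quoted in the description.

```python
"""Parse a license-maven-plugin THIRD-PARTY.txt and check it against a license policy."""
import re
from dataclasses import dataclass

# One entry: "(LIC) [(LIC) ...] Display Name (group:artifact:version - url)".
# The display name may itself contain parentheses ("Apache Lucene (module: core)"),
# so the coordinates group is anchored at the end of the line.
ENTRY_RE = re.compile(
    r"^\s*(?P<licenses>(?:\([^()]*\)\s*)+)"      # one or more license groups
    r"(?P<name>.*?)\s*"                           # display name
    r"\((?P<group>[^\s:()]+):(?P<artifact>[^\s:()]+):(?P<version>[^\s()]+)"
    r" - (?P<url>\S+)\)\s*$"
)

# Constructed subset of the SPDX license list, enough for the sample output quoted
# in the PR; a production check would load the full list from spdx.org.
SPDX_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-1.0", "EPL-2.0",
                 "LGPL-2.1-only", "MPL-2.0", "CPL-1.0", "CDDL-1.1", "GPL-2.0-only"}
SPDX_EXCEPTIONS = {"Classpath-exception-2.0"}

# Constructed allow-list: an artifact passes if at least ONE of its license choices
# is here, because the plugin prints every option of a dual-licensed artifact.
ALLOWED = {"Apache-2.0", "MIT", "BSD-3-Clause", "MPL-2.0"}


@dataclass(frozen=True)
class Entry:
    name: str
    group: str
    artifact: str
    version: str
    url: str
    licenses: tuple  # one token per "(...)" group, in file order

    @property
    def gav(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_third_party(text: str) -> list:
    """Parse THIRD-PARTY.txt; header lines are skipped, malformed entries raise."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("("):
            continue  # blank line or the "Lists of N third-party dependencies." header
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable THIRD-PARTY entry: {line!r}")
        tokens = tuple(re.findall(r"\(([^()]*)\)", m.group("licenses")))
        entries.append(Entry(m.group("name"), m.group("group"), m.group("artifact"),
                             m.group("version"), m.group("url"), tokens))
    return entries


def is_spdx_expression(token: str) -> bool:
    """Accept 'ID' or 'ID WITH exception', the two shapes the plugin emits."""
    parts = token.split(" WITH ")
    if len(parts) == 1:
        return parts[0] in SPDX_LICENSES
    return len(parts) == 2 and parts[0] in SPDX_LICENSES and parts[1] in SPDX_EXCEPTIONS


def check_policy(entries, allowed=ALLOWED) -> dict:
    """Report tokens that are not SPDX ids, and artifacts with no allowed license choice."""
    non_spdx = [(e.gav, t) for e in entries for t in e.licenses if not is_spdx_expression(t)]
    needs_review = [e.gav for e in entries if not any(t in allowed for t in e.licenses)]
    return {"non_spdx": non_spdx, "needs_review": needs_review}


# Excerpt of the CLI output quoted in the PR description (header count adjusted).
SAMPLE = """Lists of 8 third-party dependencies.
     (EPL-1.0) (LGPL-2.1-only) Logback Classic Module (ch.qos.logback:logback-classic:1.2.13 - http://logback.qos.ch/logback-classic)
     (BSD-3-Clause) MinLog (com.esotericsoftware:minlog:1.3.1 - https://github.com/EsotericSoftware/minlog)
     (Apache-2.0) Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.21 - https://github.com/FasterXML/jackson)
     (EPL-1.0) (MPL-2.0) H2 Database Engine (com.h2database:h2:2.4.240 - https://h2database.com)
     (CDDL-1.1) (GPL-2.0-only WITH Classpath-exception-2.0) javax.ws.rs-api (javax.ws.rs:javax.ws.rs-api:2.0.1 - http://jax-rs-spec.java.net)
     (Public Domain) JSON in Java (org.json:json:20251224 - https://github.com/douglascrockford/JSON-java)
     (Public Domain) XZ for Java (org.tukaani:xz:1.9 - https://tukaani.org/xz/java.html)
     (Apache-2.0) Apache Lucene (module: common) (org.apache.lucene:lucene-analysis-common:9.12.3 - https://lucene.apache.org/)
"""

if __name__ == "__main__":
    findings = check_policy(parse_third_party(SAMPLE))
    for gav, token in findings["non_spdx"]:
        print(f"non-SPDX license token {token!r} on {gav}")
    for gav in findings["needs_review"]:
        print(f"no allow-listed license choice: {gav}")
```

Run against the THIRD-PARTY.txt extracted from an artifact, this flags the `Public Domain` tokens (which license-maven-plugin emits but which are not SPDX identifiers) and lists the dual-licensed artifacts whose options are all outside the allow-list, which is the review list a release owner actually wants rather than a raw dump of 69 lines.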

… each artifact

Replace the outdated embedded static files with license-maven-plugin.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@boring-cyborg boring-cyborg bot added ant changes to ant cli changes to the cli core changes to core maven changes to the maven plugin tests test cases labels Feb 17, 2026
@chadlwilson
Collaborator Author

After more thinking, while it's an improvement on the current state, I'm not super happy about this as there are some weird ASL things about keeping NOTICE.txt and moving straight to including an SBOM in ant/CLI/docker would be better.

I'll keep it open for comment for a bit before embarking on something more ambitious via cyclonedx-maven-plugin and see if that can handle the licenses detection/normalisation sufficiently.
