dhockey dhockey - 1 month ago 11
Java Question

Analyze all JARs in project to get version and license info

Maven has a feature where it can build a site. This site has a tab called dependencies that shows the version and license info of all the jars the project depends on. I'm trying to find similar functionality without using maven. I've been tasked with gathering this info for a very large amount of JARs in a big project so anything automated would help.

Answer

The maven report relies on some information in the pom.xml files - since a lot of jar's don't include license information you will need to query several information sources. There will be quite some empty entries in that list - even with maven and the pom meta information.

Possible solutions that come to mind:

In the sonatype portfolio is a product called nexus iq (or nexus firewall) that allows to analyze dependencies (for both license information and security issues). I only used it with maven but there seems to be a CLI available. This is a commercial product.

Another option might be to take from the maven plugin what you need and replicate it into an ant task. Do you use ivy with ant? The plugin that generates the site is this one: - it does not look to complicated to retrieve some information from maven central (even if your are not using maven that might be a good source). The sources are in SVN.

The artifact resolution from maven central can be done with Eclipse Aether. So you could retrieve the information from maven central (if you can map your jars to those). But only if the pom contains a license section there will be some information. Sometimes a license.txt is packed with the jar, sometimes you can find the license in the class headers. But there is no guarantee for any of those. The information for those jars will need to be maintained by yourself.

Comments