Obtaining dependency licenses
We need to get all licenses for the dependencies of our services. While it's easy to get these from the report plugin (or mojohaus' license-maven-plugin), our lawyers want us to really go to the source of each dependency and grab the license file. Do you know how we can achieve this?
Alternatively - how can I get the artifact scm connection url? I can use this information to automate this process myself.
To get things right, you need to first build all the binaries and source jars for each jar you depend on. This might be a good start: http://maven.apache.org/components/plugins/maven-dependency-plugin/ (I'm not a Maven expert). It looks like it can get sources too. You probably want to run something like this, but I'm not sure where the sources are going:
mvn dependency:sources
See also: fooobar.com/questions/151098 / ...
After that you can install ScanCode ( https://github.com/nexB/scancode-toolkit ), then run extractcode on the directory containing your jars to unzip them all, and then run
scancode --format html-app <your jar dir> my-jars.html
to get a detailed license and copyright report: open my-jars.html in your browser.
Disclosure: I am one of the authors of ScanCode, and by the way, I am working to get into ScanCode exactly what you asked for: resolve the Maven dependency tree, fetch all jars and sources, and finally collect POM metadata and run a scan on binaries + sources. Maybe you are interested in chipping in?
About the scm connection, it is not always present in the POM, so I would not recommend this route. It is even less common than source jars.
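To see how often the POM route actually yields a license or an scm connection, the sketch below inspects a jar for license-like files and for the POM that Maven-built jars embed under META-INF/maven/. It is an added example, not code from the answer or from ScanCode; the function names are hypothetical and the sample jars and POMs are constructed in memory.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

LICENSE_NAME = re.compile(r"(^|/)(LICEN[SC]E|NOTICE|COPYING)[^/]*$", re.I)  # license-like file names

def pom_metadata(pom_xml: bytes) -> dict:
    """Declared licenses and SCM connection of one POM; scm is None when absent."""
    if b"<!DOCTYPE" in pom_xml:  # a POM needs no DTD; refuse it in third-party XML
        raise ValueError("DOCTYPE not allowed in POM")
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # POMs occur with and without the Maven namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    licenses = [(lic.findtext("name", "").strip(), lic.findtext("url", "").strip())
                for lic in root.findall("licenses/license")]
    scm = (root.findtext("scm/connection") or root.findtext("scm/url") or "").strip()
    return {"licenses": licenses, "scm": scm or None}

def scan_jar(jar_bytes: bytes) -> dict:
    """License-like files and embedded POM metadata found in one jar."""
    report = {"license_files": [], "poms": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if LICENSE_NAME.search(name):
                report["license_files"].append(name)
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                report["poms"].append(pom_metadata(jar.read(name)))
    return report

def constructed_jar(pom: bytes, extra=()) -> bytes:
    """Build a small in-memory jar (constructed sample, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/maven/org.example/demo/pom.xml", pom)
        for name in extra:
            z.writestr(name, "constructed license text")
    return buf.getvalue()

# Constructed POMs: one complete, one with neither <licenses> nor <scm>.
FULL_POM = b"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>Apache-2.0</name>
    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url></license></licenses>
  <scm><connection>scm:git:https://example.org/demo.git</connection></scm></project>"""
BARE_POM = b"<project><artifactId>demo</artifactId></project>"

if __name__ == "__main__":
    print(scan_jar(constructed_jar(FULL_POM, ["META-INF/LICENSE.txt"])))
    print(scan_jar(constructed_jar(BARE_POM)))
```

An empty result for a POM does not mean the artifact is unlicensed: both elements can be inherited from a parent POM, which this sketch does not resolve.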