
Choose the best matching pom if multiple are found in the jar file #322

Open
AlexanderBartash opened this issue Oct 9, 2024 · 5 comments

Comments

@AlexanderBartash

For some reason Jaxb has multiple pom.xml files in the jar file. At the moment the plugin chooses the first one, which happens to be an incorrect one; as a result the license is not correct either.

The report says pom license is GNU General Public License, version 2 with the GNU Classpath Exception - https://www.gnu.org/software/classpath/license.html when it is actually EDL-1.0.

https://github.com/eclipse-ee4j/jaxb-ri/blob/b7d1ff7a13cecfaadde733387216b5cad09cc5b5/jaxb-ri/bundles/core/pom.xml#L29

@AlexanderBartash

AlexanderBartash commented Oct 10, 2024

OK, it does choose the wrong file, then it downloads a correct one, because it happens that in the wrong file a license is also not present. But the reason why the license is wrong is that if the license is not found in the pom, it keeps resolving parents until it finds one, and it goes up to a completely unrelated license in https://repo1.maven.org/maven2/org/eclipse/ee4j/project/1.0.9/project-1.0.9.pom which has that GNU General Public License, version 2 with the GNU Classpath Exception.

@AlexanderBartash

AlexanderBartash commented Oct 10, 2024

I submitted the fix anyway, since if they have multiple pom.xml files, others might as well, and the logic could misfire, but with this fix it will pick the best match.

@AlexanderBartash

Is it a bug that it fetches parent poms despite unionParentPomLicenses = false?

@AlexanderBartash

AlexanderBartash commented Oct 10, 2024

It looks like no

// If we didn't find a license in the root pom, then parent pom always applies (if it has one)

It would be nice to be able to turn that off; it is kind of counter-intuitive, and it contradicts the documentation https://github.com/jk1/Gradle-License-Report?tab=readme-ov-file#configuration

    // By default this plugin will collect the union of all licenses from 
    // the immediate pom and the parent poms. If your legal team thinks this 
    // is too liberal, you can restrict collected licenses to only include the
    // those found in the immediate pom file
    // Defaults to: true
    unionParentPomLicenses = false
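The two behaviours discussed in this thread, modelled as an added example (this is not the plugin's code, which is written in Groovy; Python is used here so the model runs stand-alone): choosing the `META-INF/maven/<groupId>/<artifactId>/pom.xml` entry that matches the dependency's coordinates instead of the first `pom.xml` found, and resolving licenses through the parent-pom chain with the parent walk either unioned, used only as a fallback, or disabled. All coordinates, pom contents, the in-memory jar and the three `mode` names are constructed for the illustration; only the GPL+CPE license name comes from the thread.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
GPL_CPE = "GNU General Public License, version 2 with the GNU Classpath Exception"


def choose_pom_entry(entry_names, group_id, artifact_id):
    """Pick the jar entry META-INF/maven/<groupId>/<artifactId>/pom.xml whose
    path best matches the dependency's coordinates. Ties keep the first entry,
    which is what "take the first pom.xml" degrades to when nothing matches."""
    candidates = [n for n in entry_names
                  if n.startswith("META-INF/maven/") and n.endswith("/pom.xml")]
    if not candidates:
        return None

    def score(name):
        parts = name.split("/")
        if len(parts) != 5:          # not the canonical 5-segment layout
            return 0
        return (2 if parts[2] == group_id else 0) + (3 if parts[3] == artifact_id else 0)

    return max(candidates, key=score)


def licenses_in(pom_xml):
    root = ET.fromstring(pom_xml)
    return [lic.findtext("m:name", namespaces=NS)
            for lic in root.findall("m:licenses/m:license", NS)]


def parent_of(pom_xml):
    p = ET.fromstring(pom_xml).find("m:parent", NS)
    if p is None:
        return None
    return tuple(p.findtext(t, namespaces=NS) for t in ("m:groupId", "m:artifactId", "m:version"))


def resolve_licenses(pom_xml, repo, mode):
    """mode 'union':     licenses of the pom plus every ancestor (unionParentPomLicenses = true)
       mode 'fallback':  immediate pom, but keep walking up until some ancestor has one
                         (the behaviour the issue observes with unionParentPomLicenses = false)
       mode 'immediate': immediate pom only, parents never consulted (hypothetical option)"""
    found = licenses_in(pom_xml)
    if mode == "immediate":
        return found
    parent = parent_of(pom_xml)
    while parent is not None and (mode == "union" or not found):
        ppom = repo.get(parent)   # a real resolver would download the parent pom here
        if ppom is None:
            break
        found += licenses_in(ppom)
        parent = parent_of(ppom)
    return found


def make_pom(group, artifact, version, license_name=None, parent=None):
    parent_xml = ("<parent><groupId>%s</groupId><artifactId>%s</artifactId>"
                  "<version>%s</version></parent>" % parent) if parent else ""
    lic_xml = ("<licenses><license><name>%s</name></license></licenses>"
               % license_name) if license_name else ""
    return ('<project xmlns="http://maven.apache.org/POM/4.0.0">%s<groupId>%s</groupId>'
            '<artifactId>%s</artifactId><version>%s</version>%s</project>'
            % (parent_xml, group, artifact, version, lic_xml))


# Constructed stand-in for the remote repository: only the ancestors live here.
REPO = {
    ("org.example", "root-project", "1"): make_pom("org.example", "root-project", "1", GPL_CPE),
    ("org.example", "bundles-parent", "4"): make_pom("org.example", "bundles-parent", "4",
                                                     parent=("org.example", "root-project", "1")),
}


def build_jar():
    """Constructed jar with two embedded poms; the unrelated one comes first."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/maven/org.example/runtime-core/pom.xml",
                   make_pom("org.example", "runtime-core", "4",
                            parent=("org.example", "bundles-parent", "4")))   # no <licenses>
        z.writestr("META-INF/maven/org.example/jaxb-core/pom.xml",
                   make_pom("org.example", "jaxb-core", "4", "EDL-1.0",
                            parent=("org.example", "bundles-parent", "4")))
    return buf.getvalue()


def report_license(jar_bytes, group, artifact, mode, pick_best=True):
    """Return (chosen pom entry, licenses) for one dependency of the constructed jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        entry = (choose_pom_entry(names, group, artifact) if pick_best
                 else next(n for n in names if n.endswith("/pom.xml")))
        return entry, resolve_licenses(z.read(entry).decode(), REPO, mode)


if __name__ == "__main__":
    jar = build_jar()
    for pick_best, mode in [(False, "fallback"), (True, "fallback"), (False, "immediate"), (True, "union")]:
        print(pick_best, mode, report_license(jar, "org.example", "jaxb-core", mode, pick_best))
```

Running it shows the misreport from the thread: with the first `pom.xml` and the fallback walk, the unrelated entry has no license, its parent has none either, and the grandparent's GPL+CPE ends up attributed to `jaxb-core`. Matching on coordinates fixes the entry choice; disabling the parent walk turns a wrong license into an empty one, which is the safer failure for a compliance report because it is visible.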

AlexanderBartash added a commit to AlexanderBartash/Gradle-License-Report that referenced this issue Oct 10, 2024
…to allow to disable parent merging completely.
@AlexanderBartash

Here is a PR for that as well: #324. With these changes the report is much better.
