Foss Report generates various reports regarding the dependencies and FOSS licenses used in a project.
The foss-report tool works on license report generated on the repositories of a project. foss-report collects the license reports from all repositories in a given folder and aggregates the artifact and license information in a single collection. For this collection reports can be generated and the licenses and source artifacts can be downloaded. The foss-report can also generate diff report on two versions of the repositories or reports.
Currently THIRD-PARTY.txt reports generated with Apache Maven are supported.
As there is no standard way of naming specific licenses in project files, the foss-report tool uses a configuration file named 'txt2spdx.json'. It contains the mapping of the license names as provided by the project (e.g. in the pom.xml) to the SPDX id of the license. The SPDX id of the license can be used to get further information for the license, like the license text or OSS/FSF compatibility.
The foss-tool uses leiningen as a build tool. With leiningen installed, you can generate a jar containing all the dependencies with
lein uberjar
You can generate the Thirdparty file from the directory of a maven project with th maven license plugin, e.g.
mvn license:add-third-party -Dlicense.excludedScopes=test
If you have a directory with multiple maven projects, you can use the following bash command to generate the Thirdparty files for all projects in a directory, e.g. for repositories residing in the git directory
find git -maxdepth 3 -type f -name pom.xml -execdir mvn license:add-third-party -Dlicense.excludedScopes=test \;
You can run the uberjar with java:
java -jar <path-to-jar>\foss-report.jar [options]
You can also run the foss-tool from build directory with leiningen for testing:
lein run [options]
Options:
Option Default Description
-b, --base-dir DIRNAME Base directory. If set, the paths are relative to this directory.
-c, --current FILENAME Name of the file or directory with current artifact information.
-p, --previous FILENAME Name of the file or directory with current artifact information.
-i, --spdx-file FILENAME txt2spdx.json Name of the license names to SPDX ID mapping file.
-r, --foss-report Generate a FOSS report.
-d, --foss-diff Generate a FOSS diff report. Needs current and previous input.
-u, --update-spdx-mapping Generate an updated license names to SPDX ID mapping.
-l, --download-licenses Download the relevant licenses from SPDX.
-L, --licenses-dir DIRNAME licenses Directory for the download of licenses from SPDX.
-s, --download-sources Download the relevant source jars.
-S, --sources-dir DIRNAME sources Directory for the download of source jars.
-y, --scan-sources Scan the sources for copyrights and notices.
-f, --report-format FORMAT xls The output format for reports (xls, json, stdout).
-v, --versions Process each artifact version.
-g, --gpl-only Reports the list of GPL only licensed artifacts.
-n, --no-foss-license Reports the list of artifacts without FOSS license.
-h, --help Print usage information.
THe foss-report tool uses a mapping file from the various forms of a license to its SPDX ID, which acts as a canonical identifier for the most common licenses.
Errors accessing spdx.org (e.g. Exception in thread "main" java.io.FileNotFoundException: https://spdx.org/licenses/CC0.json) -> Edit the txt2spdx.json file to fix the missing entry.