How Do We Aggregate Licenses

13. February 2020

If you develop a public software product that uses third-party code, it's very likely that the licenses force you to list them in some visible place. You can find them in your smartphone OS or even in a car with an onboard computer. You usually have to dig deep in the UI, but it's there. In the same way, we have to provide licenses in our Model Governance Suite product. The easy way would be to aggregate all licenses and dump them somewhere just as they are. But we wanted a more sophisticated and automated solution that produces formatted text output for the UI and an Excel overview file for us.

We started by analyzing our package managers, as they are usually able to generate a license overview. For the backend, we use Maven. The React GUI uses NPM. When making a web application in Java and JavaScript, it's likely you will use these, so supporting Maven and NPM was our goal. Maven has the license-maven-plugin and NPM has license-checker, but the formatting capabilities are limited and each manager produces a different file type. Merging them without any glue would result in a Frankenfile monster, so we decided to develop our glue in the form of a simple Java command-line tool.

I won't go into the details, since the important information about usage is already written in the project repository. The License parser is able to read the default outputs of Maven and NPM and produce a configurable text and Excel file. The user can provide a text template with replacement tags and adjust the look of the text output to their needs. The Excel file has configurable columns. The tool is also able to read a predefined JSON schema, so the user can provide another set of external licenses (when the dependency isn't coming from NPM or Maven).

License parser

As the last step that automates the execution, we have a Jenkins job that executes a Bash script. It clones and builds the License parser from source code, clones all relevant MGS modules and executes mvn license:download-licenses and license-checker --json on them. The job then executes the License parser. We also provide the other licenses as a job parameter with a default value. Output files are then archived with a post-build action.
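To make the pipeline above concrete, here is an added example (not the License parser's code) of the merging step: it reads the JSON shape that license-checker --json emits and the licenses.xml shape that mvn license:download-licenses writes, unifies both into one record list, renders it through a text template with replacement tags, and flags entries whose license is missing, guessed or not on an allowlist. The two input documents are constructed inline and modelled on the tools' default formats, and the allowlist (ALLOWED) and the review flag are assumptions of this example, not features the post describes.

```python
"""Merge NPM license-checker JSON and Maven license:download-licenses XML
into one record list, render it through a text template, and flag licenses
that need manual review.

Added example, not the License parser project's own code. The sample
inputs are constructed and modelled on the two tools' default output.
"""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: shape of `license-checker --json` output, one object
# keyed by "name@version". license-checker reports "UNKNOWN" when it finds
# no license and appends "*" when the license was guessed from a file.
NPM_JSON = """{
  "react@16.12.0": {"licenses": "MIT", "repository": "https://github.com/facebook/react"},
  "left-pad@1.3.0": {"licenses": "WTFPL", "repository": "https://github.com/stevemao/left-pad"},
  "mystery-lib@0.0.1": {"licenses": "UNKNOWN"}
}"""

# Constructed sample: shape of target/generated-resources/licenses.xml
# written by `mvn license:download-licenses`.
MAVEN_XML = """<licenseSummary>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.10.2</version>
      <licenses>
        <license>
          <name>The Apache Software License, Version 2.0</name>
          <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
        </license>
      </licenses>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>no-license-lib</artifactId>
      <version>1.0</version>
      <licenses/>
    </dependency>
  </dependencies>
</licenseSummary>"""

# Assumed allowlist for this example; a real project would maintain its own.
ALLOWED = {"MIT", "Apache-2.0", "The Apache Software License, Version 2.0", "BSD-3-Clause"}


@dataclass(frozen=True)
class Dependency:
    source: str   # "npm" or "maven"
    name: str
    version: str
    license: str
    url: str


def parse_npm(text: str) -> list[Dependency]:
    deps = []
    for key, info in json.loads(text).items():
        # rpartition keeps the leading "@" of scoped packages such as @scope/pkg@1.0
        name, _, version = key.rpartition("@")
        lic = info.get("licenses", "UNKNOWN")
        if isinstance(lic, list):          # license-checker may emit a list of licenses
            lic = " OR ".join(lic)
        deps.append(Dependency("npm", name, version, lic, info.get("repository", "")))
    return deps


def parse_maven(text: str) -> list[Dependency]:
    deps = []
    for dep in ET.fromstring(text).iter("dependency"):
        name = f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"
        version = dep.findtext("version") or ""
        licenses = dep.findall("licenses/license")
        if not licenses:                    # no license metadata at all: record it explicitly
            deps.append(Dependency("maven", name, version, "UNKNOWN", ""))
        for lic in licenses:                # a Maven artifact may declare several licenses
            deps.append(Dependency("maven", name, version,
                                   lic.findtext("name") or "UNKNOWN", lic.findtext("url") or ""))
    return deps


def aggregate(npm_text: str, maven_text: str) -> list[Dependency]:
    """One sorted list covering both package managers."""
    return sorted(parse_npm(npm_text) + parse_maven(maven_text), key=lambda d: (d.source, d.name))


# Replacement tags as str.format fields, standing in for the tool's text template.
DEFAULT_TEMPLATE = "{name} {version} ({source}) -- {license} {url}"


def render(deps: list[Dependency], template: str = DEFAULT_TEMPLATE) -> str:
    return "\n".join(template.format(**vars(d)) for d in deps)


def unapproved(deps: list[Dependency], allowed: set[str] = ALLOWED) -> list[Dependency]:
    """Entries whose license is guessed ('*' suffix), missing, or not allowlisted."""
    return [d for d in deps if d.license.endswith("*") or d.license not in allowed]


if __name__ == "__main__":
    all_deps = aggregate(NPM_JSON, MAVEN_XML)
    print(render(all_deps))
    for d in unapproved(all_deps):
        print(f"REVIEW: {d.source} {d.name}@{d.version} license={d.license!r}")
```

Running it prints the merged overview followed by three REVIEW lines (the Maven artifact without license metadata, the WTFPL package and the UNKNOWN package). Treating "UNKNOWN" and guessed licenses as review items rather than silently listing them is the check that keeps an aggregated list honest: a dependency that the package manager could not attribute is exactly the one a human needs to look at.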

Since the tool was developed quickly and for our own use case, there is still room for improvement, both technically and feature-wise. If you think that the current version doesn't fulfill your needs, don't hesitate to fork our project on GitHub. Pull requests are welcome.

Author: Luděk Novotný