
License lost when migrating from 1.8 to 1.9 for javax dependencies #479

Open
lefevre00 opened this issue Aug 1, 2024 · 2 comments
Open
Labels
bug Something isn't working

Comments

@lefevre00

Hello,

When using v1.8, the license was present for my legacy dependency (`implementation("javax.annotation:javax.annotation-api:1.3.2")`).
This is no longer the case in 1.9: no license field is present in my BOM for the component with
"bom-ref" : "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar"

This may come from the transition from the javax to the jakarta group for new versions. But the old-style versions still exist.

Very easy to reproduce in a dummy project, with a build.gradle.kts like this:

    plugins {
        id("java")
        id("org.cyclonedx.bom") version "1.9.0"
    }

    group = "net.example"
    version = "1.0-SNAPSHOT"

    repositories {
        mavenCentral()
    }

    dependencies {
        implementation("javax.annotation:javax.annotation-api:1.3.2")
        testImplementation(platform("org.junit:junit-bom:5.10.0"))
        testImplementation("org.junit.jupiter:junit-jupiter")
    }

    tasks.test {
        useJUnitPlatform()
    }
@lefevre00
Author

License lost for javax.servlet:javax.servlet-api:3.1.0 too.

@skhokhlov
Member

Since the actual license resolution is happening in the core library, I believe it's a bug there. In this plugin we are just using that implementation.

The packages that you mentioned are using a quite custom license:
https://repo.maven.apache.org/maven2/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.pom

    <licenses>
        <license>
            <name>CDDL + GPLv2 with classpath exception</name>
            <url>https://github.com/javaee/javax.annotation/blob/master/LICENSE</url>
            <distribution>repo</distribution>
            <comments>A business-friendly OSS license</comments>
        </license>
    </licenses>

Which is not present in the license list.

Raised core library issue for this: CycloneDX/cyclonedx-core-java#471
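The comment above pins the cause on the POM license name not being in the SPDX list. As an added example (not code from the CycloneDX plugin or core library), the script below parses the quoted `<licenses>` block of a Maven POM and shows the two ways a generator can handle a name that has no SPDX identifier: drop it (the behaviour reported here, which silently removes license evidence from the SBOM) or fall back to a CycloneDX `license.name` entry so the BOM still records what the POM declared. The SPDX lookup table is a hand-built stub with only a few entries, the second POM excerpt is constructed, and `spdx_only` is a parameter invented for this illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed excerpt of the javax.servlet-api 3.1.0 POM <licenses> block quoted in the issue.
POM_CUSTOM_LICENSE = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses>
    <license>
      <name>CDDL + GPLv2 with classpath exception</name>
      <url>https://github.com/javaee/javax.annotation/blob/master/LICENSE</url>
      <distribution>repo</distribution>
      <comments>A business-friendly OSS license</comments>
    </license>
  </licenses>
</project>
"""

# Constructed second excerpt whose license name does map to an SPDX identifier.
POM_SPDX_LICENSE = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
</project>
"""

# Assumption: a tiny stand-in for the real SPDX license list, keyed by the
# normalised names that commonly appear in Maven POM files.
SPDX_BY_NAME = {
    "apache license, version 2.0": "Apache-2.0",
    "the apache software license, version 2.0": "Apache-2.0",
    "mit license": "MIT",
    "common development and distribution license 1.0": "CDDL-1.0",
}

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def normalise(name):
    """Lower-case and collapse whitespace so lookups tolerate minor formatting differences."""
    return " ".join(name.lower().split())


def parse_pom_licenses(pom_xml):
    """Return [{'name': ..., 'url': ...}, ...] for every <license> under <licenses>."""
    root = ET.fromstring(pom_xml)
    found = []
    for lic in root.findall("m:licenses/m:license", POM_NS):
        name = lic.findtext("m:name", default="", namespaces=POM_NS).strip()
        url = lic.findtext("m:url", default="", namespaces=POM_NS).strip()
        found.append({"name": name, "url": url})
    return found


def to_cyclonedx_licenses(pom_licenses, spdx_only=False):
    """Build CycloneDX 'licenses' entries.

    spdx_only=True reproduces the lossy behaviour described in the issue: a name that is
    not in the SPDX list yields no entry at all. spdx_only=False keeps the declared name
    as a CycloneDX 'name' license so the SBOM consumer can still see and review it.
    """
    entries = []
    for lic in pom_licenses:
        spdx_id = SPDX_BY_NAME.get(normalise(lic["name"]))
        if spdx_id:
            entry = {"license": {"id": spdx_id}}
        elif lic["name"] and not spdx_only:
            entry = {"license": {"name": lic["name"]}}
        else:
            continue  # dropped: either no name at all, or strict SPDX-only mode
        if lic["url"]:
            entry["license"]["url"] = lic["url"]
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for label, pom in (("javax.servlet-api", POM_CUSTOM_LICENSE), ("constructed Apache", POM_SPDX_LICENSE)):
        parsed = parse_pom_licenses(pom)
        print(label, "strict:", json.dumps(to_cyclonedx_licenses(parsed, spdx_only=True)))
        print(label, "fallback:", json.dumps(to_cyclonedx_licenses(parsed)))
```

Running it shows the strict mode producing an empty list for the javax POM, which is exactly the "no license field" symptom in the BOM, while the fallback mode emits a `name` plus `url` entry that a license-compliance reviewer can act on.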
