Full and up-to-date list of dependencies
Use the Eclipse Dash license tool (see https://github.com/eclipse/dash-licenses) during the build to:
- Automatically generate the list of dependencies
- Automatically check the list of dependencies to ensure only approved dependencies are used
We can do this by using the provided Maven plugin. Configure in pom.xml:
- As part of <pluginRepositories>:

      <!-- Dash license plugin. -->
      <pluginRepository>
          <id>dash-licenses-snapshots</id>
          <url>https://repo.eclipse.org/content/repositories/dash-licenses-snapshots/</url>
          <snapshots>
              <enabled>true</enabled>
          </snapshots>
      </pluginRepository>

- As part of <build>:

      <!-- Check licenses of third party dependencies. -->
      <plugin>
          <groupId>org.eclipse.dash</groupId>
          <artifactId>license-tool-plugin</artifactId>
          <version>0.0.1-SNAPSHOT</version>
          <executions>
              <execution>
                  <id>license-check</id>
                  <phase>verify</phase>
                  <goals>
                      <goal>license-check</goal>
                  </goals>
              </execution>
          </executions>
      </plugin>

However, for now we get the following error:
[ERROR] Failed to execute goal org.eclipse.dash:license-tool-plugin:0.0.1-SNAPSHOT:license-check (license-check)
on project org.eclipse.escet.root: Execution license-check of goal
org.eclipse.dash:license-tool-plugin:0.0.1-SNAPSHOT:license-check failed: Unable to load the mojo 'license-check'
in the plugin 'org.eclipse.dash:license-tool-plugin:0.0.1-SNAPSHOT' due to an API incompatibility:
org.codehaus.plexus.component.repository.exception.ComponentLookupException:
org/eclipse/dash/licenses/maven/LicenseCheckMojo has been compiled by a more recent version of the Java Runtime
(class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
The plugin requires Java 11 (class file version 55) and we use Java 8 (class file version 52). We should pick this up again after switching to Java 11+.
We should check the settings of the tool as well. See e.g. https://github.com/eclipse/dash-licenses/blob/master/maven-plugin/src/main/java/org/eclipse/dash/licenses/maven/MavenSettings.java. I did not find an online documentation page for the plugin yet. You can also check the source code of the plugin JAR. See https://repo.eclipse.org/#view-repositories;dash-licenses-snapshots~browsestorage and https://repo.eclipse.org/service/local/repositories/dash-licenses-snapshots/content/org/eclipse/dash/license-tool-plugin/0.0.1-SNAPSHOT/license-tool-plugin-0.0.1-20210223.213346-4.jar (file META-INF/maven/plugin.xml).
See https://github.com/eclipse/dash-licenses/issues/45 for releasing the Maven plugin and https://github.com/eclipse/dash-licenses/issues/59 for the plugin being applied to the plugin itself.
We could let the plugin generate a 'DEPENDENCIES' file in the root of our Git repository. Then we don't need to duplicate that information in the 'NOTICE.asciidoc' file, as it can simply refer to the 'DEPENDENCIES' file. This is also proposed at https://github.com/eclipse/dash-licenses/issues/43.
We can run the tool manually on the Maven dependency:list output for now.
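
One way to prepare the dependency:list output for that manual run, as an added example that is not part of the original issue or the Dash project's own code. The sample Maven output is constructed, DASH_JAR is a placeholder for a locally downloaded Dash license tool JAR, and the set of scopes kept is an assumption.

```shell
#!/bin/sh
# Scopes to keep (assumption: test-only dependencies are not distributed).
SCOPES='compile|provided|system'

# Read `mvn dependency:list` output on stdin and print the unique Maven
# coordinates, one per line. A coordinate is group:artifact:type:version:scope,
# optionally with a classifier before the version. Requiring that many fields
# rejects goal lines such as "maven-compiler-plugin:3.8.1:compile", which a
# looser "anything ending in :compile" filter would report as a dependency.
extract_coords() {
    grep -Eo "[^[:space:]:]+(:[^[:space:]:]+){3,4}:($SCOPES)" | LC_ALL=C sort -u
}

# Constructed sample of multi-module build output (not from a real build).
sample_output() {
    cat <<'EOF'
[INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ module-a ---
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ module-a ---
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-lang3:jar:3.11:compile
[INFO]    junit:junit:jar:4.13.1:test
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ module-b ---
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-lang3:jar:3.11:compile
[INFO]    com.google.guava:guava:jar:30.1-jre:compile -- module com.google.common
[INFO]    org.example:native-lib:jar:linux-x86_64:1.0.0:provided
EOF
}

# Not called here: run the Dash CLI on the extracted coordinates ("-" reads
# them from stdin) and write the result to a DEPENDENCIES file.
check_licenses() {
    mvn dependency:list | extract_coords |
        java -jar "$DASH_JAR" -summary DEPENDENCIES -
}

# Show what would be sent to the tool for the constructed sample.
sample_output | extract_coords
```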