License Finder not able to handle snapshot versions properly #1050

@PreHCM-MiBo

Description

We are using mvn with snapshot versions in our projects and want to use License Finder to identify the licenses. Since we often use snapshots for in-house libraries during development, License Finder plays a vital role in ensuring proper license identification.

However, we are facing the following error when dealing with snapshot versions:

/usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:45:in `read': No such file or directory @ rb_sysopen - /root/.m2/repository/XX/XXXX/YY-TOOL/MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR/YY-TOOL-MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR.pom ((Errno::ENOENT)
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:45:in `read'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:45:in `add_info_from_pom'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:40:in `add_info_from_m2'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:21:in `block in dependencies'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:21:in `each'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_utils/maven_dependency_finder.rb:21:in `dependencies'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_managers/maven.rb:27:in `current_packages'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/package_manager.rb:105:in `current_packages_with_relations'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/scanner.rb:42:in `each'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/scanner.rb:42:in `flat_map'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/scanner.rb:42:in `active_packages'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/core.rb:84:in `current_packages'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/core.rb:79:in `decision_applier'
        from /usr/lib/ruby/3.3.0/forwardable.rb:234:in `any_packages?'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/license_aggregator.rb:17:in `block in any_packages?'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/license_aggregator.rb:15:in `map'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/license_aggregator.rb:15:in `any_packages?'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/lib/license_finder/cli/main.rb:121:in `action_items'
        from /usr/lib/ruby/gems/3.3.0/gems/thor-1.3.2/lib/thor/command.rb:28:in `run'
        from /usr/lib/ruby/gems/3.3.0/gems/thor-1.3.2/lib/thor/invocation.rb:127:in `invoke_command'
        from /usr/lib/ruby/gems/3.3.0/gems/thor-1.3.2/lib/thor.rb:538:in `dispatch'
        from /usr/lib/ruby/gems/3.3.0/gems/thor-1.3.2/lib/thor/base.rb:584:in `start'
        from /usr/lib/ruby/gems/3.3.0/gems/license_finder-7.2.1/bin/license_finder:6:in `<top (required)>'
        from /usr/bin/license_finder:25:in `load'
        from /usr/bin/license_finder:25:in `<main>'

The underlying job, mvn org.codehaus.mojo:license-maven-plugin:download-licenses, creates a licenses.xml under the build folder "target" with the following entry:

<dependency>
  <groupId>XX.XXXX</groupId>
  <artifactId>YY-TOOL</artifactId>
  <version>MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR</version>
  <licenses>
    <!-- No license information available. -->
  </licenses>
</dependency>

The dependency is specified in the POM in the following way:

<dependency>
  <groupId>XX.XXXX</groupId>
  <artifactId>YY-TOOL</artifactId>
  <version>MAJOR.MINOR-SNAPSHOT</version>
</dependency>

Problem

I am unable to proceed with the license check due to this issue. Here are my observations:

  • The POM file does not exist at the expected location. It is actually located under: /root/.m2/repository/XX/XXXX/YY-TOOL/MAJOR.MINOR-SNAPSHOT/YY-TOOL-MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR.pom.
  • License Finder seems to be fetching the information from a different source.
  • The underlying job mvn org.codehaus.mojo:license-maven-plugin:download-licenses executes without any issues.
  • When switching from a snapshot version to a proper release version, this problem does not occur. However, requiring all development teams to always use release versions is not a feasible or desired solution.
  • We use GitLab as a Package Registry.

Desired Solution

License Finder should properly support snapshot versions by searching for them in the correct directory.

Steps to Reproduce

  1. Use License Finder with Maven in a project that uses snapshot versions for in-house libraries.
  2. Observe the "No such file or directory" error pointing to the wrong POM location.

Expected Behavior

License Finder should correctly locate and handle snapshot versions during the license check process.

Please let me know if you need more information or if there are specific logs I can provide to assist in debugging this issue.
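The path mismatch described in the observations above (lookup under the timestamped version directory versus Maven's actual "-SNAPSHOT" directory) can be illustrated with the following added example. It is not License Finder's code and not from the reporter; the module name M2PomLocator, the sample coordinates (xx.xxxx:yy-tool, version 1.2-20240131.101500-7) and the throwaway repository are all constructed for the demonstration. The resolver builds the naive release-style path first, then the two layouts Maven uses for unique snapshots (remote-resolved: "-SNAPSHOT" directory with a timestamped file name; locally installed: "-SNAPSHOT" in both), and returns nil instead of raising Errno::ENOENT when nothing is found, so a caller can report the unresolved dependency rather than abort the whole license check.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not License Finder's own code. Resolves a dependency's POM in a
# local Maven repository (~/.m2/repository) the way Maven lays it out:
#
#   <repo>/<groupId with dots as dirs>/<artifactId>/<version>/<artifactId>-<version>.pom
#
# with the twist that a timestamped snapshot such as "1.2-20240131.101500-7"
# (MAJOR.MINOR-YYYYMMDD.HHMMSS-BUILDNR) lives under the "1.2-SNAPSHOT" directory
# while the file itself keeps the timestamped version.
module M2PomLocator
  # Maven's unique-snapshot version format: <base>-<yyyyMMdd.HHmmss>-<buildNumber>
  TIMESTAMPED_SNAPSHOT = /\A(?<base>.+)-(?<stamp>\d{8}\.\d{6})-(?<build>\d+)\z/

  # "1.2-20240131.101500-7" -> "1.2-SNAPSHOT"; nil for releases and plain -SNAPSHOT versions.
  def self.snapshot_base_version(version)
    m = TIMESTAMPED_SNAPSHOT.match(version)
    m && "#{m[:base]}-SNAPSHOT"
  end

  # Candidate POM paths in lookup order. The first is the release-style path
  # (the one the traceback on this page shows failing); the others cover the
  # two snapshot layouts Maven writes into the local repository.
  def self.candidate_pom_paths(repo, group_id, artifact_id, version)
    artifact_dir = File.join(repo, *group_id.split('.'), artifact_id)
    candidates = [File.join(artifact_dir, version, "#{artifact_id}-#{version}.pom")]
    if (base = snapshot_base_version(version))
      # Snapshot resolved from a remote registry: -SNAPSHOT directory, timestamped file.
      candidates << File.join(artifact_dir, base, "#{artifact_id}-#{version}.pom")
      # Snapshot installed locally (mvn install): -SNAPSHOT in directory and file name.
      candidates << File.join(artifact_dir, base, "#{artifact_id}-#{base}.pom")
    end
    candidates
  end

  # First candidate present on disk, or nil (caller decides how to report it).
  def self.locate_pom(repo, group_id, artifact_id, version)
    candidate_pom_paths(repo, group_id, artifact_id, version).find { |p| File.file?(p) }
  end
end

# Constructed demo: a throwaway repository mirroring the layout from the issue,
# with the POM stored under the -SNAPSHOT directory. Returns the path found,
# relative to the repository root.
def demo_snapshot_lookup
  Dir.mktmpdir('m2') do |repo|
    snap_dir = File.join(repo, 'xx', 'xxxx', 'yy-tool', '1.2-SNAPSHOT')
    FileUtils.mkdir_p(snap_dir)
    File.write(File.join(snap_dir, 'yy-tool-1.2-20240131.101500-7.pom'), '<project/>')
    found = M2PomLocator.locate_pom(repo, 'xx.xxxx', 'yy-tool', '1.2-20240131.101500-7')
    found && found.delete_prefix(repo)
  end
end

puts demo_snapshot_lookup if $PROGRAM_NAME == __FILE__
```

Trying the candidates in this order keeps release versions on the unchanged fast path, and the nil return makes the failure visible per dependency instead of as a crash of the entire scan, which is what a license-compliance gate in CI needs in order to fail the right way.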