[license-gather-plugin] Ability to handle multiple licensed artefacts #54

Open
@bric3

I noticed that some dependencies were not in the output, because it happens they are dual licensed.


EDIT: Actually, it may be (partly) working as some dependencies are in the report but not all of those that are ignored due to multiple licenses in Bundle-License.

    LICENSE-like files are missing
    ==============================

    BSD-3-Clause
    * org.pushing-pixels:radiance-animation:6.0.1

    MIT
    * com.github.scribejava:scribejava-core:8.3.1
    * com.github.scribejava:scribejava-java8:8.3.1
    * org.brotli:dec:0.1.2

    Apache-2.0 AND LGPL 2.1 (http://www.gnu.org/licenses/lgpl-2.1.html) AND MPL-1.1
    * org.javassist:javassist:3.25.0-GA

    EPL-2.0 AND GPL2 w/ CPE (https://www.gnu.org/software/classpath/license.html)
    * org.glassfish.hk2:osgi-resource-locator:1.0.3


I discovered this by adding --info:

Ignoring Bundle-License 'http://www.eclipse.org/legal/epl-2.0, https://www.gnu.org/software/classpath/license.html, http://www.apache.org/licenses/LICENSE-2.0.html' in /Users/brice.dutheil/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.media/jersey-media-json-jackson/3.0.4/cad1796630c5c79decde3f9dc2205bd95093aee5/jersey-media-json-jackson-3.0.4.jar since it contains multiple license references

Looking at the jar itself, we see that

  • jersey-media-json-jackson-3.0.4.jar!/META-INF/MANIFEST.MF

    Bundle-License: http://www.eclipse.org/legal/epl-2.0, https://www.gnu.
     org/software/classpath/license.html, http://www.apache.org/licenses/L
     ICENSE-2.0.html
    
  • jersey-media-json-jackson-3.0.4.jar!/META-INF/LICENSE.md

    # Eclipse Public License - v 2.0
    
            THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE
    
    ---
    
    ##    The GNU General Public License (GPL) Version 2, June 1991
    
        Copyright (C) 1989, 1991 Free Software Foundation, Inc.
        ...
    
    ---
    
    ## CLASSPATH EXCEPTION
    
        Linking this library statically or dynamically with other modules is
        ...

The most interesting details seem to come from the pom licenses element.

  • jersey-media-json-jackson-3.0.4.jar!/META-INF/maven/org.glassfish.jersey.media/jersey-media-json-jackson/pom.xml

    <licenses>
        <license>
            <name>EPL 2.0</name>
            <url>http://www.eclipse.org/legal/epl-2.0</url>
            <distribution>repo</distribution>
            <comments>Except for Guava, JSR-166 files, Dropwizard Monitoring inspired classes, ASM and Jackson JAX-RS Providers.
                See also https://github.com/eclipse-ee4j/jersey/blob/master/NOTICE.md</comments>
        </license>
        <license>
            <name>The GNU General Public License (GPL), Version 2, With Classpath Exception</name>
            <url>https://www.gnu.org/software/classpath/license.html</url>
            <distribution>repo</distribution>
            <comments>Except for Jackson JAX-RS Providers.
                See also https://github.com/jersey/jersey/blob/master/NOTICE.md</comments>
        </license>
        <license>
            <name>Apache License, 2.0</name>
            <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
            <distribution>repo</distribution>
            <comments>Jackson JAX-RS Providers @ org.glassfish.jersey.jackson.internal.jackson.jaxrs</comments>
        </license>
    </licenses>

I'm not sure how to handle these cases, but this seems legitimate, in particular if the artifact has shadowed dependencies or if it's simply a fatjar.
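As an added illustration (not part of the issue and not the plugin's code): a Python example that unfolds the wrapped Bundle-License header shown above, splits it into individual references, and matches each one against the pom's licenses entries instead of discarding the header. The function names and the reduced sample data are constructed for this example; how the references combine (AND/OR) is deliberately left undecided.

```python
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the header and pom entries quoted in the issue.
MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Bundle-License: http://www.eclipse.org/legal/epl-2.0, https://www.gnu.\r\n"
    " org/software/classpath/license.html, http://www.apache.org/licenses/L\r\n"
    " ICENSE-2.0.html\r\n"
)
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><licenses>
 <license><name>EPL 2.0</name><url>http://www.eclipse.org/legal/epl-2.0</url></license>
 <license><name>The GNU General Public License (GPL), Version 2, With Classpath Exception</name>
  <url>https://www.gnu.org/software/classpath/license.html</url></license>
 <license><name>Apache License, 2.0</name>
  <url>http://www.apache.org/licenses/LICENSE-2.0.html</url></license>
</licenses></project>"""

def manifest_headers(text):
    # Manifest lines are folded; a continuation line starts with one space.
    headers, last = {}, None
    for line in text.splitlines():
        if not line:  # a blank line ends the main section
            break
        if line.startswith(" ") and last:
            headers[last] += line[1:]
        else:
            last, _, value = line.partition(": ")
            headers[last] = value
    return headers

def bundle_licenses(value):
    # Split on commas outside quotes; keep the part before any ';attribute'.
    items, buf, quoted = [], "", False
    for ch in value:
        quoted ^= ch == '"'  # toggle on every double quote
        if ch == "," and not quoted:
            items.append(buf)
            buf = ""
        else:
            buf += ch
    items.append(buf)
    return [i.split(";", 1)[0].strip() for i in items if i.strip()]

def pom_licenses(pom_xml):
    # One dict per <license>, ignoring the XML namespace and folding whitespace.
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    return [{local(c): " ".join((c.text or "").split()) for c in el}
            for el in ET.fromstring(pom_xml).iter() if local(el) == "license"]

def reconcile(manifest_text, pom_xml):
    # Pair each Bundle-License reference with the pom license name sharing its URL.
    by_url = {lic.get("url"): lic.get("name") for lic in pom_licenses(pom_xml)}
    refs = bundle_licenses(manifest_headers(manifest_text).get("Bundle-License", ""))
    return [(ref, by_url.get(ref)) for ref in refs]
```

A reference that comes back paired with `None` has no matching pom entry and needs manual review. MANIFEST.MF and pom.xml come from third-party jars, so a hardened XML parser such as defusedxml is the safer choice when running this over real dependencies.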
