jfrog-cli

Improper license classification when performing license auditing

Open NathanEckert opened this issue 1 year ago • 0 comments

Describe the bug

When running jf audit --mvn --licenses --format=json > output.json on my project, I get some dependencies tagged with the wrong licenses.

When looking in the output, I find that two of my dependencies are licensed only under the GPL and GPL classpath exception, when I am expecting to find Apache-2 based on their metadata, see:

  • https://mvnrepository.com/artifact/com.google.api.grpc/proto-google-cloud-storage-v2/2.43.0-beta
  • https://mvnrepository.com/artifact/org.eclipse.jetty.ee10.websocket/jetty-ee10-websocket-servlet/12.0.15

Current behavior

Current output file

      {
        "license_key": "GPL-2.0",
        "components": {
          "gav://com.google.api.grpc:proto-google-cloud-storage-v2:2.43.0-beta": {
            "impact_paths": [...]
          }
        }
      },
      {
        "license_key": "Classpath-exception-2.0",
        "components": {
          "gav://com.google.api.grpc:proto-google-cloud-storage-v2:2.43.0-beta": {
            "impact_paths": [...]
          }
        }
      }

Reproduction steps

With a dummy empty project and the following pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.activeviam.activepivot</groupId>
  <artifactId>jfrog_audit</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <maven.compiler.source>21</maven.compiler.source>
    <maven.compiler.target>21</maven.compiler.target>
  </properties>

  <dependencies>
    <dependency>
      <groupId>com.google.api.grpc</groupId>
      <artifactId>proto-google-cloud-storage-v2</artifactId>
      <version>2.43.0-beta</version>
    </dependency>

    <dependency>
      <groupId>org.eclipse.jetty.ee10.websocket</groupId>
      <artifactId>jetty-ee10-websocket-servlet</artifactId>
      <version>12.0.15</version>
    </dependency>
  </dependencies>
</project>

Expected behavior

I would expect a section in the output file with the Apache 2 license information, and no GPL licenses:

      {
        "license_key": "Apache-2.0",
        "components": {
          "gav://com.google.api.grpc:proto-google-cloud-storage-v2:2.43.0-beta": {
            "impact_paths": [...]
          }
        }
      }

JFrog CLI version

jf version 2.74.0

Operating system type and version

Ubuntu 24.04.2

JFrog Artifactory version

No response

JFrog Xray version

No response

NathanEckert, Mar 05 '25 15:03
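The reporter found the misclassification by comparing the audit output against the dependency metadata by hand. The script below automates that comparison as an added example; it is not the reporter's code and not part of JFrog CLI or Xray. It relies only on the fields visible in the report excerpts above (`license_key`, `components`, `gav://group:artifact:version` keys) and discovers the surrounding JSON structure by walking it rather than assuming a top-level shape; the `licenses` wrapper in the sample, the SPDX alias table, and the two POMs and the report excerpt are constructed sample data, not real output.

```python
"""Cross-check the license keys in a `jf audit --licenses --format=json`
report against the licenses each dependency's POM declares.

Added example, not part of the original issue, JFrog CLI or Xray.
Assumptions: the report contains objects with `license_key` and
`components` keyed by `gav://group:artifact:version` (as in the issue);
the outer `licenses` list in SAMPLE_AUDIT_JSON is an assumed wrapper;
SPDX_ALIASES is a minimal, hand-written normalisation table.
"""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report excerpt in the shape shown in the issue.
SAMPLE_AUDIT_JSON = json.dumps({"licenses": [
    {"license_key": "GPL-2.0",
     "components": {"gav://com.google.api.grpc:proto-google-cloud-storage-v2:2.43.0-beta": {"impact_paths": []}}},
    {"license_key": "Classpath-exception-2.0",
     "components": {"gav://com.google.api.grpc:proto-google-cloud-storage-v2:2.43.0-beta": {"impact_paths": []}}},
    {"license_key": "Apache-2.0",
     "components": {"gav://org.eclipse.jetty.ee10.websocket:jetty-ee10-websocket-servlet:12.0.15": {"impact_paths": []}}},
]})

# Constructed POMs (not the real published ones) declaring Apache-2.0.
SAMPLE_POM_GCS = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.google.api.grpc</groupId>
  <artifactId>proto-google-cloud-storage-v2</artifactId>
  <version>2.43.0-beta</version>
  <licenses><license><name>Apache-2.0</name></license></licenses>
</project>"""
SAMPLE_POM_JETTY = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.eclipse.jetty.ee10.websocket</groupId>
  <artifactId>jetty-ee10-websocket-servlet</artifactId>
  <version>12.0.15</version>
  <licenses><license><name>Apache License, Version 2.0</name></license></licenses>
</project>"""

# Assumed alias table: common POM license names -> SPDX identifiers.
SPDX_ALIASES = {
    "apache-2.0": "Apache-2.0",
    "apache license, version 2.0": "Apache-2.0",
    "the apache software license, version 2.0": "Apache-2.0",
    "gpl-2.0": "GPL-2.0",
    "gnu general public license, version 2": "GPL-2.0",
    "eclipse public license - v 2.0": "EPL-2.0",
}
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def normalise(name: str) -> str:
    """Map a free-text POM license name to an SPDX id where the table knows it."""
    return SPDX_ALIASES.get(" ".join(name.split()).lower(), name.strip())


def audit_licenses(report_text: str) -> dict[str, set[str]]:
    """Map each gav:// component to every license_key the report assigns it.

    Walks the whole JSON tree, so it works regardless of how the
    license objects are nested in the report.
    """
    found = defaultdict(set)

    def walk(node):
        if isinstance(node, dict):
            if "license_key" in node and isinstance(node.get("components"), dict):
                for comp in node["components"]:
                    found[comp].add(node["license_key"])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(report_text))
    return dict(found)


def pom_licenses(pom_text: str) -> tuple[str, set[str]]:
    """Return (gav:// id, normalised declared licenses) from a POM.

    Caveat: coordinates and <licenses> inherited from a parent POM are not
    resolved here; feed the effective POM (mvn help:effective-pom) for those.
    """
    root = ET.fromstring(pom_text)
    coords = tuple(root.findtext(f"m:{t}", namespaces=POM_NS) for t in ("groupId", "artifactId", "version"))
    names = {normalise(n.text or "") for n in root.findall("m:licenses/m:license/m:name", POM_NS)}
    return "gav://%s:%s:%s" % coords, names


def mismatches(report_text: str, poms: list[str]) -> dict[str, dict]:
    """Components whose reported license keys differ from their POM declaration."""
    reported_all = audit_licenses(report_text)
    out = {}
    for pom in poms:
        gav, declared = pom_licenses(pom)
        reported = reported_all.get(gav, set())
        if reported == declared:
            continue
        out[gav] = {
            "declared": declared,
            "reported": reported,
            # Copyleft keys the POM never mentions: the situation in this issue.
            "unexpected_copyleft": {k for k in reported - declared if k.startswith(COPYLEFT_PREFIXES)},
        }
    return out


if __name__ == "__main__":
    for gav, info in mismatches(SAMPLE_AUDIT_JSON, [SAMPLE_POM_GCS, SAMPLE_POM_JETTY]).items():
        print(gav, "declared", sorted(info["declared"]), "reported", sorted(info["reported"]))
```

Run it against a real report by replacing `SAMPLE_AUDIT_JSON` with the contents of `output.json` and the POM strings with the dependencies' effective POMs; an empty result means every checked component's license keys agree with its metadata, and `unexpected_copyleft` isolates the GPL-only classifications that a policy gate would otherwise block on.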