sbt-license-report icon indicating copy to clipboard operation
sbt-license-report copied to clipboard

Published 20 hours ago verified publisher icon sbt

Use `value` instead of `DependencyResolution`

Open mdedetrich opened this issue 1 year ago • 3 comments

As explained in https://github.com/sbt/sbt-license-report/pull/86 it would be ideal to just use the update task in order to retrieve the dependencies from the report however we are blocked by https://github.com/coursier/coursier/issues/1790 (tl;dr coursier doesn't populate license information from ivy.xml descriptor files).

Using Ivy Resolution is also causing other problems, i.e. for dependencies that use packaging.type there is a workaround at https://github.com/sbt/sbt/issues/3618#issuecomment-432276237 however this doesn't seem to work with ivy resolution done by sbt plugins (I think that because of classloader isolation maybe the system properties aren't propogating?)

mdedetrich avatar Sep 13 '23 15:09 mdedetrich

Great work. Just to move the needle on this a bit, I shared what I think is the change you had in mind at https://github.com/sbt/sbt-license-report/pull/123 - and it indeed demonstrates the problem of not having licensing information populated (which is presumably caused by https://github.com/coursier/coursier/issues/1790, haven't dug into that part yet).

If you're into that sort of thing, you can set scriptedLaunchOpts += "-Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=5005" and then scripted dumpLicenseReport/default-report in sbt to see the problem with a debugger attached.

raboof avatar Jul 02 '24 23:07 raboof

It indeed looks like https://github.com/coursier/sbt-coursier/blob/main/modules/lm-coursier/src/main/scala/lmcoursier/internal/SbtUpdateReport.scala#L124 only looks at licenses defined in the pom of the artifact itself (e.g. it sees the license of junit) but if that is missing it does not look in the parent pom (e.g. commons-lang3 and jackson-databind have no licenses)

raboof avatar Jul 02 '24 23:07 raboof

so I guess the question is where we should implement https://maven.apache.org/pom.html#inheritance . Without understanding the context too well, it seems reasonable to do this at https://github.com/coursier/sbt-coursier/blob/main/modules/lm-coursier/src/main/scala/lmcoursier/internal/SbtUpdateReport.scala#L255, i.e. after looking up the project in the Resolution, but before passing it to moduleReport. Keeping it this local also might allow us to avoid implementing inheritence fully, and instead only inherit the fields that end up in ModuleReport.

raboof avatar Jul 03 '24 00:07 raboof