maven-users mailing list archives

From "Lyons, Roy" <>
Subject Re: Source code verification/compliance with Maven?
Date Thu, 09 May 2013 14:15:53 GMT
Well, I know that Sonatype has a product they have been pretty aggressive
with called CLM.

CLM shows both vulnerabilities and license threats -- including undefined
licenses...  Perhaps that is what you need?


Roy Lyons

On 5/9/13 4:15 AM, "Daniel Pocock" <> wrote:

>There is a lot of confusion about the distinction between software that
>is free (like malware in app stores) and software that is really free
>with open source code.
>
>Several people have asked me how they can be sure that a Maven build
>(including all downloaded plugins) only uses genuine open source
>software, and that the binary downloads are identical to the source
>releases.  There are many users that want to build projects from source
>code in clean, non-networked environments.
>
>How can somebody tell Maven to
>a) recursively download source JARs for all plugins and dependencies
>(and their build plugins) and compile them one by one?
>b) stop if any source JAR contains binary artifacts or if a
>dependency/plugin source is not available?
>c) put all downloaded source in some kind of tree where it can be tarred
>up, copied onto a DVD and then built by a machine that is offline?
>
>I'm aware of the command "mvn dependency:sources", but this only appears
>to fetch the sources on a best effort basis and doesn't appear to
>compile them.

To unsubscribe, e-mail:
For additional commands, e-mail:

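One way to implement the check asked for in point (b) of the quoted message, as an added example that is not code from either poster: after `mvn dependency:sources` has populated the local repository (by default ~/.m2/repository), walk Maven's groupId/artifactId/version layout, flag every main JAR that has no matching -sources.jar, and list any compiled or native entries found inside a sources JAR. The sample artifacts (org.example:clean, tainted, nosrc) and the suffix lists are constructed assumptions, and the script only inspects what the sources JARs contain; it does not answer the separate question of whether the binaries were built from those sources.

```python
import tempfile
import zipfile
from pathlib import Path

# Classifier JARs Maven stores beside the main artifact; these are not audited as main JARs.
NON_MAIN_SUFFIXES = ("-sources.jar", "-javadoc.jar", "-tests.jar")
# Entries that mean a "source" JAR actually ships compiled or native code.
BINARY_SUFFIXES = (".class", ".so", ".dll", ".dylib", ".jar")

def binary_entries(sources_jar):
    """Return the entries of a sources JAR that are binary artifacts, sorted."""
    with zipfile.ZipFile(sources_jar) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(BINARY_SUFFIXES))

def audit_repository(repo_root):
    """Map each main JAR (relative path) to 'ok', 'missing-sources' or its binary entries."""
    report = {}
    for jar in Path(repo_root).rglob("*.jar"):
        if jar.name.endswith(NON_MAIN_SUFFIXES):
            continue  # skip classifier JARs; they are checked via their main JAR
        sources = jar.with_name(jar.name[:-4] + "-sources.jar")
        rel = jar.relative_to(repo_root).as_posix()
        if not sources.is_file():
            report[rel] = "missing-sources"
        else:
            report[rel] = binary_entries(sources) or "ok"
    return report

def write_jar(path, entries):
    """Write a JAR (a zip) holding empty entries; used only to build the constructed sample."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")

def build_sample_repository(root):
    """Constructed sample: three artifacts in Maven's groupId/artifactId/version layout."""
    base = Path(root, "org/example")
    write_jar(base / "clean/1.0/clean-1.0.jar", ["org/example/A.class"])
    write_jar(base / "clean/1.0/clean-1.0-sources.jar", ["org/example/A.java"])
    write_jar(base / "tainted/1.0/tainted-1.0.jar", ["org/example/B.class"])
    write_jar(base / "tainted/1.0/tainted-1.0-sources.jar", ["org/example/B.java", "org/example/B.class"])
    write_jar(base / "nosrc/1.0/nosrc-1.0.jar", ["org/example/C.class"])

def audit_sample_repository():
    """Build the sample in a temporary directory, audit it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repository(tmp)
        return audit_repository(tmp)
```

Point it at a real repository with `audit_repository(Path.home() / ".m2/repository")` and fail the build if any value is not `"ok"`.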