
Controlling Third Party Licenses

The License Control Add-on complements the Artifactory Build Integration Add-on, giving you full control over the licenses of the dependencies used by your builds (and, by extension, in your software).

This Add-on is part of the Artifactory Pro Power Pack.

As part of deploying Build Info from the build server to Artifactory, it analyzes the dependencies used by the build and tries to match each one against a set of license management rules.

Notifications can be sent to a selected list of recipients about dependencies with unknown or unapproved license information.

To support this feature Artifactory includes a new license management facility where rules about license matching and approval status are defined. These rules are consulted as part of the license analysis.

How does license analysis work?

Automatic analysis is performed upon deployment by examining information found in artifact module files. Currently Maven POM and Ivy Descriptor files are supported.

You can always override the automatic results and assign license information manually to dependencies. You can also compare the current license status to the auto calculated one and decide what results of the automatic analysis to accept.

License information is stored with the artifact and reused by the automatic license analysis on subsequent builds.

Central License Management

Licenses are managed under the Admin tab and then Configuration -> Licenses.

Editing License Information

For each license, you can configure general license information, the regular expression by which to match the license (by comparing it to license information in module files) and whether the license is an approved one or not.

If you leave the regexp field blank, Artifactory attempts an exact match against the license key.

Artifactory comes preconfigured with all the common OSI licenses, and JFrog has already tuned their matching expressions against common project builds.

Finally, you can export the license list and import it later on to new Artifactory instances.

Using Build Licenses

Build Server Configuration

When you run a build from your CI server (Hudson, TeamCity or Bamboo), configure the Artifactory Plugin to run license checks as part of the build.

Below is a sample section from the Hudson configuration of the Artifactory Plugin:

You can configure whether or not you wish license checks to take place as part of deploying Build Info to Artifactory (the Build Info Bill of Materials must be deployed to Artifactory for license checks to run).

You can also set a list of recipients to be notified about license violations as soon as they occur. Whenever a dependency with an unknown or unapproved license is added to the build, recipients receive an immediate email notification and can attend to any potential license violation.

Sending license violation notifications is performed through Artifactory and requires a valid mail server to be configured.

Not failing the build

Currently, Artifactory does not fail the build as a result of license violations.

This is a deliberate decision, in the spirit of letting development continue while the appropriate parties are alerted to newly introduced unauthorized dependencies in near real time, so that they can be addressed early. The practical consequence is that the notification email is the only signal a violation produces: make sure a mail server is configured and the recipient list is actually monitored, because a build that pulls in an unapproved license otherwise succeeds like any other.

Examining Build Licenses

Once the build has finished on the build server and Build Info has deployed to Artifactory, license checks are run.

The build license information is available under the Artifacts tab and then Browse -> Builds. Drill down to the specific build and select the Licenses tab.

The Licenses tab contains information about all the dependencies used in the build (with selectable scopes) and the license each one is associated with.

You can export this information as a CSV file.



The summary panel displays the overall count of licenses by status and inside the table itself, licenses are displayed in different colors according to their status:

License Status   Description
Unapproved       The license found is not an approved license.
Unknown          License information was found but cannot be related to any license managed in Artifactory.
Not Found        No license information could be found for the artifact.
Neutral          The license found is unapproved, but another approved license was found for the same artifact (only applicable to artifacts associated with multiple licenses).
Approved         The license found is an approved license.
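To make the matching rules from Editing License Information and the status table above concrete, here is an added example (not Artifactory's own code) that reads the <licenses> block of Maven POMs, applies a constructed rule set where each rule has a key, an approval flag and an optional regular expression (a blank regexp falls back to an exact match on the key, as the page states), and assigns each license one of the five statuses. The rule set, the first-match-wins ordering, matching on the license name only (not the URL), and the sample POMs are all assumptions made for the example; the regexps are illustrative, not JFrog's tuned ones.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LicenseRule:
    """One row of the Licenses admin screen (field names are assumptions)."""
    key: str            # the license key, e.g. "Apache-2.0"
    approved: bool      # approval status configured by the admin
    regexp: str = ""    # blank: fall back to an exact match on the key


# Constructed rule set; the regexps are illustrative, not JFrog's tuned ones.
# Rules are tried in order and the first match wins (an assumption).
RULES = [
    LicenseRule("Apache-2.0", True,
                r"(?i)apache(\s+software)?\s+licen[cs]e,?\s*(version\s*)?2\.0"),
    LicenseRule("MIT", True, r"(?i)^(the\s+)?mit\s+licen[cs]e$"),
    LicenseRule("GPL-3.0", False, r"(?i)gnu\s+general\s+public\s+licen[cs]e.*3"),
    LicenseRule("LGPL-2.1", True),  # no regexp: only the literal key matches
]


def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def pom_license_names(pom_xml):
    """Return the <license><name> values declared in a Maven POM."""
    root = ET.fromstring(pom_xml)
    return [n.text.strip()
            for lic in root.iter() if _local(lic.tag) == "license"
            for n in lic if _local(n.tag) == "name" and n.text]


def match_license(name, rules=RULES):
    """Find the first rule matching a license name; None means Unknown."""
    name = name.strip()
    for rule in rules:
        if rule.regexp:
            if re.search(rule.regexp, name):
                return rule
        elif name == rule.key:
            return rule
    return None


def license_statuses(names, rules=RULES):
    """Per-license statuses for one artifact, following the status table."""
    if not names:
        return ["Not Found"]
    matched = [match_license(n, rules) for n in names]
    has_approved = any(r is not None and r.approved for r in matched)
    statuses = []
    for rule in matched:
        if rule is None:
            statuses.append("Unknown")
        elif rule.approved:
            statuses.append("Approved")
        elif has_approved:
            # unapproved, but the same artifact also carries an approved license
            statuses.append("Neutral")
        else:
            statuses.append("Unapproved")
    return statuses


def build_license_summary(dependency_poms, rules=RULES):
    """Count licenses by status across all dependencies of a build."""
    counts = Counter()
    for pom in dependency_poms.values():
        counts.update(license_statuses(pom_license_names(pom), rules))
    return dict(counts)


def _pom(*license_names):
    """Build a minimal constructed POM declaring the given license names."""
    licenses = "".join(f"<license><name>{n}</name></license>" for n in license_names)
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0">'
            f"<licenses>{licenses}</licenses></project>")


# Constructed dependency set standing in for a build's Build Info (not real artifacts).
SAMPLE_BUILD = {
    "org.example:web:1.0": _pom("The Apache Software License, Version 2.0"),
    "org.example:dual:2.3": _pom("GNU General Public License v3", "The MIT License"),
    "org.example:legacy:0.9": _pom(),               # no <licenses> block at all
    "org.example:odd:1.1": _pom("LGPL 2.1"),        # exact-match rule, so a near miss
}

if __name__ == "__main__":
    for coords, pom in SAMPLE_BUILD.items():
        print(coords, license_statuses(pom_license_names(pom)))
    print(build_license_summary(SAMPLE_BUILD))
```

Two things the example makes visible that the table alone does not: the "LGPL 2.1" dependency lands in Unknown purely because its rule has no regexp and the declared name is not byte-identical to the key, which is the usual reason a license shows up as Unknown after the rules have been imported into a fresh instance; and the dual-licensed dependency gets Neutral for its GPL entry rather than Unapproved only because the MIT entry sits beside it, so a summary count of zero Unapproved licenses does not mean no copyleft code is present.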

Inline License Editing

Admins can also change the license information directly from the dependency row in the table, using the Edit License pop-up action:

Running Manual License Discovery

You can manually re-run the license discovery rules after a build has already completed. There are several reasons why you may want to do this:

  1. License rules (configured licenses and regular expressions) have changed and you want to compare the existing build licenses with the results of the new rules, or use them to complete missing license information.
  2. To test the current rules against the dependencies and tweak the rules, if necessary.
  3. To check which license information can come from rules and which license information must be set manually.

To trigger license discovery select the Auto-find Licenses button.

Any license conflicts are displayed to the right of the table, with the option to override the existing license information with the discovered license (you must have annotate permissions for the artifacts you want to override licenses for). 

Setting License Information Manually

To set license information for artifacts manually:

  1. Navigate to the artifact from the tree browser or from the Show in Tree pop-up action on a dependency in the build's licenses table.
  2. Select the artifact in the tree browser
  3. Select the General panel and under the License label choose Add or Edit to change the artifact's licenses.

Note that an artifact can be associated with multiple licenses.

Scanning the artifact's Maven/Ivy model for licenses

Another way to fill in license information is to scan the artifact's Maven/Ivy model for licenses, that is, to look for an existing POM (or Ivy descriptor) matching the artifact.

With the artifact selected in the tree browser, go to the General tab and under the License label choose Scan, then confirm the licenses found in the scan results, if any.

You can also use the 'Search For Archive License File' link, which scans the artifact archive for a 'License' or 'License.txt' entry and asks for confirmation if one is found.
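The two discovery steps above, done offline against a jar, as an added example that is not Artifactory's code: it opens the archive, reads the POM that Maven-built jars embed under META-INF/maven/, and reports any entry whose file name is License or License.txt, returning both kinds of evidence so that either can be confirmed. That the embedded POM lives under META-INF/maven/ is standard Maven layout; the exact file names Artifactory treats as a license file, and that the search is case-insensitive and recurses into subdirectories, are assumptions. The jar itself is constructed inside the block, not a real artifact.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Assumption about what "'License' or 'License.txt' entry" means; compared case-insensitively.
LICENSE_FILE_NAMES = {"license", "license.txt"}


def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def pom_license_names(pom_xml):
    """Return the <license><name> values declared in a Maven POM."""
    root = ET.fromstring(pom_xml)
    return [n.text.strip()
            for lic in root.iter() if _local(lic.tag) == "license"
            for n in lic if _local(n.tag) == "name" and n.text]


def scan_archive(archive_bytes):
    """Collect license evidence from a jar/zip: names declared in POMs embedded
    under META-INF/maven/, and License/License.txt entries with their first line."""
    found = {"pom_licenses": [], "license_files": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue                      # directory entry, nothing to read
            base = posixpath.basename(name).lower()
            if name.startswith("META-INF/maven/") and base == "pom.xml":
                try:
                    found["pom_licenses"].extend(pom_license_names(zf.read(name)))
                except ET.ParseError:
                    pass                      # a corrupt embedded POM is not evidence
            elif base in LICENSE_FILE_NAMES:
                text = zf.read(name).decode("utf-8", "replace")
                first_line = next((l.strip() for l in text.splitlines() if l.strip()), "")
                found["license_files"].append((name, first_line))
    return found


def build_sample_jar(with_license=True):
    """Constructed sample jar (not a real artifact): manifest, one class, and
    optionally an embedded POM plus a LICENSE.txt."""
    pom = (b'<project xmlns="http://maven.apache.org/POM/4.0.0">'
           b"<licenses><license><name>Apache License, Version 2.0</name>"
           b"<url>http://www.apache.org/licenses/LICENSE-2.0</url></license></licenses>"
           b"</project>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/Web.class", b"\xca\xfe\xba\xbe")
        if with_license:
            zf.writestr("META-INF/maven/org.example/web/pom.xml", pom)
            zf.writestr("META-INF/LICENSE.txt", "Apache License\nVersion 2.0, January 2004\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample_jar()))
    print(scan_archive(build_sample_jar(with_license=False)))
```

A jar with neither an embedded POM nor a license file yields two empty lists, which is the Not Found case: the only remaining options are to set the license manually or to locate the artifact's external POM in the repository.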

 

License Information as Properties

Internally, license information is stored as regular properties, using the built-in artifactory.licenses property name.

Therefore, all operations with properties are available to license information (searches, recursive assignment, property-based deployment and resolution etc.)

Licenses REST API

License-oriented searches and management operations are available through the REST API.

Refer to the REST API Documentation for usage information.

Watch the Screencast

To see the License Control Add-on in action you can watch the short demo screencast below.
