ryber

Reputation: 4555

Extend Maven POM XML

I would like to extend the Maven POM to include meta information about the dependencies. I'm doing this to make lawyers happy and stop developers from having to audit the POM once a quarter to see what OSS we added that legal didn't "approve" yet :P

So I wanted to add something like this:

    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>4.8.2</version>
        <license>Common Public License - v 1.0</license>
        <approved>true</approved>
    </dependency>

Then I could write a Maven plugin or just a Groovy script to audit the entries for me and tell me what is missing.

I can't find any good way to do this. Is it even possible? If not, does anyone have a recommendation on a way to handle this?

Upvotes: 3

Views: 2238

Answers (2)

Manfred Moser

Reputation: 29912

The license information is already in the POM of the dependency, so adding it there does not make sense. If you need more info like that you should look at Sonatype Insight and the integration of it in Sonatype Nexus as well as the Insight for CI plugin for Hudson or Jenkins. It will show you declared licenses as well as found licenses in the code and a lot more other data.

You might want to check out the webinar about Insight for CI next week in fact as well as the webinar recording available now.

In general, however, you cannot extend the POM with additional tags like that since it will stop Maven from being able to parse it. The best you could do is add them as XML comments.

Upvotes: 2
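An added example, not part of the question or of either answer: because extra tags inside `<dependency>` are not part of the POM model, one option is to keep the approval record outside the POM and audit the POM against it. The `APPROVED` mapping, the sample POM and the `audit` function are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
# Child elements the POM 4.0.0 model defines for <dependency>.
POM_DEPENDENCY_FIELDS = {"groupId", "artifactId", "version", "type", "classifier",
                         "scope", "systemPath", "exclusions", "optional"}

# Constructed sample POM (treated as the project's own, trusted file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.8.2</version>
      <approved>true</approved>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unreviewed-lib</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed approval record kept outside the POM, keyed by groupId:artifactId:version.
APPROVED = {"junit:junit:4.8.2": "Common Public License - v 1.0"}

def audit(pom_text, approved):
    """Return (unapproved coordinates, non-standard tags found in <dependency>)."""
    root = ET.fromstring(pom_text)
    unapproved, foreign = [], []
    for dep in root.iter(NS + "dependency"):
        fields = {child.tag.replace(NS, ""): (child.text or "").strip() for child in dep}
        # A version inherited from a parent POM shows up as "?" and is reported.
        coord = ":".join(fields.get(k, "?") for k in ("groupId", "artifactId", "version"))
        foreign += [(coord, tag) for tag in fields if tag not in POM_DEPENDENCY_FIELDS]
        if coord not in approved:
            unapproved.append(coord)
    return unapproved, foreign

if __name__ == "__main__":
    unapproved, foreign = audit(SAMPLE_POM, APPROVED)
    print("not yet approved:", unapproved)
    print("tags the POM model does not define:", foreign)
```

Only dependencies declared directly in the POM are checked; transitive dependencies would need the resolved dependency tree as input instead.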

Mark O'Connor

Reputation: 77951

Sonatype's Insight product is the best solution I've seen to this problem.

Combine it with the procurement features offered by Nexus Professional and it enables both regulation and audit of OSS in your company's applications.

Upvotes: 3
