Finding all dependencies in a jar

Question

Before I use a third-party library in my program, I want to make sure that all the material it contains is legal for me to use. For example I have the jline jar from repo1.maven.org

I want to confirm what packages it has so I run the following command:

$ unzip -l jline-2.13.jar
 Length      Date    Time    Name
---------  ---------- -----   ----
        0  08-10-2015 18:32   META-INF/
      989  08-10-2015 18:32   META-INF/MANIFEST.MF
        0  08-10-2015 18:32   jline/
... // more jline files
        0  08-10-2015 18:32   META-INF/maven/
... // more maven files
        0  08-10-2015 18:32   org/
        0  08-10-2015 18:32   org/fusesource/
        0  08-10-2015 18:32   org/fusesource/hawtjni/
... // more hawtjni files
        0  08-10-2015 18:32   org/fusesource/jansi/
... // more jansi files
---------                     -------
   549270                     133 files
$

From this output I see that jline, hawtjni, and jansi are used, so I go and find there licence files:

• https://github.com/jline/jline2/blob/master/LICENSE.txt
• https://github.com/fusesource/hawtjni/blob/master/license.txt
• https://github.com/fusesource/jansi/blob/master/license.txt

Are there any other things I should do to ensure no other packages are used?

---

Extra question: Because these are all Apache and BSD licences (and I do not edit their content or display their product names), do I only have to state that these libraries were used in my project and include their respective licences? This might be better asked on the legal stack exchange.

Answer 1

The license for a given library should declare or include the licenses for other dependencies it has bundled/included with it. If the library has transitive maven dependencies, then you'll need to examine its pom.xml file to see what else it is pulling in at build time, and example the licenses for those individually.