dev.openfeature.contrib.providers:flagd Maven artifacts are reported as unlicensed by FOSSA #1784

@Kielek

Description

Summary

FOSSA scans for https://github.com/open-telemetry/opentelemetry-demo reports the Maven artifact dev.openfeature.contrib.providers:flagd as unlicensed:

No license found
dev.openfeature.contrib.providers:flagd:0.11.20

The project itself is Apache-2.0 licensed, but the published Maven artifact metadata does not appear to expose that license directly enough for FOSSA to detect it.

Affected Artifact

dev.openfeature.contrib.providers:flagd:0.11.20

Maven Central:

https://repo1.maven.org/maven2/dev/openfeature/contrib/providers/flagd/0.11.20/

Published POM:

https://repo1.maven.org/maven2/dev/openfeature/contrib/providers/flagd/0.11.20/flagd-0.11.20.pom

Observed Behavior

The published flagd-0.11.20.pom does not contain a direct <licenses> block.

The published JAR and sources JAR also do not appear to include a license file such as:

LICENSE
LICENSE.txt
META-INF/LICENSE
NOTICE

As a result, license scanners that inspect the published artifact directly report the package as unlicensed.

I also checked the current latest Maven Central version, 0.13.1, and it appears to have the same issue: no direct <licenses> block in the artifact POM and no bundled license file in the JAR/source JAR.

Expected Behavior

The Maven artifact should be detected as Apache-2.0 by license scanners.

The repository already has an Apache-2.0 license:

https://github.com/open-feature/java-sdk-contrib/blob/main/LICENSE

The root parent POM also declares Apache-2.0:

https://github.com/open-feature/java-sdk-contrib/blob/main/pom.xml

However, the providers/flagd artifact POM does not declare the license directly:

https://github.com/open-feature/java-sdk-contrib/blob/main/providers/flagd/pom.xml

Possible Cause

The flagd module inherits from the parent POM:

<parent>
    <groupId>dev.openfeature.contrib</groupId>
    <artifactId>parent</artifactId>
    <version>[1.0,2.0)</version>
    <relativePath>../../pom.xml</relativePath>
</parent>

Some scanners may not resolve inherited license metadata from the parent POM, especially with a parent version range. They may only inspect the published child POM and artifact files.

Proposed Fix

Add an explicit license declaration to providers/flagd/pom.xml:

<licenses>
    <license>
        <name>Apache License 2.0</name>
        <url>https://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
</licenses>

It may also help to include the repository LICENSE file in published artifacts, for example as:

META-INF/LICENSE

After a new dev.openfeature.contrib.providers:flagd release is published with this metadata, downstream projects should be able to update to that version and have FOSSA detect the artifact as Apache-2.0.

Notes

Similar issue to go-lang: open-feature/flagd-schemas#211
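An added check, not part of this issue or of the java-sdk-contrib project, that reproduces what a scanner sees when it reads only the published child POM and JAR (no parent resolution): it flags a missing direct `<licenses>` block, a parent version range, and a JAR without a bundled license file. The POM strings and in-memory JARs are constructed samples modelled on the issue, not the real 0.11.20 artifact.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
LICENSE_ENTRIES = ("LICENSE", "LICENSE.txt", "META-INF/LICENSE", "NOTICE")  # what scanners look for in the JAR

def pom_texts(pom_xml, path):
    """Text of the elements at `path` (e.g. "licenses/license/name") in this POM only."""
    root = ET.fromstring(pom_xml)
    ns = NS if root.tag.startswith(NS) else ""  # published POMs carry the 4.0.0 namespace
    nodes = root.findall("/".join(ns + tag for tag in path.split("/")))
    return [n.text.strip() for n in nodes if n.text]

def jar_license_entries(jar_bytes):
    """License-like entries bundled in the JAR (a JAR is a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return [e for e in LICENSE_ENTRIES if e in names]

def audit_artifact(pom_xml, jar_bytes):
    """What a scanner that reads only the published child POM and JAR can see."""
    licenses = pom_texts(pom_xml, "licenses/license/name")  # inherited ones are invisible here
    entries = jar_license_entries(jar_bytes)
    parent = pom_texts(pom_xml, "parent/version")
    findings = []
    if not licenses:
        findings.append("no direct <licenses> block in POM")
        if parent and parent[0][0] in "[(":
            findings.append(f"parent version is a range {parent[0]}; inherited license may not resolve")
    if not entries:
        findings.append("no bundled license file in JAR")
    return {"licenses": licenses, "jar_entries": entries, "findings": findings,
            "detected": bool(licenses or entries)}

def make_jar(entries):
    """Build a small JAR in memory (constructed sample input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed POMs mirroring the issue: before (parent range, no <licenses>) and after the fix
POM_BEFORE = (f'<project xmlns="{NS[1:-1]}"><parent><artifactId>parent</artifactId>'
              '<version>[1.0,2.0)</version></parent><artifactId>flagd</artifactId></project>')
POM_AFTER = POM_BEFORE.replace("</project>", '<licenses><license><name>Apache License 2.0</name>'
            '<url>https://www.apache.org/licenses/LICENSE-2.0</url></license></licenses></project>')
JAR_BEFORE = make_jar({"dev/openfeature/contrib/providers/flagd/FlagdProvider.class": b""})
JAR_AFTER = make_jar({"META-INF/MANIFEST.MF": b"", "META-INF/LICENSE": b"Apache License, Version 2.0"})
```

To run it against a real artifact, pass the downloaded `.pom` text and `.jar` bytes to `audit_artifact` instead of the constructed samples.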
