"optional" Maven dependencies must be excluded

[yegor256]

This is part of my pom.xml (my license is MIT):

    <dependency>
      <groupId>javax.json</groupId>
      <artifactId>javax.json-api</artifactId>
      <version>1.1.4</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.glassfish</groupId>
      <artifactId>javax.json</artifactId>
      <version>1.1.4</version>
      <optional>true</optional>
    </dependency>

This is what ORT says:

ERROR: COPYLEFT_IN_DEPENDENCY - Maven:org.glassfish:javax.json:1.1.4 - GPL-2.0-only (DECLARED) - The dependency 'Maven:org.glassfish:javax.json:1.1.4' is licensed under the ScanCode 'copyleft' categorized license GPL-2.0-only.
ERROR: COPYLEFT_IN_DEPENDENCY - Maven:javax.json:javax.json-api:1.1.4 - GPL-2.0-only (DECLARED) - The dependency 'Maven:javax.json:javax.json-api:1.1.4' is licensed under the ScanCode 'copyleft' categorized license GPL-2.0-only.

I believe, it's a false positive, because the dependencies are optional. This means that my JAR doesn't include them and they won't be installed to the user, unless the user explicitly includes them into his own pom.xml. In other words, I don't re-distribute this software. I only use it. This is allowed by copyleft, I believe.

[sschuberth]

Looks like a sensible request to me, esp. as this says under "Why use optional dependencies?":

They prevent problematic jars that violate a license agreement or cause classpath issues

[yegor256]

@sschuberth that's exactly what optional scope is for: to avoid placing certain dependencies in the final JAR, thus letting the end user decide what exactly to use -- either this problematic dependency or something else.

ORT, I believe, must not blame the project for having such optional dependencies, since the project doesn't re-distribute them.

[yegor256]

@sschuberth the same is true about dependencies in the provided scope. They also are not included in the JAR that is being distributed. Technically, only dependencies in the system and compile scopes are distributed. Everything else I suggest excluding from the analysis.

[MNesche]

Hi,
as @sschuberth already mentioned, the scopes should be excluded via scopes excludes.
The "provided" scope i.e. is used by the tycho-packaging-plugin to make a difference between Maven Plugins (scope compile) and Eclipse P2 Plugins (scope provided). Provided in this case means, the plugin is in the target platform and will be used!

The "optional" plugins should also rather be excluded via an "option" in a config, similar to the scope excludes, if an implementation is necessary.
A result with too much licenses is a lot better than a result with missing licenses!
That way, anybody could decide on their own, if the optional package should be included or not.

[yegor256]

@MNesche this is what we did in our project, but I still believe that the role of ORT is not only to be a technically accurate scanner, but also a setter of standards. This is what Maven did to the world of Java, easily beating Ant (it was a technically accurate tool, but with no "what's right and what's wrong" principles behind it).