chore: include list of third party dependencies and their licenses in each artifact

[chadlwilson]

Description of Change

This change (requesting feedback) replaces the outdated embedded static files with dynamic generation from dependencies via the license-maven-plugin.

Right now it is just generating a THIRD-PARTY.txt with a list of the dependencies and their licenses for each transitive runtime non-optional dependency and including it in META-INF (for normal jars) or the root (for zips such as ant/cli releases)

It is normalising the license names to SPDX IDs.

e.g for the CLI

Lists of 69 third-party dependencies.
     (EPL-1.0) (LGPL-2.1-only) Logback Classic Module (ch.qos.logback:logback-classic:1.2.13 - http://logback.qos.ch/logback-classic)
     (EPL-1.0) (LGPL-2.1-only) Logback Core Module (ch.qos.logback:logback-core:1.2.13 - http://logback.qos.ch/logback-core)
     (BSD-3-Clause) MinLog (com.esotericsoftware:minlog:1.3.1 - https://github.com/EsotericSoftware/minlog)
     (Apache-2.0) Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.21 - https://github.com/FasterXML/jackson)
     (Apache-2.0) Jackson-core (com.fasterxml.jackson.core:jackson-core:2.21.0 - https://github.com/FasterXML/jackson-core)
     (Apache-2.0) jackson-databind (com.fasterxml.jackson.core:jackson-databind:2.21.0 - https://github.com/FasterXML/jackson)
     (Apache-2.0) Jackson-dataformat-YAML (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.21.0 - https://github.com/FasterXML/jackson-dataformats-text)
     (Apache-2.0) Jackson datatype: JSR310 (com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.21.0 - https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310)
     (Apache-2.0) Jackson module: Blackbird (com.fasterxml.jackson.module:jackson-module-blackbird:2.21.0 - https://github.com/FasterXML/jackson-modules-base)
     (MIT) Package URL (com.github.package-url:packageurl-java:1.5.0 - https://github.com/package-url/packageurl-java)
     (Apache-2.0) compiler (com.github.spullara.mustache.java:compiler:0.9.6 - http://github.com/spullara/mustache.java)
     (Apache-2.0) Gson (com.google.code.gson:gson:2.9.0 - https://github.com/google/gson/gson)
     (Apache-2.0) Guava InternalFutureFailureAccess and InternalFutures (com.google.guava:failureaccess:1.0.3 - https://github.com/google/guava/failureaccess)
     (Apache-2.0) Guava: Google Core Libraries for Java (com.google.guava:guava:33.5.0-jre - https://github.com/google/guava)
     (EPL-1.0) (MPL-2.0) H2 Database Engine (com.h2database:h2:2.4.240 - https://h2database.com)
     (Apache-2.0) retirejs-core (com.h3xstream.retirejs:retirejs-core:3.0.4 - https://github.com/h3xstream/burp-retire-js/retirejs-core)
     (Apache-2.0) AhoCorasickDoubleArrayTrie (com.hankcs:aho-corasick-double-array-trie:1.2.3 - https://github.com/hankcs/AhoCorasickDoubleArrayTrie)
     (CPL-1.0) com.kichik.pecoff4j:pecoff4j (com.kichik.pecoff4j:pecoff4j:0.4.1 - https://github.com/kichik/pecoff4j)
     (MIT) toml4j (com.moandjiezana.toml:toml4j:0.7.2 - http://moandjiezana.com/toml/toml4j)
     (BSD-3-Clause) jmustache (com.samskivert:jmustache:1.16 - http://github.com/samskivert/jmustache)
     (Apache-2.0) Apache Commons CLI (commons-cli:commons-cli:1.11.0 - https://commons.apache.org/proper/commons-cli/)
     (Apache-2.0) Apache Commons Codec (commons-codec:commons-codec:1.21.0 - https://commons.apache.org/proper/commons-codec/)
     (Apache-2.0) Apache Commons IO (commons-io:commons-io:2.21.0 - https://commons.apache.org/proper/commons-io/)
     (Apache-2.0) Apache Commons Validator (commons-validator:commons-validator:1.10.1 - https://commons.apache.org/proper/commons-validator/)
     (Apache-2.0) jcs3-slf4j (io.github.jeremylong:jcs3-slf4j:1.0.5 - https://github.com/jeremylong/jcs3-slf4j/)
     (Apache-2.0) open-vulnerability-clients (io.github.jeremylong:open-vulnerability-clients:9.0.3 - https://github.com/jeremylong/open-vulnerability-clients/)
     (EPL-2.0) (GPL-2.0-only WITH Classpath-exception-2.0) javax.transaction API (jakarta.transaction:jakarta.transaction-api:1.3.3 - https://projects.eclipse.org/projects/ee4j.jta)
     (CDDL-1.1 WITH Classpath-exception-2.0) JavaBeans Activation Framework API jar (javax.activation:javax.activation-api:1.2.0 - http://java.net/all/javax.activation-api/)
     (Apache-2.0) javax.inject (javax.inject:javax.inject:1 - http://code.google.com/p/atinject/)
     (CDDL-1.1) (GPL-2.0-only WITH Classpath-exception-2.0) javax.ws.rs-api (javax.ws.rs:javax.ws.rs-api:2.0.1 - http://jax-rs-spec.java.net)
     (CDDL-1.1) (GPL-2.0-only WITH Classpath-exception-2.0) jaxb-api (javax.xml.bind:jaxb-api:2.3.1 - https://github.com/javaee/jaxb-spec/jaxb-api)
     (Apache-2.0) Joda-Time (joda-time:joda-time:2.14.0 - https://www.joda.org/joda-time/)
     (Apache-2.0) jdiagnostics (org.anarres.jdiagnostics:jdiagnostics:1.0.7 - https://github.com/shevek/jdiagnostics)
     (Apache-2.0) Apache Ant Core (org.apache.ant:ant:1.10.15 - https://ant.apache.org/)
     (Apache-2.0) Apache Commons Collections (org.apache.commons:commons-collections4:4.5.0 - https://commons.apache.org/proper/commons-collections/)
     (Apache-2.0) Apache Commons Compress (org.apache.commons:commons-compress:1.27.1 - https://commons.apache.org/proper/commons-compress/)
     (Apache-2.0) Apache Commons DBCP (org.apache.commons:commons-dbcp2:2.14.0 - https://commons.apache.org/proper/commons-dbcp/)
     (Apache-2.0) Apache Commons JCS :: Core (org.apache.commons:commons-jcs3-core:3.2.1 - http://commons.apache.org/proper/commons-jcs/commons-jcs3-core/)
     (Apache-2.0) Apache Commons Lang (org.apache.commons:commons-lang3:3.20.0 - https://commons.apache.org/proper/commons-lang/)
     (Apache-2.0) Apache Commons Pool (org.apache.commons:commons-pool2:2.13.0 - https://commons.apache.org/proper/commons-pool/)
     (Apache-2.0) Apache Commons Text (org.apache.commons:commons-text:1.15.0 - https://commons.apache.org/proper/commons-text)
     (Apache-2.0) Apache HttpClient (org.apache.httpcomponents.client5:httpclient5:5.5.1 - https://hc.apache.org/httpcomponents-client-5.5.x/5.5.1/httpclient5/)
     (Apache-2.0) Apache HttpClient Cache (org.apache.httpcomponents.client5:httpclient5-cache:5.5.1 - https://hc.apache.org/httpcomponents-client-5.5.x/5.5.1/httpclient5-cache/)
     (Apache-2.0) Apache HttpComponents Core HTTP/1.1 (org.apache.httpcomponents.core5:httpcore5:5.3.6 - https://hc.apache.org/httpcomponents-core-5.3.x/5.3.6/httpcore5/)
     (Apache-2.0) Apache HttpComponents Core HTTP/2 (org.apache.httpcomponents.core5:httpcore5-h2:5.3.6 - https://hc.apache.org/httpcomponents-core-5.3.x/5.3.6/httpcore5-h2/)
     (Apache-2.0) Apache Lucene (module: common) (org.apache.lucene:lucene-analysis-common:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: core) (org.apache.lucene:lucene-core:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: facet) (org.apache.lucene:lucene-facet:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: queries) (org.apache.lucene:lucene-queries:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: queryparser) (org.apache.lucene:lucene-queryparser:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Lucene (module: sandbox) (org.apache.lucene:lucene-sandbox:9.12.3 - https://lucene.apache.org/)
     (Apache-2.0) Apache Velocity - Engine (org.apache.velocity:velocity-engine-core:2.4.1 - http://velocity.apache.org/engine/devel/velocity-engine-core/)
     (EPL-2.0) Eclipse Packager :: Core (org.eclipse.packager:packager-core:0.21.0 - https://eclipse.org/packager/packager-core)
     (EPL-2.0) Eclipse Packager :: RPM (org.eclipse.packager:packager-rpm:0.21.0 - https://eclipse.org/packager/packager-rpm)
     (EPL-2.0) (GPL-2.0-only WITH Classpath-exception-2.0) JSON-P with Parsson Provider (org.eclipse.parsson:jakarta.json:1.1.7 - https://github.com/eclipse-ee4j/parsson/parsson-bundles/jakarta.json)
     (Public Domain) JSON in Java (org.json:json:20251224 - https://github.com/douglascrockford/JSON-java)
     (MIT) jsoup Java HTML Parser (org.jsoup:jsoup:1.22.1 - https://jsoup.org/)
     (Apache-2.0) Dependency-Check Core (org.owasp:dependency-check-core:12.2.1-SNAPSHOT - https://github.com/dependency-check/DependencyCheck.git/dependency-check-core)
     (Apache-2.0) Dependency-Check Utils (org.owasp:dependency-check-utils:12.2.1-SNAPSHOT - https://github.com/dependency-check/DependencyCheck.git/dependency-check-utils)
     (MIT) semver4j (org.semver4j:semver4j:5.8.0 - https://github.com/semver4j/semver4j)
     (Apache-2.0) JCL 1.2 implemented over SLF4J (org.slf4j:jcl-over-slf4j:1.7.36 - http://www.slf4j.org)
     (MIT) JUL to SLF4J bridge (org.slf4j:jul-to-slf4j:1.7.36 - http://www.slf4j.org)
     (MIT) SLF4J API Module (org.slf4j:slf4j-api:1.7.36 - http://www.slf4j.org)
     (Apache-2.0) org.sonatype.goodies:package-url-java (org.sonatype.goodies:package-url-java:1.2.0 - https://sonatype.github.io/package-url-java/)
     (Apache-2.0) org.sonatype.ossindex:ossindex-service-api (org.sonatype.ossindex:ossindex-service-api:1.8.2 - https://sonatype.github.io/ossindex-public/ossindex-service-api/)
     (Apache-2.0) org.sonatype.ossindex:ossindex-service-client (org.sonatype.ossindex:ossindex-service-client:1.8.2 - https://sonatype.github.io/ossindex-public/ossindex-service-client/)
     (Public Domain) XZ for Java (org.tukaani:xz:1.9 - https://tukaani.org/xz/java.html)
     (Apache-2.0) SnakeYAML (org.yaml:snakeyaml:2.4 - https://bitbucket.org/snakeyaml/snakeyaml)
     (Apache-2.0) CPE Parser (us.springett:cpe-parser:3.0.1 - https://github.com/stevespringett/CPE-Parser)

Related issues

N/A

Have test cases been added to cover the new functionality?

N/A

Questions for feedback

• It somewhat duplicates NOTICE.txt. As an alternative I could make it generate NOTICE.txt instead, and get it to include the general notes on the data sources that are currently mentioned in the NOTICE.txt?
• do we need to extract and include full license content? If so, I imagine we only actually need to do that for ant and cli since these are distributed standalone outside dependency management tooling?
• it currently doesn't include any hard-coded dependencies to refer to licenses for the javascript etc included in reports, e.g JQuery etc. If this is going a useful direction, I can add configuration to include those.
• there may be a better direction to go via cyclonedx-maven-plugin or spdx-maven-plugin or similar that will generate an SBOM of some description in addition to this. It might be better to go this direction if they can also handle licenses. Since CycloneDX is OWASP-adjacent I imagine there's a preference for that above spdx.

[chadlwilson]

After more thinking, while it's an improvement on the current state, I'm not super happy about this as there are some weird ASL things about keeping NOTICE.txt and moving straight to including an SBOM in ant/CLI/docker would be better.

I'll keep it open for comment for a bit before embarking on something more ambitious via cyclonedx-maven-plugin and see if that can handle the licenses detection/normalisation sufficiently.

[chadlwilson]

Unfortunately cyclonedx-maven-plugin can't do everything here and is a bit limited, especially if we care about retaining NOTICES for ant and cli. I'll poke around a bit more and see if we can add things into the SBOM or merge with a manual SBOM fragment.

[chadlwilson]

I'll return to this after addressing #8353 which will simplify our maven plugins setup.