Dependencies

build.gradle

@@ -18,14 +18,15 @@ buildscript {
 }
 
 plugins {
+    id "com.simonharrer.modernizer" version '1.5.0-1'
+    id "de.sebastianboegl.shadow.transformer.log4j" version "2.1.1"
+    id 'com.github.ben-manes.versions' version '0.17.0'
+    id 'com.github.johnrengelman.shadow' version '2.0.2'
     id 'com.gradle.build-scan' version '1.11'
     id 'com.install4j.gradle' version '7.0.3'
-    id 'com.github.johnrengelman.shadow' version '2.0.2'
-    id "de.sebastianboegl.shadow.transformer.log4j" version "2.1.1"
-    id "com.simonharrer.modernizer" version '1.5.0-1'
+    id 'com.github.jk1.dependency-license-report' version '0.7'
     id 'me.champeau.gradle.jmh' version '0.4.3'
     id 'net.ltgt.errorprone' version '0.0.13'
-    id 'com.github.ben-manes.versions' version '0.17.0'
 }
 
 // use the gradle build scan feature: https://scans.gradle.com/get-started
@@ -34,14 +35,14 @@ buildScan {
     licenseAgree = 'yes'
 }
 
-apply plugin: 'java'
 apply plugin: 'application'
-apply plugin: 'project-report'
-apply plugin: 'jacoco'
+apply plugin: 'checkstyle'
 apply plugin: 'install4j'
+apply plugin: 'jacoco'
+apply plugin: 'java'
 apply plugin: 'me.champeau.gradle.jmh'
-apply plugin: 'checkstyle'
 apply plugin: 'org.junit.platform.gradle.plugin'
+apply plugin: 'project-report'
 
 apply from: 'eclipse.gradle'
 apply from: 'localization.gradle'
@@ -85,91 +86,75 @@ configurations {
 }
 
 dependencies {
+    // legacy dependencies [apple, customjfx, spin]
     compile fileTree(dir: 'lib', includes: ['*.jar'])
 
-    compile 'com.jgoodies:jgoodies-common:1.8.1'
-    compile 'com.jgoodies:jgoodies-forms:1.9.0'
-
-    compile 'org.apache.pdfbox:pdfbox:2.0.9'
-    compile 'org.apache.pdfbox:fontbox:2.0.9'
-    compile 'org.apache.pdfbox:xmpbox:2.0.9'
-
-    // required for reading write-protected PDFs - see https://github.com/JabRef/jabref/pull/942#issuecomment-209252635
-    compile 'org.bouncycastle:bcprov-jdk15on:1.59'
-
-    compile 'commons-cli:commons-cli:1.4'
-
-    compile "org.libreoffice:juh:5.4.2"
-    compile "org.libreoffice:jurt:5.4.2"
-    compile "org.libreoffice:ridl:5.4.2"
-    compile "org.libreoffice:unoil:5.4.2"
-
-    compile 'com.github.bkromhout:java-diff-utils:2.1.1'
-    compile 'info.debatty:java-string-similarity:1.1.0'
-
     antlr3 'org.antlr:antlr:3.5.2'
-    compile 'org.antlr:antlr-runtime:3.5.2'
-
     antlr4 'org.antlr:antlr4:4.7.1'
+    compile 'org.antlr:antlr-runtime:3.5.2'
     compile 'org.antlr:antlr4-runtime:4.7.1'
 
-    // VersionEye states that 6.0.5 is the most recent version, but http://dev.mysql.com/downloads/connector/j/ shows that as "Development Release"
+    compile 'com.github.bkromhout:java-diff-utils:2.1.1'
+    compile 'com.github.tomtung:latex2unicode_2.12:0.2.2'
+    compile 'com.google.guava:guava:24.1-jre'
+    compile 'com.impossibl.pgjdbc-ng:pgjdbc-ng:0.7.1' // postgres jdbc
+    compile 'com.jgoodies:jgoodies-common:1.8.1'
+    compile 'com.jgoodies:jgoodies-forms:1.9.0'
+    compile 'com.mashape.unirest:unirest-java:1.4.9'
+    compile 'com.microsoft.azure:applicationinsights-core:2.0.2'
+    compile 'com.microsoft.azure:applicationinsights-logging-log4j2:2.0.2'
+    compile 'commons-cli:commons-cli:1.4'
+    compile 'info.debatty:java-string-similarity:1.1.0'
     compile 'mysql:mysql-connector-java:5.1.46'
-
-    compile 'com.impossibl.pgjdbc-ng:pgjdbc-ng:0.7.1'
-
     compile 'net.java.dev.glazedlists:glazedlists_java15:1.9.1'
+    compile 'org.apache.pdfbox:fontbox:2.0.9'
+    compile 'org.apache.pdfbox:pdfbox:2.0.9'
+    compile 'org.apache.pdfbox:xmpbox:2.0.9'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.59' // write-protected pdfs
+    compile 'org.jsoup:jsoup:1.11.2'
+    compile 'org.libreoffice:juh:5.4.2'
+    compile 'org.libreoffice:jurt:5.4.2'
+    compile 'org.libreoffice:ridl:5.4.2'
+    compile 'org.libreoffice:unoil:5.4.2'
 
-    compile 'com.google.guava:guava:24.1-jre'
-
-    // JavaFX stuff
+    // JavaFX
     compile 'com.airhacks:afterburner.fx:1.7.0'
     compile 'de.codecentric.centerdevice:javafxsvg:1.3.0'
     compile 'de.jensd:fontawesomefx-materialdesignfont:1.7.22-4'
     compile 'de.saxsys:mvvmfx-validation:1.7.0'
+    compile 'org.controlsfx:controlsfx:8.40.15-SNAPSHOT' // Cannot be updated to 9.*.* until Jabref works with Java 9
     compile 'org.fxmisc.easybind:easybind:1.0.3'
     compile 'org.fxmisc.flowless:flowless:0.6'
     compile 'org.fxmisc.richtext:richtextfx:0.8.2'
 
-    // Cannot be updated to 9.*.* until Jabref works with Java 9
-    compile 'org.controlsfx:controlsfx:8.40.15-SNAPSHOT'
-
-    compile 'org.jsoup:jsoup:1.11.2'
-    compile 'com.mashape.unirest:unirest-java:1.4.9'
-
-    // >1.8.0-beta is required for java 9 compatibility
-    compile 'org.slf4j:slf4j-api:1.8.0-beta2'
-    compile 'org.apache.logging.log4j:log4j-slf4j-impl:2.11.0'
-    compile 'org.apache.logging.log4j:log4j-jcl:2.11.0'
+    // logging
     compile 'org.apache.logging.log4j:log4j-api:2.11.0'
     compile 'org.apache.logging.log4j:log4j-core:2.11.0'
+    compile 'org.apache.logging.log4j:log4j-jcl:2.11.0'
+    compile 'org.apache.logging.log4j:log4j-slf4j-impl:2.11.0'
+    compile 'org.slf4j:slf4j-api:1.8.0-beta2'
 
     // need to use snapshots as the stable version is from 2013 and doesn't support v1.0.1 CitationStyles
     compile 'org.citationstyles:styles:1.0.1-SNAPSHOT'
     compile 'org.citationstyles:locales:1.0.1-SNAPSHOT'
     compile 'de.undercouch:citeproc-java:1.0.1'
 
-    compile 'com.github.tomtung:latex2unicode_2.12:0.2.2'
-
-    compile group: 'com.microsoft.azure', name: 'applicationinsights-core', version: '2.0.2'
-    compile group: 'com.microsoft.azure', name: 'applicationinsights-logging-log4j2', version: '2.0.2'
-
+    testCompile "org.testfx:testfx-core:4.0.+"
+    testCompile "org.testfx:testfx-junit:4.0.+"
+    testCompile 'com.github.tomakehurst:wiremock:2.16.0'
+    testCompile 'com.tngtech.archunit:archunit-junit:0.5.0'
+    testCompile 'org.assertj:assertj-swing-junit:3.8.0'
     testCompile 'org.junit.jupiter:junit-jupiter-api:5.1.0'
     testCompile 'org.junit.jupiter:junit-jupiter-params:5.1.0'
-    testRuntime 'org.junit.jupiter:junit-jupiter-engine:5.1.0'
-    testRuntime 'org.junit.vintage:junit-vintage-engine:5.1.0'
     testCompile 'org.junit.platform:junit-platform-launcher:1.1.0'
-    testRuntime 'org.apache.logging.log4j:log4j-core:2.11.0'
-    testRuntime 'org.apache.logging.log4j:log4j-jul:2.11.0'
     testCompile 'org.mockito:mockito-core:2.17.0'
-    testCompile 'com.github.tomakehurst:wiremock:2.16.0'
-    testCompile 'org.assertj:assertj-swing-junit:3.8.0'
     testCompile 'org.reflections:reflections:0.9.11'
     testCompile 'org.xmlunit:xmlunit-core:2.5.1'
     testCompile 'org.xmlunit:xmlunit-matchers:2.5.1'
-    testCompile 'com.tngtech.archunit:archunit-junit:0.5.0'
-    testCompile "org.testfx:testfx-core:4.0.+"
-    testCompile "org.testfx:testfx-junit:4.0.+"
+    testRuntime 'org.apache.logging.log4j:log4j-core:2.11.0'
+    testRuntime 'org.apache.logging.log4j:log4j-jul:2.11.0'
+    testRuntime 'org.junit.jupiter:junit-jupiter-engine:5.1.0'
+    testRuntime 'org.junit.vintage:junit-vintage-engine:5.1.0'
 
     checkstyle 'com.puppycrawl.tools:checkstyle:8.8'
 }
@@ -499,3 +484,7 @@ jmh {
     iterations = 10
     fork = 2
 }
+
+licenseReport {
+     renderers = [new com.github.jk1.license.render.TextReportRenderer(), new com.github.jk1.license.render.SimpleHtmlReportRenderer()]
+}

docs/adr/0003-use-external-libraries.txt-for-tracking-dependencies.md

@@ -0,0 +1,37 @@
+# Use external-libraries.txt for tracking dependencies
+
+Technical Story: https://github.com/JabRef/jabref/pull/3906#issuecomment-377597588 and https://github.com/JabRef/jabref/issues/3897
+
+## Context and Problem Statement
+
+External libraries need to be tracked, because Linux distributions have a demand on tracking down the dependencies to ensure proper licensing.
+For instance, see [The main archive area of Debian](https://www.debian.org/doc/debian-policy/#the-main-archive-area) and [Dependencies](https://www.debian.org/doc/debian-policy/#dependencies).
+
+## Decision Drivers
+
+* Correct statements only
+* Complete
+* Only used libraries, not the removed ones
+* Easy to maintain
+* High automation
+
+## Considered Options
+
+* No list maintenance
+* Maintain `external-libraries.txt` manually
+* Use [Gradle-License-Report plugin](https://github.com/jk1/Gradle-License-Report)
+
+## Decision Outcome
+
+Chosen option: "Maintain `external-libraries.txt` manually", because 
+
+- Dependencies not tracked in `build.gradle` can also be tracked
+- Comments can be added
+- Additional information such as the project repository can be added
+- Not all libraries have complete POMs (license statement, project homepage, project repository)
+
+Positive Consequences:
+* Simple text file can be distributed
+
+Negative consequences:
+* Manual effort required to keep consistency to `build.gradle`

docs/adr/index.md

@@ -7,6 +7,7 @@ This log lists the architectural decisions for JabRef.
 - [ADR-0000](0000-use-markdown-architectural-decision-records.md) - Use Markdown Architectural Decision Records
 - [ADR-0001](0001-use-crowdin-for-translations.md) - Use Crowdin for translations
 - [ADR-0002](0002-use-slf4j-for-logging.md) - Use slf4j together with log4j2 for logging
+- [ADR-0003](0003-use-external-libraries.txt-for-tracking-dependencies.md) - Use external-libraries.txt for tracking dependencies
 
 <!-- adrlogstop -->
 

external-libraries.txt

@@ -1,20 +1,29 @@
-This document lists the fonts, icons, and libraries used by JabRef.
-This file is manually kept in sync with build.gradle and the binary jars contained in the lib/ directory.
+# External dependencies of JabRef
 
-One can list all depdencies by using Gradle task `depdencyReport`.
+This file lists the fonts, icons, and libraries used by JabRef.
+This file is manually kept in sync with `build.gradle` and the binary jars contained in the `lib/` directory.
+
+One can list all dependencies by using Gradle task `depdencyReport`.
 It generated the file [build/reports/project/dependencies.txt](build/reports/project/dependencies.txt).
 
-# Legend
+See [ADR-0003](docs/adr/0003-use-external-libraries.txt-for-tracking-dependencies.md) for a reasoning, why we maintain this file manually.
 
-## License
+## Howto
 
 We follow the [SPDX license identifiers](https://spdx.org/licenses/).
 In case you add a library, please use these identifiers.
 For instance, "BSD" is not exact enough, there are numerous variants out there: BSD-2-Clause, BSD-3-Clause-No-Nuclear-Warranty, ...
 Note that the SPDX license identifiers are different from the ones used by debian. See https://wiki.debian.org/Proposals/CopyrightFormat for more information.
 
+You can create a license report by using the [Gradle-License-Report plugin](https://github.com/jk1/Gradle-License-Report) by executing following command:
+
+    ./gradlew generateLicenseReport
+
+You will have `build/reports/depdendency-license/index.html` and `build/reports/depdendency-license/THIRD-PARTY-NOTICES.txt`.
+The licenses stated there are not as complete as here.
+Nevertheless, you should the output for a cross-check
 
-# Fonts and Icons
+## Fonts and Icons
 
 The loading animation during loading of recommendations from Mr. DLib is created by <http://loading.io/> and is free of use under licence CC0 1.0.
 
@@ -26,7 +35,7 @@ License: SIL Open Font License, Version 1.1
 Note:    It is important to include v1.5.54 or later as v1.5.54 is the first version offering fixed code points. Do not confuse with http://zavoloklom.github.io/material-design-iconic-font/
 
 
-# Libraries
+## Libraries
 
 (Sorted alphabetically by Id)
 
@@ -50,6 +59,11 @@ Project: latex2unicode
 URL:     https://github.com/tomtung/latex2unicode
 License: Apache 2.0
 
+Id:      com.google.guava
+Project: Google Guava
+URL:     https://github.com/google/guava
+License: Apache-2.0
+
 Id:      com.impossibl.pgjdbc-ng:pgjdbc-ng
 Project: pgjdbc-ng
 URL:     http://impossibl.github.io/pgjdbc-ng
@@ -85,11 +99,6 @@ Project: Apache Commons CLI
 URL:     http://commons.apache.org/cli/
 License: Apache-2.0
 
-Id:      commons-logging:commons-logging
-Project: Apache Commons Logging
-URL:     http://commons.apache.org/logging/
-License: Apache-2.0
-
 Id:      de.codecentric.centerdevice
 Project: javafxsvg
 URL:     https://github.com/codecentric/javafxsvg
@@ -135,11 +144,6 @@ Project: ANTLR 4
 URL:     http://www.antlr.org/
 License: BSD
 
-Id:      org.apache.commons:commons-lang3
-Project: Apache Commons Lang
-URL:     https://commons.apache.org/proper/commons-lang/
-License: Apache-2.0
-
 Id:      org.apache.logging.log4j
 Project: Apache Log2j 2
 URL:     http://logging.apache.org/log4j/2.x/
@@ -200,24 +204,24 @@ Project: jsoup
 URL:     https://github.com/jhy/jsoup/
 License: MIT
 
-Id:      org.openoffice:juh
-Project: OpenOffice.org
-URL:     http://www.openoffice.org/api/SDK
+Id:      org.libreoffice:juh
+Project: LibreOffice
+URL:
 License: LGPL 3.0
 
-Id:      org.openoffice:jurt
-Project: OpenOffice.org
-URL:     http://www.openoffice.org/api/SDK
+Id:      org.libreoffice:jurt
+Project: LibreOffice
+URL:
 License: Apache-2.0
 
-Id:      org.openoffice:ridl
-Project: OpenOffice.org
-URL:     http://www.openoffice.org/api/SDK
+Id:      org.libreoffice:ridl
+Project: LibreOffice
+URL:
 License: Apache-2.0
 
-Id:      org.openoffice:unoil
-Project: OpenOffice.org
-URL:     http://www.openoffice.org/api/SDK
+Id:      org.libreoffice:unoil
+Project: LibreOffice
+URL:
 License: Apache-2.0
 
 Id:      org.xmlunit:xmlunit-core
@@ -235,5 +239,3 @@ Path:    lib/spin.jar
 Project: Spin
 URL:     http://spin.sourceforge.net/
 License: LGPL-2.1+
-
-The last entry has to end with an empty line. Otherwise the entry is not present in About.html.