We distribute a number of third-party jars with our product.
Is there any way I can analyse or perform a lookup on each jar in order to determine its license - e.g. CDDL v1.0, Apache License Version 2.0?
I thought maven might provide an answer, but a quick search of the repositories shows that many projects do not provide their license information (e.g. ant, lucene).
How do others ensure they comply with the various licenses of third-party jars they distribute?
You could list them in the docuemntationa.
An example I have seen of this is konakart
It is a partially open source, they list how to find the licensing in their jar files.
Unfortunately there is no defined format for accomplishing this task.
Most licenses require that a copy of the license is distributed and I would expect a JAR to contain said licensing information. Exactly where or in what format is, somewhat unfortunately, not define over JAR files in general.
Personally, when I use external JAR files I include a corresponding "jarxyx-license.txt" corresponding to each JAR in lib/ (or wherever they may be). I often find/extracted this license file from elsewhere. This approach may not work so well for an automated tool like maven.