List of Libraries used by OFBiz
Deprecated Document
Note that this document was used to collect the information when OFBiz was in the Apache Incubator. It has been maintained for a long period (about end of 2009) but is not maintained anymore. So it's now deprecated and the official source of information are the LICENCE ans NOTICE files (see links below)
This is the list of the libraries distributed with OFBiz, needed to build and run OFBiz in the default configuration.
However, in order to run OFBiz in a different configuration (for example a different database) or in order to activate some specialized plugins (for example the JasperReport plugin) you may need additional jar files in your classpath. Some of them are delivered with licenses not compatible with the OFBiz license, the ASL2.0, and (also) for this reason they are not distributed with OFBiz. You can find some of them here. For details see the OPTIONAL_LIBRARIES file in the ofbiz directory from svn.
The official OFBiz license files, included in the trunk, are the following ones:
Some notes on licenses
We can use and include libraries licensed with any BSD/MIT like license including Apache, etc. We can also change and redistribute these libraries.
We can use and include libraries licensed with SPL (Sun), MPL (Mozilla), and similar licenses. We cannot change these and redistribute the changes though. These are a combination of the GPL and BSD licenses and make a distinction between "Covered Code" and "Larger Works". If we change the code the changes must be SPL/MPL/whatever licensed, but we can use the libraries unmodified just fine.
We can use, but can not include, libraries licensed with LGPL. The licensing quirk here is that we can write code that uses the libraries but can't include (distribute) the libraries themselves. This means that we have to have the build.xml files out of the box with exclusions for these source files. For each one we should document which jar files are needed, where they can be obtained, and which build.xml file(s) need to be changed to compile the Java files that depend on them.
We cannot use nor include libraries licensed with the GPL. The use and distribution restrictions are simply too tight and there is no way around them.
To have a more complete view on licences compatibilty please use this ASF policy : ASF Legal Previously Asked Questions
File Name |
URL |
License |
Notice |
Runtime Dependencies |
Notes |
|
---|---|---|---|---|---|---|
base |
|
|
|
|
|
|
commons/ commons-beanutils-1.7.0.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-cli-1.0.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-codec-1.3.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-collections-3.2.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-digester-1.8.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-discovery-0.4.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-el-1.0.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-fileupload-1.2.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-io-1.3.1.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-lang-2.3.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-logging-1.1.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-modeler-2.0.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-pool-1.3.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-primitives-1.0.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-validator-1.3.1.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
commons/ commons-vfs-1.0.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
scripting/ antlr-2.7.6.jar |
BSD |
|
|
updated |
||
scripting/ asm-2.2.jar, asm-analysis-2.2.jar, asm-tree-2.2.jar, asm-util-2.2.jar |
BSD |
|
|
updated |
||
scripting/ bsf-2.4.0.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
scripting/ bsh-2.0b4.jar |
License notice only for SPL |
|
updated |
|||
scripting/ groovy-1.5.6.jar |
Apache 2.0 |
|
|
updated |
||
scripting/ jython-nooro.jar |
None |
|
|
|||
scripting/ jakarta-oro-2.0.8.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
Tidy.jar |
W3C License |
License notice only for W3C |
|
Not used? |
||
ant-1.7.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
updated |
||
ant-launcher-1.7.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
ant-1.7.0.jar |
updated |
||
ant-junit-1.7.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
ant-1.7.0.jar |
updated |
||
avalon-framework-4.2.0.jar |
Apache 2.0 |
Has ASF plus additional notices (here) |
|
|
||
avalon-util-exception-1.0.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
freemarker-2.3.15.jar |
BSD |
License notice for BSD plus additional notice |
|
updated |
||
j2eespecs/ geronimo-activation_1.0.2_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices (here) |
|
|
||
j2eespecs/ geronimo-j2ee-connector_1.5_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
j2eespecs/ geronimo-jaxr_1.0_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
j2eespecs/ geronimo-jaxrpc_1.1_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
j2eespecs/ geronimo-jms_1.1_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
j2eespecs/ geronimo-jsp_2.0_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
j2eespecs/ geronimo-jta_1.1_spec-1.1.1.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
j2eespecs/ geronimo-qname_1.1_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
j2eespecs/ geronimo-saaj_1.1_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
j2eespecs/ geronimo-servlet_2.4_spec-1.0.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
httpunit.jar |
BSD license |
License notice only for BSD |
|
|
||
icu4j_3_6.jar |
License notice only for MIT/X |
|
updated |
|||
jakarta-regexp-1.5.jar |
Apache 2.0 |
ASF Only |
|
updated |
||
javacc.jar |
3-Clause BSD |
|
|
|
||
javolution-5.2.3.jar |
BSD license |
License notice only for BSD |
|
updated |
||
jdbm-1.0.jar |
BSD (JDBM LICENSE v1.00) |
5. Due credit should be given to the JDBM Project |
|
updated; however, this comment by Peter Goron is worth of consideration: "Jdbm doesn't seem to be an active project anymore. Maybe we must start thinking about another project to manage ofbiz cache stuff to avoid to have to maintain this stuff ourself. I've heard some interesting features from ehcache project (ehcache.sourceforge.net) like distributed caches and scalability." |
||
junit.jar |
License notice only for CPL |
|
|
|||
junitperf.jar |
License notice only for BSD |
|
|
|||
log4j-1.2.15.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
updated |
||
mail.jar |
|
|
javax.mail.* and com.sun.mail.* |
|||
mx4j-3.0.1.jar |
|
Apache 2.0 |
Found something that looks like a notice in the license file here |
|
|
|
mx4j-remote-3.0.1.jar |
|
Apache 2.0 |
Found something that looks like a notice in the license file |
|
|
|
owasp-esapi-full-java-1.4.jar |
BSD |
|
|
|
||
resolver-2.8.1.jar |
Distributed with Xerces |
Apache 2.0 |
Has ASF plus additional notices |
|
|
|
xercesImpl-2.8.1.jar |
|
Apache 2.0 |
Has ASF plus additional notices |
resolver-2.8.1.jar |
|
|
xml-apis-2.8.1.jar |
Distributed with Xerces |
Apache 2.0 |
Has ASF plus additional notices |
|
|
|
catalina |
|
|
|
|
|
|
catalina.jar |
|
Apache 2.0 |
ASF Only |
|
5.5.23 |
|
catalina-cluster.jar |
|
Apache 2.0 |
ASF Only |
|
5.5.23 |
|
catalina-optional.jar |
|
Apache 2.0 |
ASF Only |
|
5.5.23 |
|
jasper-compiler.jar |
|
Apache |
No notice file - ASF Only |
|
5.5.23 |
|
jasper-compiler-jdt.jar |
|
Apache |
No notice file - ASF Only |
|
5.5.23 |
|
jasper-runtime.jar |
|
Apache |
No notice file - ASF Only |
|
5.5.23 |
|
naming-factory.jar |
|
|
No notice |
|
5.5.23 |
|
naming-resources.jar |
|
|
No notice |
|
5.5.23 |
|
servlets-default.jar |
|
Apache 2.0 |
ASF Only |
|
5.5.23 |
|
tomcat-ajp.jar |
|
Apache 2.0 |
ASF Only |
|
5.5.23 |
|
tomcat-coyote.jar |
|
Apache 2.0 |
ASF Only |
|
5.5.23 |
|
tomcat-http.jar |
|
Apache 2.0 |
ASF Only |
|
5.5.23 |
|
tomcat-util.jar |
|
Apache 2.0 |
ASF Only |
|
5.5.23 |
|
content |
|
|
|
|
|
|
lucene-2.2.0.jar |
Apache 2.0 |
ASF and additional notice |
|
updated |
||
poi-3.2-FINAL-20081019.jar |
Apache 2.0 |
ASF Only |
|
|
||
entity |
|
|
|
|
|
|
commons-dbcp-1.3-20091113-r835956.jar |
Apache 2.0 |
ASF Only |
|
Built using DBCP trunk |
||
ofbiz-minerva.jar |
|
X license |
License notice only for MIT/X |
|
|
|
jdbc/ derby-10.4.2.0.jar |
Apache |
Has ASF plus additional notices |
|
updated |
||
geronimo |
|
|
|
|
|
|
geronimo-transaction-2.1.1.jar |
Apache 2.0 |
Has ASF plus additional notices |
geronimo-jta_1.1_spec-1.1.1.jar, geronimo-connector-2.1.1.jar |
|
||
geronimo-connector-2.1.1.jar |
Apache 2.0 |
Doesn't appear to have any notice |
geronimo-jta_1.1_spec-1.1.1.jar |
|
||
guiapp |
|
|
|
|
|
|
XuiCoreSwing-v3.2rc2b.jar |
MPL 1.1 |
License notice only for MPL |
|
It's now XPL but we don't have to worry it's a clone of MPL see here |
||
images |
|
|
|
|
|
|
dojo |
BSD |
License notice only for BSD |
|
|
||
prototype |
MIT |
License notice only for MIT |
|
prototype 1.6 |
|
|
Scriptalous |
MIT |
MIT plus additional notice |
|
scriptaculous 1.8 |
|
|
calendar_date_select.js |
MIT |
License notice only for MIT |
prototype 1.6 |
Version 1.10.5 |
||
control.progress_bar.js |
MIT |
License notice only for MIT |
|
progress_bar 1.0.1 |
|
|
progress_bar.css |
MIT |
License notice only for MIT |
|
progress_bar 1.0.1 |
|
|
WhizzyWig.js |
MIT |
MIT plus additional notice |
|
whizzywig_v55i.js |
|
|
jetty |
|
|
|
|
|
|
ant.jar |
|
Apache 2.0 |
Has ASF plus additional notices |
|
|
|
jasper-compiler.jar |
|
Apache |
No notice file - ASF Only |
|
|
|
jasper-runtime.jar |
|
Apache |
No notice file - ASF Only |
|
|
|
org.mortbay.jetty.jar |
Apache 2.0 |
Has custom notice file |
|
Not needed? |
||
org.mortbay.jmx.jar |
Apache 2.0 |
Has custom notice file |
|
Not needed? |
||
service |
|
|
|
|
|
|
axis.jar |
Apache |
Axis 2 has a NOTICE file, but not Axis; appears to be ASF only |
|
|
||
axis-ant.jar |
Apache |
Axis 2 has a NOTICE file, but not Axis; appears to be ASF only |
|
|
||
wsdl4j.jar |
CPL |
License notice only for CPL |
|
|
||
webapp |
|
|
|
|
|
|
DataVision-1.0.0.jar |
Apache 1.1 |
License notice for Icons |
bsf (2.3.0) |
In order to run some reports the following runtime dependencies may exist: |
||
barcode4j-fop-ext-complete-2.0.jar |
Apache 2.0 |
Has notice with ASF, Krysalis, and JDOM |
fop-0.95.jar |
|||
batik-all-1.7.jar |
Apache 2.0 |
Has ASF plus additional notices |
|
|
||
ezmorph-0.9.1.jar |
Apache 2.0 |
No notice found |
|
|
||
fop-0.95.jar |
Apache 2.0 |
Has ASF plus additional notices |
avalon-framework-4.2.0.jar |
The following (optional) jars, included in the FOP distribution, have not been included in OFBiz: commons-logging-1.0.4.jar (because we already have commons-logging-1.1.jar), xercesImpl-2.7.1.jar (because we already have xercesImpl-2.8.1.jar), xml-apis-1.3.02.jar (because we already have xml-apis-2.8.1.jar) |
||
xalan-2.7.0.jar |
Apache 2.0 |
ASF plus additional notice |
serializer-2.7.0.jar |
This jar is only required by fop because there is a bug in the 0.94 release |
||
serializer-2.7.0.jar |
Apache 2.0 |
ASF plus additional notice |
|
This jar is only required by fop because there is a bug in the 0.94 release |
||
itext-2.0.1.jar |
MPL 1.1 |
License notice only for MPL |
|
updated |
||
jdom-1.1.jar |
Modified Apache |
No notice found |
|
|
||
json-lib-2.2.3-jdk15.jar |
Apache 2.0 |
ASF plus additional notice |
|
|
||
rome-0.9.jar |
Apache 2.0 |
No notice found |
|
|
||
velocity-1.5.jar |
Apache 2.0 |
ASF Only |
commons-collections |
updated |
||
ws-commons-java5-1.0.1.jar |
Apache 2.0 |
ASF Only |
|
|
||
ws-commons-util-1.0.1.jar |
Apache 2.0 |
ASF Only |
|
|
||
xmlgraphics-commons-1.2.jar |
Apache 2.0 |
|
|
|
||
xmlrpc-client-3.0.jar |
Apache 2.0 |
ASF Only |
xmlrpc-common-3.0.jar |
|
||
xmlrpc-common-3.0.jar |
Apache 2.0 |
ASF Only |
|
|
||
xmlprc-server-3.0.jar |
Apache 2.0 |
ASF Only |
xmlrpc-common-3.0.jar |
|
||
ldap |
|
|
|
|
|
|
cas-server-core-3.3.jar |
BSD |
License notice only for BSD |
|
CAS (Central Authentification Service) provide a trusted way for an application to authenticate a user |
||
pos |
|
|
|
|
|
|
jcl.jar |
License notice only for CPL |
|
Configuration and loading of device services developed to the JavaPOS architecture and standard |
|||
jpos18-controls.jar |
CPL |
License notice only for CPL |
|
Latest version is now 1.10 and the licence is CPL which is an OSS Apache-like license. The complete license here |
||
looks-2.0.2.jar |
BSD |
License notice only for BSD |
|
JGoodies look&feels make your Swing applications and applets look better |
||
googlecheckout |
|
|
|
|
|
|
checkout-sdk-0.8.8.jar |
Apache 2.0 |
ASF plus additional notice |
|
|
8 Comments
Pierre Smits
Shouldn't this document reside under the technical section?
Jacques Le Roux
As it's said at top it's deprecated anyway, and this for a long time now. So no.
Michael Brohl
I suggest to remove this page from the Wiki. It is of no use when not maintained. Moved to Trash for now.
Jacques Le Roux
Agreed, the reference is now the main build.gradle file
Pierre Smits
In stead of maintain in the list here (and the changes from released version to released version), It would be better to have this page reference the revision (link to viewvc, or similar) per released version.
Jacques Le Roux
Pierre,
You mean something like
http://svn.apache.org/viewvc/ofbiz/branches/release16.11/build.gradle?view=co&content-type=text%2Fplain
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?view=co&content-type=text%2Fplain
with some explanations ? If yes then I agree, we just miss the explanations
Pierre Smits
Yes Jacques,
That way you can reference a single confluence doc in the sets per release while at the same time keeping the maintenance to a minimum. But I wouldn't do this against the release branches. Instead I would do this against releases. We don't want to confuse our adopters with links to sources that don't reflect the release they implemented, right?
And I would disentangle the dependencies from the build.gradle file into a separate dependencies.gradle file so that adopters (and their developers) don't get confused by the overload of commands and comments in that file.
So you would get something like:
And for the older releases (prior to the releases with gradle) we could have a link to old confluence confluence pages (if there are any).
Jacques Le Roux
Pierre, you said
I agree we could have to change a library version between freezing the branch and releasing it (several times), because of a possible CVE in a library (only case I found). So a link to the branch is not enough.
A separate dependencies.gradle file (included in the main build.gradle using apply from) would be a good idea. But I still see no universal way to show, using a browser, the content of the dependencies.gradle file from inside the the released packages. We could though reference the dependencies.gradle file from the svn release tag...
All: Other ideas?