Inconsistent licenses detected by GitHub Dependency Graph

[scordio]

When looking at the jimfs-junit-jupiter dependency graph, which uses JUnit 6.0.1, I noticed that the licenses of the JUnit modules are inconsistent:

• junit-jupiter-engine and junit-platform-testkit are reported as NOASSERTION
• junit-jupiter-params and junit-platform-engine are reported as MIT AND LicenseRef-scancode-unknown-license-reference AND EPL-2.0
• The remaining modules don't have a license

The situation is slightly different when looking at the junit-converters dependency graph, which uses JUnit 5.14.1.

I don't know whether it's something JUnit could solve or a bug in the GitHub dependency graph/dependency submission. Nevertheless, I wanted to raise awareness, as consuming projects might rely on the SBOM that GitHub provides.

[mpkorstanje]

Downloading the SBOM for jimfs-junit-jupiter I see:

    {
      "name": "org.junit.jupiter:junit-jupiter-params",
      "SPDXID": "SPDXRef-maven-org.junit.jupiter-junit-jupiter-params-6.0.1-9f4a34",
      "versionInfo": "6.0.1",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "MIT AND LicenseRef-scancode-unknown-license-reference AND EPL-2.0",
      "copyrightText": "Copyright (c) 2014-2025 Oliver Siegmar",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.junit.jupiter/junit-jupiter-params@6.0.1?type=jar"
        }
      ]
    },

The licenseConcluded looks correct. Extracting junit-jupiter-params-6.0.1.jar shows:

$ tree junit-jupiter-params-6.0.1/META-INF/
junit-jupiter-params-6.0.1/META-INF/
├── junit-jupiter-params.shadow.kotlin_module
├── LICENSE-fastcsv
├── LICENSE.md
├── LICENSE-notice.md
└── MANIFEST.MF

LICENSE.md is EPL-2.0, LICENSE-fastcsv is MIT, and LICENSE-notice.md explains that this product may include a number of subcomponents with separate copyright notices and license terms. Which is correctly classed as LicenseRef-scancode-unknown-license-reference.

The copyrightText references Oliver Siegmar who authored FastCSV, which is shadowed into JUnit Jupiter Params. This looks a bit odd because he is not the sole author of JUnit, but technically this is correct because this is the only author mentioned in any of the license files.

    {
      "name": "org.junit.jupiter:junit-jupiter-engine",
      "SPDXID": "SPDXRef-maven-org.junit.jupiter-junit-jupiter-engine-6.0.1-1f6176",
      "versionInfo": "6.0.1",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.junit.jupiter/junit-jupiter-engine@6.0.1?type=jar"
        }
      ]
    },

Furthermore there is a NOASSERTION made about the download location of junit-jupiter-engine. How and why that shows up as the label for a license is a question you should address to Github.

The licenses are included:

$ tree junit-jupiter-engine-6.0.1/META-INF/
junit-jupiter-engine-6.0.1/META-INF/
├── LICENSE.md
├── LICENSE-notice.md
├── MANIFEST.MF
└── services
    └── org.junit.platform.engine.TestEngine

I don't know whether it's something JUnit could solve or a bug in the GitHub dependency graph/dependency submission. Nevertheless, I wanted to raise awareness, as consuming projects might rely on the SBOM that GitHub provides.

I think it would be good if you can report this issue to at Github Community and leave a reference to that discussion here. But as at the moment there doesn't seem to be anything that is actionable for the JUnit team, I'll close this issue.

[github-actions]

Please assign a status label to this issue.

[github-actions]

Please assign a status label to this issue.

[github-actions]

Please assign a status label to this issue.