@rajapandi1234 rajapandi1234 commented Dec 23, 2025

Summary by CodeRabbit

  • Documentation
    • Added comprehensive THIRD-PARTY-NOTICES document listing all third-party packages, versions, licenses, and attribution information with links to project homepages.

Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
coderabbitai bot commented Dec 23, 2025

Walkthrough

Adds a THIRD-PARTY-NOTICES document that catalogs third-party dependencies used in the project. The document lists multiple packages including Lombok, Jackson, Spring Framework, MOSIP Kernel Libraries, ActiveMQ, Keycloak, Hibernate, and iText, with their respective versions, licenses, and homepage URLs. It directs readers to the repository's license directory for full license texts.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Licensing Documentation: THIRD-PARTY-NOTICES | New document enumerating third-party packages with versions, licenses, and source URLs; includes module listings and directs to license directory |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A notice so grand, of packages dear,
With licenses listed, both far and near,
From Lombok to Keycloak, all accounted with care,
Third-party respects, shown with flair!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title 'Create THIRD-PARTY-NOTICES' directly and concisely describes the main change, which is adding a new THIRD-PARTY-NOTICES document to the repository. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a09d66 and 81eabba.

📒 Files selected for processing (1)
  • THIRD-PARTY-NOTICES
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-maven-authentication-demo-service / maven-build
  • GitHub Check: build-maven-apitest-commons / maven-build
  • GitHub Check: Analyze (java-kotlin)
🔇 Additional comments (3)
THIRD-PARTY-NOTICES (3)

343-343: Verify that the referenced license/ directory exists and is current.

The document directs readers to "the license/ directory of this repository" for full license texts but provides no context about its existence or maintenance status. Confirm that this directory exists, contains all referenced license files, and is kept in sync with dependency updates.


1-343: The THIRD-PARTY-NOTICES file's inferred license claims for Project Lombok (MIT), SLF4J (MIT), PostgreSQL JDBC Driver (BSD-2-Clause), and Hibernate Core (LGPL-2.1) are accurate and match official source declarations. No corrections are needed.


289-300: iText AGPL licensing requires no action for this test project.

The project's MPL 2.0 license explicitly permits combining AGPL-3.0 dependencies through Section 3.3 compatibility provisions. iText's usage in test utilities (AdminTestUtil.java) does not trigger AGPL's network-disclosure obligations, which apply only when modified AGPL code is exposed as a remote network service. This is standard practice in open-source test suites.


================================================================================
Package: Project Lombok
Version: Not specified
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, find the THIRD-PARTY-NOTICES file and examine its content
find . -name "THIRD-PARTY-NOTICES" -type f 2>/dev/null | head -5

Repository: mosip/mosip-functional-tests

Length of output: 93


🏁 Script executed:

# Also search for pom.xml files to locate dependency manifests
find . -name "pom.xml" -type f 2>/dev/null | head -10

Repository: mosip/mosip-functional-tests

Length of output: 145


🏁 Script executed:

# Read the THIRD-PARTY-NOTICES file to verify the "Not specified" versions
cat -n ./THIRD-PARTY-NOTICES

Repository: mosip/mosip-functional-tests

Length of output: 16881


🏁 Script executed:

# Read the main pom.xml to extract dependency versions
cat -n ./pom.xml

Repository: mosip/mosip-functional-tests

Length of output: 13624


🏁 Script executed:

# Read the apitest-commons pom.xml to find dependency versions
cat -n ./apitest-commons/pom.xml

Repository: mosip/mosip-functional-tests

Length of output: 27923


🏁 Script executed:

# Check the authentication-demo-service pom.xml to see if it has more explicit versions
cat -n ./authentication-demo-service/pom.xml | head -100

Repository: mosip/mosip-functional-tests

Length of output: 3906


Add version information for packages listed in THIRD-PARTY-NOTICES.

Ten packages currently show "Not specified" versions (Project Lombok, Jackson, Spring Framework, SLF4J, Swagger Annotations, PostgreSQL, JSON.simple, Gson, Rest-Assured, org.json). While these versions are resolved through inherited dependencies and imported BOMs (particularly kernel-bom v1.3.0-beta.1), they should be explicitly documented in THIRD-PARTY-NOTICES to improve reproducibility and traceability. Extract the resolved versions from your dependency tree or dependency management and update each entry accordingly.

🤖 Prompt for AI Agents
In THIRD-PARTY-NOTICES around line 7, several package entries list "Version: Not
specified"; update each of those entries (Project Lombok, Jackson, Spring
Framework, SLF4J, Swagger Annotations, PostgreSQL, JSON.simple, Gson,
Rest-Assured, org.json) by extracting their resolved versions from the project's
dependency tree or dependencyManagement/BOM (e.g., run mvn dependency:tree or
inspect kernel-bom v1.3.0-beta.1) and replace "Not specified" with the exact
resolved version strings so the notice file explicitly documents the concrete
versions used.
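
The extraction step the review comment asks for, as an added example (not code from this PR or from the MOSIP project): it parses the `Package:`/`Version:` layout visible in the excerpt above, finds entries marked `Not specified`, and looks up their resolved versions in `mvn dependency:tree` output. The sample notice text, the tree output with its placeholder versions, and the `COORDS` name-to-coordinate mapping are constructed assumptions.

```python
import re

# Constructed sample: separator/Package/Version layout as in the review excerpt.
NOTICES = """\
================================================================================
Package: Project Lombok
Version: Not specified
================================================================================
Package: Example Pinned Library
Version: 1.2.3
"""

# Constructed `mvn dependency:tree` output; all versions are placeholders.
TREE = """\
[INFO] org.example:demo:jar:0.0.0
[INFO] +- org.projectlombok:lombok:jar:0.0.0-example:provided
[INFO] |  \\- org.example:native-lib:jar:linux-x86_64:0.0.1-example:runtime
"""

# Hypothetical mapping from notice names to Maven groupId:artifactId.
COORDS = {"Project Lombok": "org.projectlombok:lombok"}
COORD_RE = re.compile(r"([\w.\-]+(?::[\w.\-]+){3,5})\s*$")

def parse_notices(text):
    """Return [(package, version)] from Package:/Version: line pairs."""
    entries, package = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Package":
            package = value.strip()
        elif key.strip() == "Version" and package:
            entries.append((package, value.strip()))
            package = None
    return entries

def resolved_versions(tree):
    """Map groupId:artifactId -> version from dependency:tree lines."""
    out = {}
    for m in filter(None, map(COORD_RE.search, tree.splitlines())):
        parts = m.group(1).split(":")
        # g:a:type:version[:scope], or g:a:type:classifier:version:scope
        out[":".join(parts[:2])] = parts[4] if len(parts) == 6 else parts[3]
    return out

def propose_versions(notices, tree, coords):
    """For each 'Not specified' entry, the resolved version or None."""
    resolved = resolved_versions(tree)
    return {pkg: resolved.get(coords.get(pkg, ""))
            for pkg, ver in parse_notices(notices) if ver == "Not specified"}
```

An entry that maps to `None` has no coordinate in the mapping or no match in the tree, so it still needs a manual lookup before the notice file can be called complete.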

@Mahesh-Binayak Mahesh-Binayak merged commit 1d07ad3 into mosip:develop Dec 24, 2025
9 checks passed