License is not being detected #3997

cgi-ricardo · 2024-11-22T11:30:57Z

Describe the bug
Running scancode for the following github package (https://github.com/stleary/JSON-java/tree/20230227), it doesn't detect the license inside the pom.xml file (https://github.com/stleary/JSON-java/blob/20230227/pom.xml)

System configuration

Which version of ScanCode.io are you running? 32.2.1
Are you running the app using Docker? yes

Expected behavior
Expect to detect the Public Domain license.

AyanSinhaMahapatra · 2024-11-22T12:40:42Z

@cgi-ricardo thanks for the report, this is a bug indeed.

Note that we are able to detect the license correctly in the context of a package, where we extract license statements in the specific context of the package manifest and then scan that statement for licenses.

But we also scan the package manfiest files (here the pom.xml) with a license scanner without using the context, as a whole file, and there we are getting false positives:

    "license_clues": [
      {
        "license_expression": "cc0-1.0",
        "license_expression_spdx": "CC0-1.0",
        "from_file": "JSON-java-20230227/pom.xml",
        "start_line": 36,
        "end_line": 42,
        "matcher": "3-seq",
        "score": 59.09,
        "matched_length": 13,
        "match_coverage": 59.09,
        "rule_relevance": 100,
        "rule_identifier": "cc0-1.0_200.RULE",
        "rule_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/rules/cc0-1.0_200.RULE",
        "matched_text": "    <licenses>\n        <license>\n            <name>Public Domain</name>\n            <url>https://github.com/stleary/JSON-java/blob/master/LICENSE</url>\n            <distribution>repo</distribution>\n        </license>\n    </licenses>",
        "matched_text_diagnostics": "licenses>\n        <license>\n            <name>Public Domain</name>\n            <url>[https]://[github].[com]/[stleary]/[JSON]-[java]/[blob]/[master]/[LICENSE]</url>\n            <distribution>repo</distribution>\n        </license>\n    </licenses>"
      }
    ],

Note that we are also detecting that there is something wrong with the match and hence considering this as a clue instead of a detection, and so not reporting this in the resource license_expression too.

But we can do better:

Add specific rules to detect this as a public-domain license
Do more to combine file and package license detections to remove ambiguity in these cases.

This detection issue is actually present in scancode-toolkit, so moving it there. Also attaching the scancode-toolkit scan results.

JSON-java.json

Reference: aboutcode-org#3997

Reference: aboutcode-org#3997 Signed-off-by: Alok Kumar <[email protected]>

cgi-ricardo added the bug label Nov 22, 2024

AyanSinhaMahapatra transferred this issue from aboutcode-org/scancode.io Nov 22, 2024

alok1304 added a commit to alok1304/scancode-toolkit that referenced this issue Feb 2, 2025

Add new rule for public domain license

92d6b35

Reference: aboutcode-org#3997

alok1304 linked a pull request Feb 2, 2025 that will close this issue

Add new rule for public domain license #4127

Open

6 tasks

alok1304 added a commit to alok1304/scancode-toolkit that referenced this issue Feb 2, 2025

Add new rule for public domain license

af36c8d

Reference: aboutcode-org#3997 Signed-off-by: Alok Kumar <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

License is not being detected #3997

License is not being detected #3997

cgi-ricardo commented Nov 22, 2024

AyanSinhaMahapatra commented Nov 22, 2024

License is not being detected #3997

License is not being detected #3997

Comments

cgi-ricardo commented Nov 22, 2024

AyanSinhaMahapatra commented Nov 22, 2024