aboutcode-org / scancode-toolkit

:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
https://aboutcode.org/scancode/

False positives in Eclipse Hawkbit #2550

Open hanna-modica opened 3 years ago

hanna-modica commented 3 years ago

Description

ScanCode reports BSD 3 Clause in multiple Eclipse Hawkbit classes, although it states Eclipse Public License v1.0.

Examples:

and many more

How To Reproduce

Scan https://github.com/eclipse/hawkbit with ScanCode

System configuration

The scan was done on Linux with the OSS Review Toolkit https://github.com/oss-review-toolkit/ort/ using ScanCode as the scanner.

pombredanne commented 3 years ago

Thanks! The culprit is a rule edl-1.0_or_epl-1.0.RULE and edl-1.0_or_epl-1.0.yml that should be detected only if there is more of it detected, using the "minimum_coverage" attribute, likely to about 90%.

```json
{
  "key": "bsd-new",
  "score": 56.45,
  "name": "BSD-3-Clause",
  "short_name": "BSD-3-Clause",
  "category": "Permissive",
  "is_exception": false,
  "owner": "Regents of the University of California",
  "homepage_url": "http://www.opensource.org/licenses/BSD-3-Clause",
  "text_url": "http://www.opensource.org/licenses/BSD-3-Clause",
  "reference_url": "https://scancode-licensedb.aboutcode.org/bsd-new",
  "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/bsd-new.LICENSE",
  "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/bsd-new.yml",
  "spdx_license_key": "BSD-3-Clause",
  "spdx_url": "https://spdx.org/licenses/BSD-3-Clause",
  "start_line": 4,
  "end_line": 15,
  "matched_rule": {
    "identifier": "edl-1.0_or_epl-1.0.RULE",
    "license_expression": "epl-1.0 OR bsd-new",
    "licenses": [
      "epl-1.0",
      "bsd-new"
    ],
    "is_license_text": false,
    "is_license_notice": true,
    "is_license_reference": false,
    "is_license_tag": false,
    "is_license_intro": false,
    "matcher": "3-seq",
    "rule_length": 62,
    "matched_length": 35,
    "match_coverage": 56.45,
    "rule_relevance": 100
  },
  "matched_text": "This program and the accompanying materials\n * are made available under the terms of the Eclipse Public License v1.0\n * which accompanies this distribution, [and] is available at\n * http://www.eclipse.org/legal/epl-v10.html\n */\n[package] [org].[eclipse].[hawkbit].[ui].[common].[event];\n\n/**\n * [Enum] [constants] [for] [filter] [type]\n */\n[public] [enum] [FilterType] {\n    [SEARCH], [TYPE], [TAG], [NO]_[TAG], [STATUS], [OVERDUE], [QUERY], DISTRIBUTION,"
}
```
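Until the rule carries a minimum_coverage, the same check can be applied on the consumer side of the scan output. The following is an added triage script, not part of the ScanCode project or of this thread: it recomputes coverage from matched_length and rule_length and flags every license match below a chosen threshold, so the 35-of-62 "3-seq" partial match above surfaces for review while a full match passes. The file path, the second match and its "epl-1.0_EXAMPLE.RULE" identifier are constructed placeholders.

```python
# Constructed sample in the shape of scancode-toolkit JSON output: one file with
# two license matches. The first copies the numbers from the match pasted above
# (35 of 62 rule tokens matched by the "3-seq" matcher); the second is a made-up
# clean match. The path and the "epl-1.0_EXAMPLE.RULE" identifier are placeholders.
SAMPLE_SCAN = {"files": [{"path": "example/FilterType.java", "licenses": [
    {"key": "bsd-new", "score": 56.45, "start_line": 4, "end_line": 15,
     "matched_rule": {"identifier": "edl-1.0_or_epl-1.0.RULE",
                      "license_expression": "epl-1.0 OR bsd-new", "matcher": "3-seq",
                      "rule_length": 62, "matched_length": 35,
                      "match_coverage": 56.45, "rule_relevance": 100}},
    {"key": "epl-1.0", "score": 100.0, "start_line": 4, "end_line": 8,
     "matched_rule": {"identifier": "epl-1.0_EXAMPLE.RULE",
                      "license_expression": "epl-1.0", "matcher": "2-aho",
                      "rule_length": 35, "matched_length": 35,
                      "match_coverage": 100.0, "rule_relevance": 100}},
]}]}


def coverage_pct(rule: dict) -> float:
    """Recompute coverage as the output reports it: matched tokens / rule tokens, in percent."""
    return round(100.0 * rule["matched_length"] / rule["rule_length"], 2)


def flag_low_coverage(scan: dict, minimum_coverage: float = 90.0) -> list:
    """Return matches whose rule coverage is below minimum_coverage.

    These are the detections a rule-level minimum_coverage of that value would
    suppress, and the ones to review by hand before trusting the license key.
    """
    flagged = []
    for f in scan["files"]:
        for lic in f.get("licenses", []):
            rule = lic["matched_rule"]
            cov = coverage_pct(rule)
            if cov < minimum_coverage:
                flagged.append({"path": f["path"], "key": lic["key"],
                                "rule": rule["identifier"], "matcher": rule["matcher"],
                                "coverage": cov,
                                "lines": (lic["start_line"], lic["end_line"])})
    return flagged


if __name__ == "__main__":
    for hit in flag_low_coverage(SAMPLE_SCAN, minimum_coverage=90.0):
        print(f"{hit['path']}:{hit['lines'][0]}-{hit['lines'][1]} {hit['key']} "
              f"via {hit['rule']} ({hit['matcher']}) coverage {hit['coverage']}%")
```

To run it over a real scan, replace SAMPLE_SCAN with the parsed JSON file ScanCode wrote; the structure walked here is the same "files" / "licenses" / "matched_rule" nesting shown in the pasted match.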