aboutcode-org / scancode-toolkit

:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
https://github.com/aboutcode-org/scancode-toolkit/releases/

False positive: GPL instead of LGPL #2641

Closed hesa closed 3 years ago

hesa commented 3 years ago

Description

Scancode reports:

      "license_expressions": [
        "lgpl-2.0",
        "lgpl-2.1",
        "gpl-2.0",
        "lgpl-2.1",
        "lgpl-3.0",
        "gpl-3.0-plus"
      ],

Source code file states:

This program is free software: you can redistribute it and/or modify it 
under the terms of either or both of the following licenses:

1) the GNU Lesser General Public License version 3, as published by the 
Free Software Foundation; and/or
2) the GNU Lesser General Public License version 2.1, as published by 
the Free Software Foundation.

The source code file is released under LGPLv3 and/or LGPLv2.1, but Scancode reports: lgpl-2.0, lgpl-2.1, gpl-2.0, lgpl-2.1, lgpl-3.0, gpl-3.0-plus

Disclaimer: I may be totally wrong (but I'm a Dancin' fool - Frank Zappa)

How To Reproduce

PKG=libdbusmenu-16.04.0
PKG_FILE=${PKG}.tar.gz
FILE=libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c

curl -LJO https://launchpad.net/libdbusmenu/16.04/16.04.0/+download/libdbusmenu-16.04.0.tar.gz
tar zxvf ${PKG_FILE} $FILE
rm ${PKG_FILE} 
scancode -clipe --license-text --license-text-diagnostics --classify --license-clarity-score --summary --summary-key-files --summary-with-details  ${PKG} --json-pp $(basename $FILE)-scan.json

System configuration

My system:

File header

/*
A library to take the object model made consistent by libdbusmenu-glib
and visualize it in GTK.

Copyright 2009 Canonical Ltd.

Authors:
    Ted Gould <ted@canonical.com>

This program is free software: you can redistribute it and/or modify it 
under the terms of either or both of the following licenses:

1) the GNU Lesser General Public License version 3, as published by the 
Free Software Foundation; and/or
2) the GNU Lesser General Public License version 2.1, as published by 
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but 
WITHOUT ANY WARRANTY; without even the implied warranties of 
MERCHANTABILITY, SATISFACTORY QUALITY or FITNESS FOR A PARTICULAR 
PURPOSE.  See the applicable version of the GNU Lesser General Public 
License for more details.

You should have received a copy of both the GNU Lesser General Public 
License version 3 and version 2.1 along with this program.  If not, see 
<http://www.gnu.org/licenses/>
*/

Scancode report (parts of it)

$ cat  menuitem.c-scan.json  | jq -r '.files[] | select(.path|test("libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c"))' 
{
  "path": "libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c",
  "type": "file",
  "name": "menuitem.c",
  "base_name": "menuitem",
  "extension": ".c",
  "size": 10078,
  "date": "2016-02-27",
  "sha1": "121ded4ec9133d765aa252f1ba751b20a95149e0",
  "md5": "16773326b5f0b52abf39773eb8ebd380",
  "sha256": "e0198d42f5293270c5a4f5cf729ac362feb6ef2669a5d92e955d15776cfff7f8",
  "mime_type": "text/x-c",
  "file_type": "C source, ASCII text",
  "programming_language": "C",
  "is_binary": false,
  "is_text": true,
  "is_archive": false,
  "is_media": false,
  "is_source": true,
  "is_script": false,
  "licenses": [
    {
      "key": "lgpl-2.0",
      "score": 91.8,
      "name": "GNU Library General Public License 2.0",
      "short_name": "LGPL 2.0",
      "category": "Copyleft Limited",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html",
      "text_url": "http://www.gnu.org/licenses/lgpl-2.0.html",
      "reference_url": "https://scancode-licensedb.aboutcode.org/lgpl-2.0",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.0.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.0.yml",
      "spdx_license_key": "LGPL-2.0-only",
      "spdx_url": "https://spdx.org/licenses/LGPL-2.0-only",
      "start_line": 10,
      "end_line": 21,
      "matched_rule": {
        "identifier": "lgpl-2.0_30.RULE",
        "license_expression": "lgpl-2.0",
        "licenses": [
          "lgpl-2.0"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 61,
        "matched_length": 56,
        "match_coverage": 91.8,
        "rule_relevance": 100
      },
      "matched_text": "This program is free software: you can redistribute it and/or modify it \nunder the terms of [either] [or] [both] [of] [the] [following] [licenses]:\n\n[1]) the GNU Lesser General Public License [version] [3], as published by the \nFree Software Foundation; [and]/[or]\n[2]) [the] [GNU] [Lesser] [General] [Public] [License] [version] [2].[1], [as] [published] [by] \n[the] [Free] [Software] [Foundation].\n\nThis program is distributed in the hope that it [will] be useful, but \nWITHOUT ANY WARRANTY; without even the implied [warranties] of \nMERCHANTABILITY, [SATISFACTORY] [QUALITY] or FITNESS FOR A PARTICULAR \nPURPOSE."
    },
    {
      "key": "lgpl-2.1",
      "score": 48.48,
      "name": "GNU Lesser General Public License 2.1",
      "short_name": "LGPL 2.1",
      "category": "Copyleft Limited",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/lgpl-2.1.html",
      "text_url": "http://www.gnu.org/licenses/lgpl-2.1.txt",
      "reference_url": "https://scancode-licensedb.aboutcode.org/lgpl-2.1",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.1.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.1.yml",
      "spdx_license_key": "LGPL-2.1-only",
      "spdx_url": "https://spdx.org/licenses/LGPL-2.1-only",
      "start_line": 15,
      "end_line": 16,
      "matched_rule": {
        "identifier": "lgpl-2.1_22.RULE",
        "license_expression": "lgpl-2.1",
        "licenses": [
          "lgpl-2.1"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 33,
        "matched_length": 16,
        "match_coverage": 48.48,
        "rule_relevance": 100
      },
      "matched_text": "the GNU Lesser General Public License version 2.1, as published by \nthe Free Software Foundation."
    },
    {
      "key": "gpl-2.0",
      "score": 51.7,
      "name": "GNU General Public License 2.0",
      "short_name": "GPL 2.0",
      "category": "Copyleft",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/gpl-2.0.html",
      "text_url": "http://www.gnu.org/licenses/gpl-2.0.txt",
      "reference_url": "https://scancode-licensedb.aboutcode.org/gpl-2.0",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/gpl-2.0.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/gpl-2.0.yml",
      "spdx_license_key": "GPL-2.0-only",
      "spdx_url": "https://spdx.org/licenses/GPL-2.0-only",
      "start_line": 18,
      "end_line": 25,
      "matched_rule": {
        "identifier": "gpl-2.0_953.RULE",
        "license_expression": "gpl-2.0",
        "licenses": [
          "gpl-2.0"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 90,
        "matched_length": 47,
        "match_coverage": 52.22,
        "rule_relevance": 99
      },
      "matched_text": "This program is distributed in the hope that it will be useful, but \nWITHOUT ANY WARRANTY; without even the implied [warranties] of \nMERCHANTABILITY, [SATISFACTORY] [QUALITY] or FITNESS FOR A PARTICULAR \nPURPOSE.  See the [applicable] [version] [of] [the] GNU [Lesser] General Public \nLicense for more details.\n\nYou should have received a copy of [both] the GNU [Lesser] General Public \nLicense"
    },
    {
      "key": "lgpl-2.1",
      "score": 21.21,
      "name": "GNU Lesser General Public License 2.1",
      "short_name": "LGPL 2.1",
      "category": "Copyleft Limited",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/lgpl-2.1.html",
      "text_url": "http://www.gnu.org/licenses/lgpl-2.1.txt",
      "reference_url": "https://scancode-licensedb.aboutcode.org/lgpl-2.1",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.1.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.1.yml",
      "spdx_license_key": "LGPL-2.1-only",
      "spdx_url": "https://spdx.org/licenses/LGPL-2.1-only",
      "start_line": 21,
      "end_line": 22,
      "matched_rule": {
        "identifier": "lgpl-2.1_22.RULE",
        "license_expression": "lgpl-2.1",
        "licenses": [
          "lgpl-2.1"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 33,
        "matched_length": 7,
        "match_coverage": 21.21,
        "rule_relevance": 100
      },
      "matched_text": "of the GNU Lesser General Public \nLicense"
    },
    {
      "key": "lgpl-3.0",
      "score": 100,
      "name": "GNU Lesser General Public License 3.0",
      "short_name": "LGPL 3.0",
      "category": "Copyleft Limited",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/lgpl-3.0.html",
      "text_url": "http://www.gnu.org/licenses/lgpl-3.0-standalone.html",
      "reference_url": "https://scancode-licensedb.aboutcode.org/lgpl-3.0",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-3.0.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-3.0.yml",
      "spdx_license_key": "LGPL-3.0-only",
      "spdx_url": "https://spdx.org/licenses/LGPL-3.0-only",
      "start_line": 24,
      "end_line": 25,
      "matched_rule": {
        "identifier": "lgpl-3.0_51.RULE",
        "license_expression": "lgpl-3.0",
        "licenses": [
          "lgpl-3.0"
        ],
        "is_license_text": false,
        "is_license_notice": false,
        "is_license_reference": true,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "2-aho",
        "rule_length": 7,
        "matched_length": 7,
        "match_coverage": 100,
        "rule_relevance": 100
      },
      "matched_text": "GNU Lesser General Public \nLicense version 3"
    },
    {
      "key": "gpl-3.0-plus",
      "score": 26.32,
      "name": "GNU General Public License 3.0 or later",
      "short_name": "GPL 3.0 or later",
      "category": "Copyleft",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/gpl-3.0-standalone.html",
      "text_url": "http://www.gnu.org/licenses/gpl-3.0-standalone.html",
      "reference_url": "https://scancode-licensedb.aboutcode.org/gpl-3.0-plus",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/gpl-3.0-plus.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/gpl-3.0-plus.yml",
      "spdx_license_key": "GPL-3.0-or-later",
      "spdx_url": "https://spdx.org/licenses/GPL-3.0-or-later",
      "start_line": 24,
      "end_line": 26,
      "matched_rule": {
        "identifier": "gpl-3.0-plus_187.RULE",
        "license_expression": "gpl-3.0-plus",
        "licenses": [
          "gpl-3.0-plus"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 38,
        "matched_length": 10,
        "match_coverage": 26.32,
        "rule_relevance": 100
      },
      "matched_text": "General Public \nLicense version 3 [and] [version] [2].[1] [along] [with] [this] [program].  [If] [not], see \n<http://www.gnu.org/"
    }
  ],
  "license_expressions": [
    "lgpl-2.0",
    "lgpl-2.1",
    "gpl-2.0",
    "lgpl-2.1",
    "lgpl-3.0",
    "gpl-3.0-plus"
  ],
  "percentage_of_license_text": 7.51,
  "copyrights": [
    {
      "value": "Copyright 2009 Canonical Ltd.",
      "start_line": 5,
      "end_line": 5
    }
  ],
  "holders": [
    {
      "value": "Canonical Ltd.",
      "start_line": 5,
      "end_line": 5
    }
  ],
  "authors": [
    {
      "value": "Ted Gould <ted@canonical.com>",
      "start_line": 7,
      "end_line": 8
    }
  ],
  "packages": [],
  "emails": [
    {
      "email": "ted@canonical.com",
      "start_line": 8,
      "end_line": 8
    }
  ],
  "is_legal": false,
  "is_manifest": false,
  "is_readme": false,
  "is_top_level": true,
  "is_key_file": false,
  "summary": {
    "license_expressions": [
      {
        "value": "lgpl-2.1",
        "count": 2
      },
      {
        "value": "gpl-2.0",
        "count": 1
      },
      {
        "value": "gpl-3.0-plus",
        "count": 1
      },
      {
        "value": "lgpl-2.0",
        "count": 1
      },
      {
        "value": "lgpl-3.0",
        "count": 1
      }
    ],
    "copyrights": [
      {
        "value": "Copyright Canonical Ltd.",
        "count": 1
      }
    ],
    "holders": [
      {
        "value": "Canonical Ltd.",
        "count": 1
      }
    ],
    "authors": [
      {
        "value": "Ted Gould <ted@canonical.com>",
        "count": 1
      }
    ],
    "programming_language": [
      {
        "value": "C",
        "count": 1
      }
    ]
  },
  "files_count": 0,
  "dirs_count": 0,
  "size_count": 0,
  "scan_errors": []
}
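A triage helper, added here and not part of the issue or of ScanCode itself, that reads ScanCode's JSON output and flags partial matches whose license category is stricter than the file's best-covered match, which is exactly the shape of the false positive in the report above (gpl-2.0 at 52% coverage and gpl-3.0-plus at 26% next to a 100% lgpl-3.0 match). The sample report is a constructed excerpt of the JSON in the issue; the category ranking, the coverage threshold and the function name are assumptions of this example.

```python
"""Flag partial ScanCode license matches that escalate copyleft strength.

Each file entry in ScanCode JSON has a ``licenses`` list; every match carries
``key``, ``score``, ``category`` and ``matched_rule.match_coverage``.
"""
import json

# Constructed excerpt of the report in the issue (keys, categories and
# coverage values as ScanCode reported them; other fields dropped).
SAMPLE_SCAN = json.dumps({"files": [{
    "path": "libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c",
    "licenses": [
        {"key": "lgpl-2.0", "score": 91.8, "category": "Copyleft Limited",
         "matched_rule": {"match_coverage": 91.8, "matcher": "3-seq"}},
        {"key": "lgpl-2.1", "score": 48.48, "category": "Copyleft Limited",
         "matched_rule": {"match_coverage": 48.48, "matcher": "3-seq"}},
        {"key": "gpl-2.0", "score": 51.7, "category": "Copyleft",
         "matched_rule": {"match_coverage": 52.22, "matcher": "3-seq"}},
        {"key": "lgpl-3.0", "score": 100, "category": "Copyleft Limited",
         "matched_rule": {"match_coverage": 100, "matcher": "2-aho"}},
        {"key": "gpl-3.0-plus", "score": 26.32, "category": "Copyleft",
         "matched_rule": {"match_coverage": 26.32, "matcher": "3-seq"}},
    ]}]})

# Assumed ordering of ScanCode categories, least to most restrictive.
# ScanCode only labels matches; this ranking is this example's own.
STRICTNESS = {"Permissive": 0, "Copyleft Limited": 1, "Copyleft": 2}


def suspicious_matches(scan_json, min_coverage=60.0):
    """Return (path, key, coverage) for matches that are both partial
    (coverage below min_coverage) and stricter than the best-covered
    match in the same file; those deserve a manual look before the
    file's license expression is trusted."""
    flagged = []
    for entry in json.loads(scan_json).get("files", []):
        matches = entry.get("licenses", [])
        if not matches:
            continue
        best = max(matches, key=lambda m: m["matched_rule"]["match_coverage"])
        baseline = STRICTNESS.get(best["category"], 0)
        for m in matches:
            cov = m["matched_rule"]["match_coverage"]
            if cov < min_coverage and STRICTNESS.get(m["category"], 0) > baseline:
                flagged.append((entry["path"], m["key"], cov))
    return flagged


if __name__ == "__main__":
    for path, key, cov in suspicious_matches(SAMPLE_SCAN):
        print(f"{path}: {key} matched at {cov}% coverage, review before trusting")
```

Run it against a real scan with `suspicious_matches(open("scan.json").read())`; a file whose only low-coverage hits share the category of its strongest match produces no output.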

pombredanne commented 3 years ago

@hesa Hey :wave: Thank you ++ for this detailed report!

pombredanne commented 3 years ago

I ran a test on the whole https://launchpad.net/libdbusmenu/16.04/16.04.0/+download/libdbusmenu-16.04.0.tar.gz and the latest code and this is detected correctly. It looks like this was fixed with https://github.com/nexB/scancode-toolkit/pull/2505 ... merged in April and available in these releases v21.8.4, v21.7.30 and v21.6.7. You should try to update to the latest scancode.

hesa commented 3 years ago

Will do. I'll update the docker image and report back.

many thanks

hesa commented 3 years ago

@pombredanne .... thanks for the super fast response. I can confirm this is indeed fixed in the 21.8.4 release. Sorry to bug you - I should have checked the latest release before reporting.

You're awesome and thanks for all your hard work on Scancode

/h

Added the new 21.8.4 release of scancode to: https://github.com/vinland-technology/compliance-tool-collection/releases/tag/0.5.2

hesa commented 3 years ago

... this issue can be closed.