Open sschuberth opened 2 years ago
@sschuberth what you are saying is that https://github.com/bytecodealliance/wasi/blob/9ec04a7d8ebb1bbb9e3291503425cee1ec38a560/LICENSE-Apache-2.0_WITH_LLVM-exception should be detected as an Apache-2.0 WITH LLVM-exception, which makes sense. As for always reporting an exception with a license, it does make sense in general, but the difficulty lies in the specifics. Some exceptions exist for several different licenses, and IMHO this is not a license matching issue, but rather something that should come as part of the new "detection" approach to combine license matches in higher-level detections. You can do this in ORT alright, but it may be better to do it in ScanCode unless you keep all the detection details in ORT, but last I checked details (like the matched text and scores and more) were not kept. If you do not have these details, there is a risk of reaching some conclusion without having all the data to support it (or not support it).
> Some exceptions exist for several different licenses

Correct. That's why in ORT we now have https://github.com/oss-review-toolkit/ort/blob/main/utils/spdx/src/main/resources/exception-mapping.yml.

> may be better to do it in ScanCode

Absolutely!

> last I checked details (like the matched text and scores and more) were not kept.

We do maintain the score as of https://github.com/oss-review-toolkit/ort/pull/5131.
:+1: Thanks!
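The combination step discussed above, as an added example that is not part of the original thread and is neither ScanCode nor ORT code: it folds a bare exception detection into a `WITH` expression only when exactly one eligible license was detected alongside it, and reports the exception as unresolved otherwise. The mapping table, the function name and the sample inputs are assumptions constructed for illustration; the table is not the contents of ORT's exception-mapping.yml.

```python
# Constructed mapping: SPDX exception id -> license ids it may modify.
# Assumption for illustration only, not copied from ORT or ScanCode.
EXCEPTION_TO_LICENSES = {
    "LLVM-exception": {"Apache-2.0"},
    "Classpath-exception-2.0": {"GPL-2.0-only", "GPL-2.0-or-later"},
}


def combine_detections(keys):
    """Fold bare exception ids detected in one file into 'LICENSE WITH EXCEPTION'.

    keys: SPDX ids as reported per match (licenses and exceptions mixed).
    Returns (expressions, unresolved): the resulting expressions in first-seen
    order, and the exceptions that could not be tied to exactly one license.
    """
    seen = list(dict.fromkeys(keys))  # de-duplicate, keep detection order
    exceptions = [k for k in seen if k in EXCEPTION_TO_LICENSES]
    licenses = [k for k in seen if k not in EXCEPTION_TO_LICENSES]

    attached = {}    # license id -> exception id
    unresolved = []  # exceptions with zero or several candidate licenses
    for exc in exceptions:
        candidates = [
            lic for lic in licenses
            if lic in EXCEPTION_TO_LICENSES[exc] and lic not in attached
        ]
        if len(candidates) == 1:
            attached[candidates[0]] = exc
        else:
            # A bare exception is not a valid SPDX expression; never guess.
            unresolved.append(exc)

    expressions = [
        f"{lic} WITH {attached[lic]}" if lic in attached else lic
        for lic in licenses
    ]
    return expressions, unresolved


if __name__ == "__main__":
    # Constructed inputs: the LLVM case from this issue, then an ambiguous one.
    print(combine_detections(["Apache-2.0", "LLVM-exception"]))
    print(combine_detections(
        ["GPL-2.0-only", "GPL-2.0-or-later", "Classpath-exception-2.0"]))
```

An exception that ends up in `unresolved` is the case where the matched text and score are needed to decide which license it belongs to.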
Description
ScanCode translates its own license key "llvm-exception" to spdx_license_key "LLVM-exception". However, as exceptions in SPDX expressions always have to come together with a license followed by the WITH keyword, and as the LLVM exception always applies to Apache-2.0 only (AFAIK), the spdx_license_key should be "Apache-2.0 WITH LLVM-exception" instead.
Edit: I just realized that the spdx_license_key is probably not supposed to contain full SPDX expressions for historic reasons, but instead the license_expressions should be used, which currently gets set to
There are two problems in here:
How To Reproduce
Download e.g. https://crates.io/api/v1/crates/wasi/0.10.2+wasi-snapshot-preview1/download and unpack the tarball. Scan it with
scancode --license --json-pp scancode.json .
which gives
System configuration