aboutcode-org / scancode-toolkit

ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
https://github.com/aboutcode-org/scancode-toolkit/releases/

Nuget issue/question Reported on Gitter channel #2989

Open pombredanne opened 2 years ago

pombredanne commented 2 years ago

Hi guys, I'm looking for a tool that can scan licences and ScanCode looks good for this task, but I faced one challenge. In my codebase, for instance, there is a Dapper library - https://www.nuget.org/packages/Dapper/ with the Apache 2.0 licence, but ScanCode didn't recognize this licence. I'm wondering if ScanCode supports Nuget packages, because the scan report contains "No Value Detected - 741" and only 2 MIT libraries. Is there any special configuration for Nuget packages?

pombredanne commented 2 years ago

I ran this using the latest beta version of scancode (actually I use the head of the develop branch... but this should be essentially the same):

wget -O dapper.2.0.123.nupkg https://www.nuget.org/api/v2/package/Dapper/2.0.123
extractcode dapper.2.0.123.nupkg
scancode --yaml dapper.yml.txt --json dapper.json.txt  --license --license-text --licenses-reference --package --classify --summary --info --copyright --processes 5 dapper.2.0.123.nupkg-extract/

And I have attached the results (in YAML and JSON) dapper.json.txt dapper.yml.txt

The important parts are towards the top:

packages:
    -   type: nuget
        namespace:
        name: Dapper
        version: 2.0.123
        qualifiers: {}
        subpath:
        primary_language:
        description: A high performance Micro-ORM supporting SQL Server, MySQL, Sqlite, SqlCE,
            Firebird etc..
        release_date:
        parties:
            -   type:
                role: author
                name: Sam Saffron,Marc Gravell,Nick Craver
                email:
                url:
            -   type:
                role: owner
                name: Sam Saffron,Marc Gravell,Nick Craver
                email:
                url:
        keywords: []
        homepage_url: https://github.com/DapperLib/Dapper
        download_url:
        size:
        sha1:
        md5:
        sha256:
        sha512:
        bug_tracking_url:
        code_view_url:
        vcs_url: git+https://github.com/DapperLib/Dapper
        copyright: 2019 Stack Exchange, Inc.
        license_expression: apache-2.0
        declared_license: https://licenses.nuget.org/Apache-2.0
        notice_text:
        source_packages: []
        extra_data: {}
        repository_homepage_url: https://www.nuget.org/packages/Dapper/2.0.123
        repository_download_url: https://www.nuget.org/api/v2/package/Dapper/2.0.123
        api_data_url: https://api.nuget.org/v3/registration3/dapper/2.0.123.json
        package_uid: pkg:nuget/Dapper@2.0.123?uuid=815c04fc-0d54-4ba0-87ef-458ab0391d7d
        datafile_paths:
            - dapper.2.0.123.nupkg-extract/Dapper.nuspec
        datasource_ids:
            - nuget_nupsec
        purl: pkg:nuget/Dapper@2.0.123
summary:
    declared_license_expression: apache-2.0
    license_clarity_score:
        score: 80
        declared_license: yes
        identification_precision: yes
        has_license_text: no
        declared_copyrights: no
        conflicting_license_categories: no
        ambiguous_compound_licensing: no
    declared_holder: Sam Saffron,Marc Gravell,Nick Craver
    primary_language: Java Server Page
    other_license_expressions: []
    other_holders:
        -   value:
            count: 11
        -   value: VeriSign, Inc.
            count: 3
    other_languages: []

Some issues along the way:

pombredanne commented 2 years ago

@adrtarnowski FYI ^
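
The scan output above lists Dapper.nuspec as the datafile behind the package-level `declared_license` and `purl`. As an added example (not ScanCode's code and not from this thread), the sketch below reads those same fields straight from a `.nupkg` archive; the function names are hypothetical and the sample package is constructed inline rather than downloaded.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # assumption: package is not hostile; else use defusedxml


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace, which varies by nuspec schema version


def read_nuspec(nupkg_bytes):
    """Return name, version, declared license and purl from a .nupkg archive."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        # Only the root-level manifest counts, not .nuspec files nested in folders.
        names = [n for n in zf.namelist() if "/" not in n and n.lower().endswith(".nuspec")]
        if len(names) != 1:
            raise ValueError(f"expected one root .nuspec, found {len(names)}")
        root = ET.fromstring(zf.read(names[0]))
    meta = next((e for e in root if _local(e.tag) == "metadata"), None)
    if meta is None:
        raise ValueError("nuspec has no <metadata> element")
    fields = {_local(e.tag): e for e in meta}
    def text(key):
        return (fields[key].text or "").strip() if key in fields else None
    lic = fields.get("license")
    return {
        "name": text("id"),
        "version": text("version"),
        # type="expression" carries an SPDX expression; type="file" carries a path.
        "license_type": lic.get("type") if lic is not None else None,
        "license": text("license"),
        "license_url": text("licenseUrl"),
        "purl": f"pkg:nuget/{text('id')}@{text('version')}",
    }


def build_sample_nupkg():
    """Constructed sample shaped like the Dapper package in the thread."""
    nuspec = (
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        "<metadata><id>Dapper</id><version>2.0.123</version>"
        '<license type="expression">Apache-2.0</license>'
        "<licenseUrl>https://licenses.nuget.org/Apache-2.0</licenseUrl>"
        "</metadata></package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Dapper.nuspec", nuspec)
        zf.writestr("lib/net461/Dapper.dll", b"constructed placeholder")
    return buf.getvalue()
```

Calling `read_nuspec(build_sample_nupkg())` returns the declared license from the manifest alone; the placeholder DLL contributes nothing, so a scan that sees only the binaries has no manifest to read the license from.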