aboutcode-org / scancode-toolkit

:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!

False positive detection of proprietary-license from proprietary-license_276.RULE #3355

Open DennisClark opened 1 year ago

DennisClark commented 1 year ago

Recent scans of pdfbox-2.0.24-sources.jar and pdfbox-2.0.24.jar returned a detection of proprietary-license from the files DecodeOptions.java and DecodeOptions$FinalDecodeOptions.class on the string "may not be modified", which triggered proprietary-license_276.RULE.

That detection is much too aggressive, because in the context of the code it was simply the generation of an error message (possibly when someone/something is trying to change a PDF). Here is one case in the code:

```java
throw new UnsupportedOperationException("This instance may not be modified.");
```

I am not exactly sure what the approach should be to address this, but I think it generally means that finding "may not be modified" probably indicates proprietary licensing only in the context of a notice file or code comments, and it should not be triggered when that text appears in actual code.
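As an added illustration of the heuristic proposed in the comment above (this is example code written for this page, not ScanCode's rule engine and not anything from the pdfbox sources): a small Python scanner that finds the phrase in Java source, reports whether each hit sits inside a comment, a string literal or other code, and keeps only the comment hits as license candidates. The Java text is constructed for the example; DecodeOptions is borrowed only as a class name, and the function names are hypothetical.

```python
import re

# Constructed sample: the phrase appears twice in comments (lines 2 and 7)
# and twice in string literals (lines 8 and 11). Line 8 also contains an
# escaped quote inside the literal to exercise the escape handling.
SAMPLE_JAVA = '''\
/*
 * Sample header comment: this notice may not be modified.
 */
package org.example;

public final class DecodeOptions {
    // a line comment: the file may not be modified either
    private static final String MSG = "escaped \\" quote: may not be modified";

    public void set() {
        throw new UnsupportedOperationException("This instance may not be modified.");
    }
}
'''

PHRASE_RE = re.compile(r"may\s+not\s+be\s+modified", re.IGNORECASE)


def scan_regions(src: str):
    """Split Java source into contiguous (kind, start, end) spans.

    kind is 'comment' (block or line comment), 'string' (string or char
    literal, honouring backslash escapes) or 'code' (everything else).
    Assumption: Java 15 text blocks (triple quotes) are not handled.
    """
    regions = []
    i, n, start = 0, len(src), 0
    while i < n:
        two = src[i:i + 2]
        if two == "/*":
            if i > start:
                regions.append(("code", start, i))
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            regions.append(("comment", i, end))
            i = start = end
        elif two == "//":
            if i > start:
                regions.append(("code", start, i))
            end = src.find("\n", i)
            end = n if end == -1 else end
            regions.append(("comment", i, end))
            i = start = end
        elif src[i] in "\"'":
            if i > start:
                regions.append(("code", start, i))
            quote = src[i]
            j = i + 1
            while j < n and src[j] != quote:
                j += 2 if src[j] == "\\" else 1  # skip escaped characters
            end = min(j + 1, n)
            regions.append(("string", i, end))
            i = start = end
        else:
            i += 1
    if n > start:
        regions.append(("code", start, n))
    return regions


def classify_matches(src: str, pattern=PHRASE_RE):
    """Return every phrase hit with its 1-based line and the lexical context it lies in."""
    regions = scan_regions(src)
    hits = []
    for m in pattern.finditer(src):
        kind = next(k for k, s, e in regions if s <= m.start() < e)
        line = src.count("\n", 0, m.start()) + 1
        hits.append({"line": line, "context": kind, "text": m.group(0)})
    return hits


def license_candidates(src: str, pattern=PHRASE_RE):
    """Keep only hits inside comments: a phrase inside a string literal is
    runtime message text, not a license notice (the heuristic from the issue)."""
    return [h for h in classify_matches(src, pattern) if h["context"] == "comment"]


if __name__ == "__main__":
    for hit in classify_matches(SAMPLE_JAVA):
        print(f"line {hit['line']:2d}  {hit['context']:8s}  {hit['text']}")
    print("license candidates:", [h["line"] for h in license_candidates(SAMPLE_JAVA)])
```

Two caveats for anyone turning this into a real filter: a compiled .class file such as DecodeOptions$FinalDecodeOptions.class carries no comments at all (javac strips them), so any phrase found there necessarily comes from a string constant and would be dropped by this heuristic; and the context check only makes sense for files whose language the scanner can lex, so a plain NOTICE or LICENSE file would have to be treated as all-comment rather than all-code.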

DennisClark commented 1 year ago

You can find the scanned code here https://mvnrepository.com/artifact/org.apache.pdfbox/pdfbox/2.0.24