aboutcode-org / scancode-toolkit

:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
https://aboutcode.org/scancode/

False positive `gpl-1.0-plus` license reported for `node-forge` #3722

Open lumaxis opened 7 months ago

lumaxis commented 7 months ago

Description

When running the current version of scancode-toolkit on https://www.npmjs.com/package/node-forge, it will report a declared license expression in the summary of `(bsd-new AND gpl-2.0 AND gpl-1.0-plus) AND (bsd-new AND gpl-2.0)`. The inclusion of `gpl-1.0-plus` here is wrong.

I believe this is due to lax text matching in the `gpl-1.0-plus_351.RULE`. The LICENSE file of node-forge includes a preamble by the package author explaining the licenses:

... If the GPL suits your project better you are also free to use Forge under that license. …

From the ScanCode result, it appears that it's simply matching on "the GPL" in the above sentence which triggers this license detection:

```json
{
  "score": 85,
  "start_line": 8,
  "end_line": 8,
  "matched_length": 2,
  "match_coverage": 100,
  "matcher": "2-aho",
  "license_expression": "gpl-1.0-plus",
  "rule_identifier": "gpl-1.0-plus_351.RULE",
  "rule_relevance": 85,
  "rule_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/rules/gpl-1.0-plus_351.RULE",
  "matched_text": "the GPL"
}
```

Perhaps the required matched text needs to be expanded?
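
A triage helper for exactly this kind of report, added here as an example and not part of scancode-toolkit: it walks the `license_detections` / `matches` layout of a ScanCode JSON scan and lists license keys whose only support is a match of a few tokens, such as the two-token `the GPL` hit above. The sample scan is constructed for the example; the `gpl-1.0-plus` match is the one quoted in this issue, while the file path, the `bsd-new` and `gpl-2.0` rule identifiers and their line ranges are placeholders. The field names follow the match shown above; the surrounding per-file layout is an assumption about ScanCode's output.

```python
"""Flag ScanCode license keys that rest only on very short rule matches.

Example code written for this issue, not scancode-toolkit's own code.
"""
import json
from collections import defaultdict

# Constructed sample in ScanCode's JSON layout (assumed: files ->
# license_detections -> matches). The gpl-1.0-plus match is the one
# reported in this issue; everything marked PLACEHOLDER is made up.
SAMPLE_SCAN = json.dumps({
    "files": [{
        "path": "PLACEHOLDER/node-forge/LICENSE",
        "license_detections": [{
            "license_expression": "bsd-new AND gpl-2.0 AND gpl-1.0-plus",
            "matches": [
                {"score": 100, "start_line": 12, "end_line": 38,
                 "matched_length": 220, "match_coverage": 100,
                 "matcher": "2-aho", "license_expression": "bsd-new",
                 "rule_identifier": "PLACEHOLDER_bsd-new.RULE",
                 "matched_text": "(BSD text elided in this sample)"},
                {"score": 100, "start_line": 40, "end_line": 300,
                 "matched_length": 2800, "match_coverage": 100,
                 "matcher": "2-aho", "license_expression": "gpl-2.0",
                 "rule_identifier": "PLACEHOLDER_gpl-2.0.RULE",
                 "matched_text": "(GPL text elided in this sample)"},
                {"score": 85, "start_line": 8, "end_line": 8,
                 "matched_length": 2, "match_coverage": 100,
                 "matcher": "2-aho", "license_expression": "gpl-1.0-plus",
                 "rule_identifier": "gpl-1.0-plus_351.RULE",
                 "matched_text": "the GPL"},
            ],
        }],
    }],
})

OPERATORS = {"AND", "OR", "WITH"}


def split_expression_keys(expression):
    """Return the bare license keys in a ScanCode license expression."""
    flat = expression.replace("(", " ").replace(")", " ")
    return {tok for tok in flat.split() if tok.upper() not in OPERATORS}


def iter_matches(scan):
    """Yield (path, match) for every license match in a parsed scan."""
    for entry in scan.get("files", []):
        for detection in entry.get("license_detections", []):
            for match in detection.get("matches", []):
                yield entry.get("path"), match


def weakly_supported_licenses(scan_json, max_tokens=3):
    """Return (weak_keys, short_hits).

    weak_keys: license keys whose longest supporting match is at most
    max_tokens tokens long, i.e. keys that no longer text backs up.
    short_hits: every match of at most max_tokens tokens, for review.
    """
    scan = json.loads(scan_json)
    longest = defaultdict(int)  # license key -> longest matched_length
    short_hits = []
    for path, match in iter_matches(scan):
        length = match.get("matched_length", 0)
        for key in split_expression_keys(match["license_expression"]):
            longest[key] = max(longest[key], length)
        if length <= max_tokens:
            short_hits.append({
                "path": path,
                "line": match.get("start_line"),
                "rule": match.get("rule_identifier"),
                "matched_text": match.get("matched_text"),
                "score": match.get("score"),
            })
    weak_keys = sorted(k for k, n in longest.items() if n <= max_tokens)
    return weak_keys, short_hits


if __name__ == "__main__":
    weak, hits = weakly_supported_licenses(SAMPLE_SCAN)
    print("license keys supported only by short matches:", weak)
    for hit in hits:
        print(f"  {hit['path']}:{hit['line']} {hit['rule']} "
              f"score={hit['score']} text={hit['matched_text']!r}")
```

Run against a real scan with `python triage.py < scan.json` after swapping `SAMPLE_SCAN` for `sys.stdin.read()`; a key that shows up in `weak_keys` is a candidate for a rule whose required text is too short, which is the fix this issue asks for.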

pombredanne commented 7 months ago

Thanks for the report!

pombredanne commented 7 months ago

There are a few more issues in https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz: