nexB / scancode-toolkit

:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
https://github.com/nexB/scancode-toolkit/releases/

CPL and EPL 2.0 instead of EPL 1.0 detected in Eclipse Hawkbit pom.xml #2552

Open hanna-modica opened 3 years ago

hanna-modica commented 3 years ago

Description

ScanCode reports a wrong license in the Eclipse Hawkbit pom.xml file, although it states Eclipse Public License v1.0.

Examples:

How To Reproduce

Scan https://github.com/eclipse/hawkbit with ScanCode

System configuration

The scan was done on Linux with the OSS Review Toolkit https://github.com/oss-review-toolkit/ort/ using ScanCode as the scanner.

pombredanne commented 3 years ago

Thanks. Another rule that could benefit from a more restrictive minimum coverage of ~90 (e.g. 90% of the words are required to match):

        {
          "key": "epl-1.0",
          "score": 40.0,
          "name": "Eclipse Public License 1.0",
          "short_name": "EPL 1.0",
          "category": "Copyleft Limited",
          "is_exception": false,
          "owner": "Eclipse Foundation",
          "homepage_url": "http://www.eclipse.org/legal/epl-v10.html",
          "text_url": "http://www.eclipse.org/legal/epl-v10.html",
          "reference_url": "https://scancode-licensedb.aboutcode.org/epl-1.0",
          "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/epl-1.0.LICENSE",
          "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/epl-1.0.yml",
          "spdx_license_key": "EPL-1.0",
          "spdx_url": "https://spdx.org/licenses/EPL-1.0",
          "start_line": 28,
          "end_line": 31,
          "matched_rule": {
            "identifier": "epl-1.0_or_lgpl-2.1-plus_4.RULE",
            "license_expression": "epl-1.0 OR lgpl-2.1-plus",
            "licenses": [
              "epl-1.0",
              "lgpl-2.1-plus"
            ],
            "is_license_text": false,
            "is_license_notice": false,
            "is_license_reference": false,
            "is_license_tag": true,
            "is_license_intro": false,
            "matcher": "3-seq",
            "rule_length": 50,
            "matched_length": 20,
            "match_coverage": 40.0,
            "rule_relevance": 100
          },
          "matched_text": "licenses>\n      <license>\n         <name>Eclipse Public License - [Version] 1.0</name>\n         <url>http://www.eclipse.org/org/documents/epl-v10.php</url>"
        },

Note though that when using the --package option, I get a correct detection (because it is aware of the POM data structure):

      "packages": [
        {
          "type": "maven",
          "namespace": "org.eclipse.hawkbit",
          "name": "hawkbit-parent",
          "version": "0.3.0-SNAPSHOT",
          "qualifiers": {},
          "subpath": null,
          "primary_language": "Java",
          "description": "hawkBit :: Parent",
          "release_date": null,
          "parties": [
            {
              "type": "person",
              "role": "developper",
              "name": null,
              "email": "kai.zimmermann@microsoft.com",
              "url": null
            },
            {
              "type": "person",
              "role": "developper",
              "name": null,
              "email": "Jeroen.Laverman@bosch.io",
              "url": null
            },
            {
              "type": "person",
              "role": "developper",
              "name": null,
              "email": null,
              "url": null
            },
            {
              "type": "person",
              "role": "developper",
              "name": null,
              "email": "Dominic.Schabel@bosch.io",
              "url": null
            },
            {
              "type": "person",
              "role": "developper",
              "name": null,
              "email": "Stefan.Behl@bosch.io",
              "url": null
            }
          ],
          "keywords": [],
          "homepage_url": null,
          "download_url": null,
          "size": null,
          "sha1": null,
          "md5": null,
          "sha256": null,
          "sha512": null,
          "bug_tracking_url": null,
          "code_view_url": "https://github.com/eclipse/hawkbit.git",
          "vcs_url": "git+https://github.com/eclipse/hawkbit.git",
          "copyright": null,
          "license_expression": "epl-1.0",
          "declared_license": [
            {
              "name": "Eclipse Public License - Version 1.0",
              "url": "http://www.eclipse.org/org/documents/epl-v10.php",
              "comments": null,
              "distribution": null
            }
          ],
          "notice_text": null,
          "root_path": null,
          "dependencies": [
            {
              "purl": "pkg:maven/com.vaadin/vaadin-bom",
              "requirement": "8.12.3",
              "scope": "import",
              "is_runtime": true,
              "is_optional": false,
              "is_resolved": false
            },
            {
              "purl": "pkg:maven/org.springframework.cloud/spring-cloud-dependencies",
              "requirement": "Hoxton.SR7",
              "scope": "import",
              "is_runtime": true,
              "is_optional": false,
              "is_resolved": false
            }
          ],
          "contains_source_code": null,
          "source_packages": [
            "pkg:maven/org.eclipse.hawkbit/hawkbit-parent@0.3.0-SNAPSHOT?classifier=sources"
          ],
          "extra_data": {},
          "purl": "pkg:maven/org.eclipse.hawkbit/hawkbit-parent@0.3.0-SNAPSHOT",
          "repository_homepage_url": "https://repo1.maven.org/maven2/org/eclipse/hawkbit/hawkbit-parent/0.3.0-SNAPSHOT/",
          "repository_download_url": "https://repo1.maven.org/maven2/org/eclipse/hawkbit/hawkbit-parent/0.3.0-SNAPSHOT/hawkbit-parent-0.3.0-SNAPSHOT.jar",
          "api_data_url": "https://repo1.maven.org/maven2/org/eclipse/hawkbit/hawkbit-parent/0.3.0-SNAPSHOT/hawkbit-parent-0.3.0-SNAPSHOT.pom"
        }
      ]
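As an added example (not ScanCode's own code), the following puts the two points from the comment above into working code: the proposed ~90% minimum coverage applied to the quoted `3-seq` match (20 of 50 rule tokens, i.e. 40%), and the POM `<license>` declaration that `--package` reads, used to override a text match that is too weak. The match dict, the POM snippet and the name-to-key table are constructed from the values quoted in the thread and stand in for ScanCode's real license data.

```python
# Added example (not ScanCode's code): apply a minimum match coverage to a
# partial text match and cross-check it against the POM's declared license.
import xml.etree.ElementTree as ET

# Constructed from the match quoted in the issue: 20 of 50 rule tokens matched.
MATCH = {"license_expression": "epl-1.0 OR lgpl-2.1-plus", "matcher": "3-seq",
         "rule_length": 50, "matched_length": 20}

# Constructed <licenses> block, taken from the matched_text shown above.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license>
    <name>Eclipse Public License - Version 1.0</name>
    <url>http://www.eclipse.org/org/documents/epl-v10.php</url>
  </license></licenses>
</project>"""

# Hand-made stand-in for ScanCode's license data; the keys are assumptions.
NAME_TO_KEY = {"eclipse public license - version 1.0": "epl-1.0",
               "eclipse public license - v 2.0": "epl-2.0"}


def coverage(match):
    """Percent of the rule's tokens actually matched (40.0 for MATCH)."""
    return 100.0 * match["matched_length"] / match["rule_length"]


def accept(match, min_coverage=90.0):
    """The stricter per-rule minimum coverage proposed in the thread.
    Only partial sequence matches ('3-seq') are subject to the threshold;
    exact-match matchers already cover the whole rule."""
    return match["matcher"] != "3-seq" or coverage(match) >= min_coverage


def declared_license_keys(pom_xml):
    """Read <licenses>/<license>/<name> the way --package does and map each
    name to a key; unknown names map to None rather than being guessed."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    return [NAME_TO_KEY.get(n.text.strip().lower())
            for n in root.findall(".//m:license/m:name", ns)]


def reconcile(match, pom_xml, min_coverage=90.0):
    """Prefer the structured declaration when the text match is too weak."""
    declared = [k for k in declared_license_keys(pom_xml) if k]
    if declared and not accept(match, min_coverage):
        return " AND ".join(declared)
    return match["license_expression"]
```

With the 90% threshold the 40%-coverage match is rejected and the POM's own declaration (`epl-1.0`) wins; lowering the threshold to the match's coverage keeps the original `epl-1.0 OR lgpl-2.1-plus` expression, which is the false detection reported in the issue.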