opencontainers / go-digest

Common digest package used across the container ecosystem
https://www.opencontainers.org/

LICENSE and LICENSE.doc causes go-license-detector to see only evidence of CC-BY-SA-4.0 #68

Open thediveo opened 3 years ago

thediveo commented 3 years ago

When scanning Go module dependencies to create BOMs with tools like cyclonedx-gomod, the setup of this repository/Go module with both LICENSE and LICENSE.doc causes the go-license-detector to see only evidence of CC-BY-SA-4.0. go-license-detector does not detect the presence of the Apache-2.0 license in LICENSE, or this evidence gets thrown under the bus in the process of creating the BOM by tools using go-license-detector.

Would it be possible to clean up the LICENSE and LICENSE.doc files with preferably only a single LICENSE file that tools like go-license-detector can correctly handle?

vbatts commented 3 years ago

Interesting. It is a common pattern for projects that carry multiple licenses for all their components. Even if we fix it for this project, that is a bug in the scanner and should be fixed there.

thediveo commented 3 years ago

What I've seen so far in other projects are declarations like (BSD-3-Clause OR GPL-2.0) or (MIT AND BSD-3-Clause) in their single license. For instance, https://github.com/crypto-browserify/sha.js/blob/master/LICENSE contains both licenses in a single LICENSE file; here, go-license-detector identifies the LICENSE contents as "(MIT AND BSD-3-Clause)".

caniszczyk commented 3 years ago

Putting things in a single license file breaks the auto detection in GitHub as far as I can tell: https://github.com/crypto-browserify/sha.js


-- Cheers,

Chris Aniszczyk https://aniszczyk.org

thediveo commented 3 years ago

Ah, good to know!

thediveo commented 3 years ago

A look into go-license-detector reveals that it scans (among others) files named "license" with certain extensions, but not .doc. So I'm closing this issue and filing an issue with the detector project. Thank you for your help!
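Added example, not part of the thread and not code from go-digest or go-license-detector: a pre-scan check an SBOM pipeline could run to flag license files that a scanner would skip because of their extension, which is the failure mode described in the comment above. The function name `AuditLicenseFiles` and the `recognizedExt` allow-list are assumptions made for illustration; the list is not the detector's actual one.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// recognizedExt is an ASSUMED allow-list for illustration only; it is not
// go-license-detector's real list. Replace it with your scanner's list.
var recognizedExt = map[string]bool{"": true, ".txt": true, ".md": true}

// AuditLicenseFiles (hypothetical helper) splits file names whose stem is
// "license" (any case) into those a scanner with the given extension
// allow-list would read and those it would silently skip.
// Files with any other stem are ignored.
func AuditLicenseFiles(names []string, allowed map[string]bool) (scanned, skipped []string) {
	for _, n := range names {
		base := filepath.Base(n)
		rawExt := filepath.Ext(base)
		stem := strings.ToLower(strings.TrimSuffix(base, rawExt))
		if stem != "license" {
			continue
		}
		if allowed[strings.ToLower(rawExt)] {
			scanned = append(scanned, n)
		} else {
			skipped = append(skipped, n)
		}
	}
	sort.Strings(scanned)
	sort.Strings(skipped)
	return scanned, skipped
}

func main() {
	// Constructed listing modelled on the two-file layout in this issue.
	files := []string{"LICENSE", "LICENSE.doc", "README.md", "digest.go"}
	scanned, skipped := AuditLicenseFiles(files, recognizedExt)
	fmt.Println("scanned:", scanned)
	for _, f := range skipped {
		// A skipped license file means the BOM may under-report licenses.
		fmt.Printf("WARNING: %s is a license file the scanner will not read\n", f)
	}
}
```

A non-empty skipped list is a signal to review the generated BOM's license field by hand before publishing it.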

thediveo commented 3 years ago

Is there a reason for using a .docs extension instead of .doc?