Closed tsteenbe closed 4 years ago
Maybe we'd want something simpler, something like "scanner curations" to remove false positives from the list of detected licenses instead of actually specifying the valid licenses.
Was this solved meanwhile by
No, this field was there before this issue was created and is only used for resolving errors, but is unrelated to license findings.
This is implemented for license findings in the project's source code in: https://github.com/heremaps/oss-review-toolkit/pull/1846
The missing part is implementing support for using LicenseFindingCurations for external dependencies.
License finding curations and path excludes are now also supported for packages (dependencies) in addition to projects via package configurations. The implementation is spread across several PRs; for starting points see e.g. #2503 and #2528.
Note: The WebApp still lacks support for path excludes on finding granularity level which is planned to be added soon.
Closing the ticket, as false-positive scanner matches can now either be (1) excluded if applicable or (2) curated on finding granularity level or broader.
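To make the two mechanisms named in the closing comment concrete, here is an added example that is not part of the thread or of the ORT repository: a project-level `.ort.yml` and a package configuration that each apply a path exclude and a license finding curation. The paths, package id and artifact URL are made up; the field names follow ORT's documented repository and package configuration formats and should be checked against the ORT version in use.

```yaml
# Added example, not from the thread or from ORT itself. Field names follow
# ORT's documented .ort.yml and package-configuration formats; verify them
# against the docs for the ORT version you run. All paths, ids and URLs below
# are hypothetical.
#
# 1) Project-level repository configuration (.ort.yml at the repo root).
#    A path exclude removes a whole directory from the relevant findings;
#    a license finding curation fixes one scanner false positive at
#    finding granularity without touching the scan result itself.
excludes:
  paths:
  - pattern: "third_party/jsoncpp/test/**"   # hypothetical path
    reason: "TEST_OF"
    comment: "Test data shipped with the vendored jsoncpp copy; not part of the product."

curations:
  license_findings:
  - path: "third_party/jsoncpp/json.h"       # hypothetical path; globs are allowed
    start_lines: "3"                          # line(s) the scanner flagged
    line_count: 11
    detected_license: "GPL-2.0-only"          # what the scanner reported
    reason: "INCORRECT"
    comment: "The header quotes the GPL only to state that this file is NOT under it."
    concluded_license: "MIT"                  # what the file is actually licensed under
---
# 2) Package configuration for a dependency (one file per package, kept in
#    the package configuration directory that ORT is pointed at). The same
#    two mechanisms, scoped to the package's source artifact.
id: "Maven:com.example:widget:1.2.3"          # hypothetical package id
source_artifact_url: "https://repo.example.com/widget-1.2.3-sources.jar"  # hypothetical
path_excludes:
- pattern: "docs/**"
  reason: "DOCUMENTATION_OF"
  comment: "Documentation sources; not compiled into the library."
license_finding_curations:
- path: "src/main/java/com/example/License.java"
  start_lines: "1"
  line_count: 1
  detected_license: "BSD-3-Clause"
  reason: "CODE"
  comment: "Scanner keyed on the class name 'License'; the file is Apache-2.0 like the rest of the package."
  concluded_license: "Apache-2.0"
```

The two YAML documents are separated by `---` only for presentation here; in practice the first goes into the project's `.ort.yml` and the second into its own package configuration file. Curations are preferable to excludes when the file is shipped and merely mis-detected, since an exclude also drops any correct findings in the matched paths.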
Whatever license scanner you use, there will also be false positives, which I would subdivide into:
We should offer ORT users a way to resolve these scanner false positives. Proposal: add a mechanism to ORT that understands the specification below in .ort.yml or the global configuration, then ignores the license in the Evaluator and displays in the reports a comment on why this is a false-positive license match.
https://github.com/google/qrisp/blob/master/google/protobuf/conformance/third_party/jsoncpp/json.h
https://github.com/google/qrisp/blob/master/google/protobuf/conformance/third_party/jsoncpp/jsoncpp.cpp