oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Add resolutions for false-positive scanner matches #1130

Closed tsteenbe closed 4 years ago

tsteenbe commented 5 years ago

Whatever license scanner you use, there will also be false positives, which I would subdivide into:

We should offer ORT users a way to resolve these scanner false positives. Proposal: add a mechanism to ORT that understands the below in `.ort.yml` or the global configuration specification, then ignores the license in the Evaluator and displays a comment on why this is a false-positive license match in the reports.

```yaml
- id: "Maven:com.google.protobuf:protobuf-java:*"
  matches:
    path: "conformance/third_party/jsoncpp/json.h"
    license: "GPL-1.0 OR GPL-2.0 OR GPL-3.0"
    reason: "FALSE_POSITIVE"
    comment: "Matches on ‘The MIT license is compatible with both the GPL and commercial software’"
```

https://github.com/google/qrisp/blob/master/google/protobuf/conformance/third_party/jsoncpp/json.h https://github.com/google/qrisp/blob/master/google/protobuf/conformance/third_party/jsoncpp/jsoncpp.cpp
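To make the proposed mechanism concrete, here is an added example (not ORT's code, and not the `LicenseFindingCuration` implementation referenced later in this thread) that models the resolution step: a curation names a package id with a glob for the version, a file path, the falsely detected license, a reason and a comment; scanner findings that match are removed from the effective license set, and the comment is kept so a report can explain why. The class and function names (`LicenseFinding`, `FindingCuration`, `apply_curations`, `effective_licenses`, `resolution_report`) and all sample findings, including the version number, are constructed for this example. The last two sample findings show the scoping a reviewer should expect: the same license string in a different file, or the same file in a different package, is not suppressed.

```python
"""Resolve false-positive license scanner matches against a list of curations.

Added example, not ORT's own code. Input data below is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class LicenseFinding:
    package_id: str
    path: str
    license: str


@dataclass(frozen=True)
class FindingCuration:
    package_id: str  # may contain a '*' glob, e.g. "Maven:com.google.protobuf:protobuf-java:*"
    path: str
    license: str
    reason: str
    comment: str

    def matches(self, finding: LicenseFinding) -> bool:
        # A curation only applies to the exact path and license it names,
        # so it cannot hide the same license detected somewhere else.
        return (fnmatchcase(finding.package_id, self.package_id)
                and finding.path == self.path
                and finding.license == self.license)


def apply_curations(findings, curations):
    """Split findings into (effective, resolved); resolved pairs each
    suppressed finding with the curation that explains it."""
    effective, resolved = [], []
    for finding in findings:
        hit = next((c for c in curations if c.matches(finding)), None)
        if hit is None:
            effective.append(finding)
        else:
            resolved.append((finding, hit))
    return effective, resolved


def effective_licenses(findings, curations):
    """Sorted set of licenses that remain after curation (what the Evaluator would see)."""
    effective, _ = apply_curations(findings, curations)
    return sorted({f.license for f in effective})


def resolution_report(findings, curations):
    """One human-readable line per suppressed finding (what a report would show)."""
    _, resolved = apply_curations(findings, curations)
    return [f"{f.package_id} {f.path}: '{f.license}' ignored ({c.reason}): {c.comment}"
            for f, c in resolved]


# Constructed curation mirroring the proposal in this issue.
CURATIONS = [
    FindingCuration(
        package_id="Maven:com.google.protobuf:protobuf-java:*",
        path="conformance/third_party/jsoncpp/json.h",
        license="GPL-1.0 OR GPL-2.0 OR GPL-3.0",
        reason="FALSE_POSITIVE",
        comment="Matches on 'The MIT license is compatible with both the GPL and commercial software'",
    ),
]

# Constructed scanner findings; the version number is a sample value.
FINDINGS = [
    LicenseFinding("Maven:com.google.protobuf:protobuf-java:3.11.4",
                   "conformance/third_party/jsoncpp/json.h", "MIT"),
    LicenseFinding("Maven:com.google.protobuf:protobuf-java:3.11.4",
                   "conformance/third_party/jsoncpp/json.h", "GPL-1.0 OR GPL-2.0 OR GPL-3.0"),
    # Same license string in another file: path-specific curation must not hide it.
    LicenseFinding("Maven:com.google.protobuf:protobuf-java:3.11.4",
                   "src/main/java/Foo.java", "GPL-1.0 OR GPL-2.0 OR GPL-3.0"),
    # Different package: the id glob does not match.
    LicenseFinding("Maven:org.example:other:1.0",
                   "conformance/third_party/jsoncpp/json.h", "GPL-1.0 OR GPL-2.0 OR GPL-3.0"),
]

if __name__ == "__main__":
    print(effective_licenses(FINDINGS, CURATIONS))
    for line in resolution_report(FINDINGS, CURATIONS):
        print(line)
```

Running it leaves two licenses effective (the GPL findings outside the curated path are kept) and produces a single report line for the suppressed `json.h` match, which is the behaviour the proposal asks for: the false positive disappears from evaluation but the reason stays visible.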

sschuberth commented 5 years ago

Maybe we'd want something simpler, something like "scanner curations" to remove false-positives from the list of detected licenses instead of actually specifying the valid licenses.

sschuberth commented 4 years ago

Was this solved meanwhile by https://github.com/heremaps/oss-review-toolkit/blob/ff0645eb1e8774801b6d93bf5c8a4456aacf9410/model/src/main/kotlin/config/ErrorResolutionReason.kt#L36?

mnonnenmacher commented 4 years ago

> Was this solved meanwhile by https://github.com/heremaps/oss-review-toolkit/blob/ff0645eb1e8774801b6d93bf5c8a4456aacf9410/model/src/main/kotlin/config/ErrorResolutionReason.kt#L36?

No, this field was there before this issue was created and is only used for resolving errors, but unrelated to license findings.

mnonnenmacher commented 4 years ago

This is implemented for license findings in the project's source code in: https://github.com/heremaps/oss-review-toolkit/pull/1846

The missing part is implementing support for using LicenseFindingCurations for external dependencies.

fviernau commented 4 years ago

License finding curations and path excludes are now also supported for packages (dependencies) in addition to projects via package configurations. The implementation is spread across several PRs; for starting points see e.g. #2503, #2528.

Note: The WebApp still lacks support for path excludes on finding granularity level which is planned to be added soon.

fviernau commented 4 years ago

Closing the ticket as false positive scanner matches can now either be (1) excluded if applicable or (2) curated on finding granularity level or broader.