porscheinformatik / sonarqube-licensecheck

SonarQube Licensecheck Plugin
Apache License 2.0

Misleading mapping LGPL to Apache 2 license #405

Closed len-ro closed 7 months ago

len-ro commented 9 months ago

Hello,

While using the plugin to analyse the licenses of a Java project (via the jk1 plugin) I found a very misleading result. The hibernate-core license:

        {
            "moduleName": "org.hibernate:hibernate-core",
            "moduleVersion": "3.5.6-Final",
            "moduleLicenses": [
                {
                    "moduleLicense": "GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1",
                    "moduleLicenseUrl": "https://www.gnu.org/licenses/lgpl-2.1"
                }
            ]
        },

was reported as Apache 2


After a lot of research I found the issue to be due to the following line in the default mapping:

{ "regex": ".*AL.*2.*", "license": "Apache-2.0" },

the string "GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1" matches the regexp :)

Thanks

Janpopan commented 9 months ago

@derkoe is this "(?i)Apache License? Version.?2.0" a better regex in this case?
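To make the false positive reproducible, here is an added Python check (not part of the thread or the plugin): it resolves license names against a mapping table with first-match semantics, shows the reported default sending the LGPL 2.1 string to Apache-2.0, and audits the proposed pattern plus a tighter, constructed one against a few constructed license names. It assumes whole-name matching (Java `Matcher.matches()` semantics), which is what the leading and trailing `.*` in the reported default suggest; the tables and sample names are constructed for this example.

```python
import re

# Constructed mapping tables. Only the first two regexes are quoted from the
# thread; everything else here is illustrative and not the plugin's own data.
BROAD_MAPPING = [
    {"regex": ".*AL.*2.*", "license": "Apache-2.0"},  # default mapping from the report
]
PROPOSED_MAPPING = [
    {"regex": "(?i)Apache License? Version.?2.0", "license": "Apache-2.0"},  # suggested above
    {"regex": "(?i)GNU Lesser General Public License.*2\\.1", "license": "LGPL-2.1"},
]
# Tighter variant written for this example: literal words, escaped dot,
# optional comma, no leading or trailing wildcards.
STRICT_MAPPING = [
    {"regex": r"(?i)(the )?apache( software)? license,? version 2\.0", "license": "Apache-2.0"},
    {"regex": r"(?i)gnu lesser general public license,? version 2\.1", "license": "LGPL-2.1"},
]

# Constructed license names paired with the identifier each should resolve to.
KNOWN_LICENSES = {
    "GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1": "LGPL-2.1",
    "Apache License Version 2.0": "Apache-2.0",
    "Apache License, Version 2.0": "Apache-2.0",
}


def map_license(name, mapping):
    """Resolve a license name with first-match semantics.

    Assumption: each regex must match the whole name (Java Matcher.matches()
    behaviour), emulated with re.fullmatch.
    """
    for entry in mapping:
        if re.fullmatch(entry["regex"], name):
            return entry["license"]
    return None


def audit_mapping(mapping, known=KNOWN_LICENSES):
    """Return {name: (expected, got)} for every known name the mapping resolves wrongly."""
    return {
        name: (expected, got)
        for name, expected in known.items()
        if (got := map_license(name, mapping)) != expected
    }


if __name__ == "__main__":
    for label, table in (("broad", BROAD_MAPPING), ("proposed", PROPOSED_MAPPING),
                         ("strict", STRICT_MAPPING)):
        print(label, audit_mapping(table) or "all known names resolve correctly")
```

Under these assumptions the proposed pattern removes the LGPL false positive but still returns None for the comma form "Apache License, Version 2.0", which the strict table handles.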

len-ro commented 9 months ago

I do not know what case this regexp was trying to solve, but indeed with the "Apache License" part it will surely not match the LGPL license text.

derkoe commented 9 months ago

Default mappings are gone already, so you are on your own there.