
BUG: License LGPL-2.1-only not discovered #3869

Closed
berndgassmann opened this issue Feb 9, 2024 · 5 comments
Labels
check/License good first issue Good for newcomers kind/bug Something isn't working

Comments

@berndgassmann

berndgassmann commented Feb 9, 2024

Describe the bug
The license of our project, LGPL-2.1-only, does not seem to be recognized correctly, neither as FSF nor as OSI.

Reproduction steps
see:
https://github.com/intel/ad-rss-lib/security/code-scanning/76

Renaming the LICENSE file to LICENSE-LGPL-2.1-only also didn't work:
intel/ad-rss-lib@1ffcf5a

nor adding the SPDX-License-Identifier: LGPL-2.1-only into the file:
intel/ad-rss-lib@7258946

Expected behavior
License score of 10 is expected instead of 9.

Additional context
Maybe your current setup only recognizes LGPL-2.1, but LGPL-2.1-only and LGPL-2.1-or-later should both be detected as well.

@berndgassmann berndgassmann added the kind/bug Something isn't working label Feb 9, 2024
@spencerschrock
Member

We currently rely on GitHub for license detection, and they don't seem to recognize it.

https://api.github.com/repos/intel/ad-rss-lib

  "license": {
    "key": "other",
    "name": "Other",
    "spdx_id": "NOASSERTION",
    "url": null,
    "node_id": "MDc6TGljZW5zZTA="
  },

Although it should be within our ability to parse SPDX IDs, if present. Assuming that gets fixed (either on GitHub or our end), we'd need to update our list of FSF or OSI licenses, as LGPL-2.1-only should be on the list according to https://spdx.org/licenses:

var fsfOsiApprovedLicenseMap = map[string]fsfOsiLicenseType{
    "0BSD": {Name: "BSD Zero Clause License"},

Or, on the Scorecard Action side, we really shouldn't be complaining about that last 1 point:
https://github.com/ossf/scorecard-action/blob/0ae0fb3a2ca18a43d6dea9c07cfb9bd01d17eae1/policies/template.yml#L29-L31
This value would be better set to 6 or 9, depending on what we want to enforce.
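
The detection flow sketched in the comment above (trust GitHub's `spdx_id` when it has one, otherwise parse an `SPDX-License-Identifier:` tag, then normalize the id and look it up in an FSF/OSI map), as an added example that is not Scorecard's own code. The API response, the LICENSE text and the approved map are constructed samples; the normalization of the deprecated bare `LGPL-2.1` / `LGPL-2.1+` spellings to `-only` / `-or-later` follows the current SPDX list and is an assumption about what a fixed implementation would do.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of the "license" object GitHub's repository API returns,
// shaped like the response quoted in the thread (values are hypothetical).
const sampleRepoJSON = `{
  "license": {
    "key": "other",
    "name": "Other",
    "spdx_id": "NOASSERTION",
    "url": null
  }
}`

// Constructed LICENSE header that self-declares its license via an SPDX tag
// (hypothetical text, not the repository's actual file).
const sampleLicenseFile = `SPDX-License-Identifier: LGPL-2.1-only

                  GNU LESSER GENERAL PUBLIC LICENSE
                       Version 2.1, February 1999
`

// Small assumed subset of an FSF/OSI approved map keyed by SPDX short id.
var fsfOsiApproved = map[string]string{
	"0BSD":              "BSD Zero Clause License",
	"MIT":               "MIT License",
	"LGPL-2.1-only":     "GNU Lesser General Public License v2.1 only",
	"LGPL-2.1-or-later": "GNU Lesser General Public License v2.1 or later",
}

// ghRepo models only the field this example needs from the API response.
type ghRepo struct {
	License struct {
		SPDXID string `json:"spdx_id"`
	} `json:"license"`
}

// licenseFromAPI returns the SPDX id GitHub reports, or "" when GitHub could
// not classify the license ("NOASSERTION", null license, or missing field).
func licenseFromAPI(body []byte) (string, error) {
	var r ghRepo
	if err := json.Unmarshal(body, &r); err != nil {
		return "", err
	}
	if r.License.SPDXID == "" || r.License.SPDXID == "NOASSERTION" {
		return "", nil
	}
	return r.License.SPDXID, nil
}

// spdxTagRe finds an SPDX-License-Identifier tag on any line; singleIDRe
// accepts one short identifier only, so compound expressions such as
// "MIT OR Apache-2.0" are rejected rather than silently truncated.
var (
	spdxTagRe  = regexp.MustCompile(`(?m)SPDX-License-Identifier:[ \t]*(.+?)[ \t]*$`)
	singleIDRe = regexp.MustCompile(`^[A-Za-z0-9.+-]+$`)
)

// licenseFromSPDXTag returns the tag's identifier, or "" if there is no tag
// or the tag is a compound expression.
func licenseFromSPDXTag(text string) string {
	m := spdxTagRe.FindStringSubmatch(text)
	if m == nil || !singleIDRe.MatchString(strings.TrimSpace(m[1])) {
		return ""
	}
	return strings.TrimSpace(m[1])
}

// normalizeSPDX maps the deprecated GNU-family spellings onto the current ids
// so one lookup table covers both: LGPL-2.1 -> LGPL-2.1-only, LGPL-2.1+ ->
// LGPL-2.1-or-later. Exception-suffixed ids (…-with-…-exception) are not handled.
func normalizeSPDX(id string) string {
	if strings.HasSuffix(id, "+") {
		return strings.TrimSuffix(id, "+") + "-or-later"
	}
	gnu := strings.HasPrefix(id, "GPL-") || strings.HasPrefix(id, "LGPL-") || strings.HasPrefix(id, "AGPL-")
	if gnu && !strings.HasSuffix(id, "-only") && !strings.HasSuffix(id, "-or-later") {
		return id + "-only"
	}
	return id
}

// detectLicense tries GitHub's classification first and falls back to the
// SPDX tag in the LICENSE text. The fallback trusts a self-declared tag; it
// does not verify that the license text actually matches that license.
func detectLicense(apiBody []byte, licenseText string) (id string, approved bool, err error) {
	if id, err = licenseFromAPI(apiBody); err != nil {
		return "", false, err
	}
	if id == "" {
		id = licenseFromSPDXTag(licenseText)
	}
	if id == "" {
		return "", false, nil
	}
	id = normalizeSPDX(id)
	_, approved = fsfOsiApproved[id]
	return id, approved, nil
}

func main() {
	id, ok, err := detectLicense([]byte(sampleRepoJSON), sampleLicenseFile)
	if err != nil {
		panic(err)
	}
	fmt.Printf("license=%q fsf/osi-approved=%v\n", id, ok)
}
```

The caveat in `detectLicense` matters for a score: an SPDX tag is a claim by the repository, not evidence, so a checker that accepts it should still report that the text itself was not matched, which is exactly the gap a text-matching detector like licensee or scancode closes.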

@berndgassmann
Author

berndgassmann commented Feb 12, 2024

Hi,
thanks for the details here. If I understand it correctly, GitHub uses this one, https://github.com/licensee/licensee, to detect the license:
licensee/licensee#631
And they actually do not yet support -or-later/-only suffixes.

@mlinksva

@berndgassmann unrelated to licensee/licensee#631. The reason https://github.com/intel/ad-rss-lib/blob/98991d6e5e51823c90b3d37a2fbb08cab360b37b/LICENSE can't be identified as LGPL-2.1 is due to differences in the text there (at a glance, prepended text and removal of the preamble) and the expected license text.

@berndgassmann
Author

@mlinksva Thank you very much for the support. The SPDX identifier I had added recently in the hope that this would work out. Now I've copied the license text including the preamble, and it's detected as a valid license.
Very much appreciated.

@pombredanne

pombredanne commented Mar 22, 2024

You should consider using a proper license detection tool, like scancode. But here the text was seriously damaged.
