False positive: GPL instead of LGPL #2641

Closed
hesa opened this issue Aug 13, 2021 · 5 comments
hesa commented Aug 13, 2021

Description

Scancode reports:

      "license_expressions": [
        "lgpl-2.0",
        "lgpl-2.1",
        "gpl-2.0",
        "lgpl-2.1",
        "lgpl-3.0",
        "gpl-3.0-plus"
      ],

Source code file states:

This program is free software: you can redistribute it and/or modify it 
under the terms of either or both of the following licenses:

1) the GNU Lesser General Public License version 3, as published by the 
Free Software Foundation; and/or
2) the GNU Lesser General Public License version 2.1, as published by 
the Free Software Foundation.

The source code file is released under: LGPLv3 and/or LGPLv2.1
But Scancode reports: lgpl-2.0, lgpl-2.1, gpl-2.0, lgpl-2.1, lgpl-3.0, gpl-3.0-plus

Disclaimer: I may be totally wrong (but I'm a Dancin' fool - Frank Zappa)

How To Reproduce

PKG=libdbusmenu-16.04.0
PKG_FILE=${PKG}.tar.gz
FILE=libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c

curl -LJO https://launchpad.net/libdbusmenu/16.04/16.04.0/+download/libdbusmenu-16.04.0.tar.gz
tar zxvf ${PKG_FILE} $FILE
rm ${PKG_FILE} 
scancode -clipe --license-text --license-text-diagnostics --classify --license-clarity-score --summary --summary-key-files --summary-with-details  ${PKG} --json-pp $(basename $FILE)-scan.json

System configuration

My system:

File header

/*
A library to take the object model made consistent by libdbusmenu-glib
and visualize it in GTK.

Copyright 2009 Canonical Ltd.

Authors:
    Ted Gould <ted@canonical.com>

This program is free software: you can redistribute it and/or modify it 
under the terms of either or both of the following licenses:

1) the GNU Lesser General Public License version 3, as published by the 
Free Software Foundation; and/or
2) the GNU Lesser General Public License version 2.1, as published by 
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but 
WITHOUT ANY WARRANTY; without even the implied warranties of 
MERCHANTABILITY, SATISFACTORY QUALITY or FITNESS FOR A PARTICULAR 
PURPOSE.  See the applicable version of the GNU Lesser General Public 
License for more details.

You should have received a copy of both the GNU Lesser General Public 
License version 3 and version 2.1 along with this program.  If not, see 
<http://www.gnu.org/licenses/>
*/

Scancode report (parts of it)

$ cat  menuitem.c-scan.json  | jq -r '.files[] | select(.path|test("libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c"))' 
{
  "path": "libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c",
  "type": "file",
  "name": "menuitem.c",
  "base_name": "menuitem",
  "extension": ".c",
  "size": 10078,
  "date": "2016-02-27",
  "sha1": "121ded4ec9133d765aa252f1ba751b20a95149e0",
  "md5": "16773326b5f0b52abf39773eb8ebd380",
  "sha256": "e0198d42f5293270c5a4f5cf729ac362feb6ef2669a5d92e955d15776cfff7f8",
  "mime_type": "text/x-c",
  "file_type": "C source, ASCII text",
  "programming_language": "C",
  "is_binary": false,
  "is_text": true,
  "is_archive": false,
  "is_media": false,
  "is_source": true,
  "is_script": false,
  "licenses": [
    {
      "key": "lgpl-2.0",
      "score": 91.8,
      "name": "GNU Library General Public License 2.0",
      "short_name": "LGPL 2.0",
      "category": "Copyleft Limited",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html",
      "text_url": "http://www.gnu.org/licenses/lgpl-2.0.html",
      "reference_url": "https://scancode-licensedb.aboutcode.org/lgpl-2.0",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.0.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.0.yml",
      "spdx_license_key": "LGPL-2.0-only",
      "spdx_url": "https://spdx.org/licenses/LGPL-2.0-only",
      "start_line": 10,
      "end_line": 21,
      "matched_rule": {
        "identifier": "lgpl-2.0_30.RULE",
        "license_expression": "lgpl-2.0",
        "licenses": [
          "lgpl-2.0"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 61,
        "matched_length": 56,
        "match_coverage": 91.8,
        "rule_relevance": 100
      },
      "matched_text": "This program is free software: you can redistribute it and/or modify it \nunder the terms of [either] [or] [both] [of] [the] [following] [licenses]:\n\n[1]) the GNU Lesser General Public License [version] [3], as published by the \nFree Software Foundation; [and]/[or]\n[2]) [the] [GNU] [Lesser] [General] [Public] [License] [version] [2].[1], [as] [published] [by] \n[the] [Free] [Software] [Foundation].\n\nThis program is distributed in the hope that it [will] be useful, but \nWITHOUT ANY WARRANTY; without even the implied [warranties] of \nMERCHANTABILITY, [SATISFACTORY] [QUALITY] or FITNESS FOR A PARTICULAR \nPURPOSE."
    },
    {
      "key": "lgpl-2.1",
      "score": 48.48,
      "name": "GNU Lesser General Public License 2.1",
      "short_name": "LGPL 2.1",
      "category": "Copyleft Limited",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/lgpl-2.1.html",
      "text_url": "http://www.gnu.org/licenses/lgpl-2.1.txt",
      "reference_url": "https://scancode-licensedb.aboutcode.org/lgpl-2.1",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.1.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.1.yml",
      "spdx_license_key": "LGPL-2.1-only",
      "spdx_url": "https://spdx.org/licenses/LGPL-2.1-only",
      "start_line": 15,
      "end_line": 16,
      "matched_rule": {
        "identifier": "lgpl-2.1_22.RULE",
        "license_expression": "lgpl-2.1",
        "licenses": [
          "lgpl-2.1"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 33,
        "matched_length": 16,
        "match_coverage": 48.48,
        "rule_relevance": 100
      },
      "matched_text": "the GNU Lesser General Public License version 2.1, as published by \nthe Free Software Foundation."
    },
    {
      "key": "gpl-2.0",
      "score": 51.7,
      "name": "GNU General Public License 2.0",
      "short_name": "GPL 2.0",
      "category": "Copyleft",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/gpl-2.0.html",
      "text_url": "http://www.gnu.org/licenses/gpl-2.0.txt",
      "reference_url": "https://scancode-licensedb.aboutcode.org/gpl-2.0",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/gpl-2.0.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/gpl-2.0.yml",
      "spdx_license_key": "GPL-2.0-only",
      "spdx_url": "https://spdx.org/licenses/GPL-2.0-only",
      "start_line": 18,
      "end_line": 25,
      "matched_rule": {
        "identifier": "gpl-2.0_953.RULE",
        "license_expression": "gpl-2.0",
        "licenses": [
          "gpl-2.0"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 90,
        "matched_length": 47,
        "match_coverage": 52.22,
        "rule_relevance": 99
      },
      "matched_text": "This program is distributed in the hope that it will be useful, but \nWITHOUT ANY WARRANTY; without even the implied [warranties] of \nMERCHANTABILITY, [SATISFACTORY] [QUALITY] or FITNESS FOR A PARTICULAR \nPURPOSE.  See the [applicable] [version] [of] [the] GNU [Lesser] General Public \nLicense for more details.\n\nYou should have received a copy of [both] the GNU [Lesser] General Public \nLicense"
    },
    {
      "key": "lgpl-2.1",
      "score": 21.21,
      "name": "GNU Lesser General Public License 2.1",
      "short_name": "LGPL 2.1",
      "category": "Copyleft Limited",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/lgpl-2.1.html",
      "text_url": "http://www.gnu.org/licenses/lgpl-2.1.txt",
      "reference_url": "https://scancode-licensedb.aboutcode.org/lgpl-2.1",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.1.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-2.1.yml",
      "spdx_license_key": "LGPL-2.1-only",
      "spdx_url": "https://spdx.org/licenses/LGPL-2.1-only",
      "start_line": 21,
      "end_line": 22,
      "matched_rule": {
        "identifier": "lgpl-2.1_22.RULE",
        "license_expression": "lgpl-2.1",
        "licenses": [
          "lgpl-2.1"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 33,
        "matched_length": 7,
        "match_coverage": 21.21,
        "rule_relevance": 100
      },
      "matched_text": "of the GNU Lesser General Public \nLicense"
    },
    {
      "key": "lgpl-3.0",
      "score": 100,
      "name": "GNU Lesser General Public License 3.0",
      "short_name": "LGPL 3.0",
      "category": "Copyleft Limited",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/lgpl-3.0.html",
      "text_url": "http://www.gnu.org/licenses/lgpl-3.0-standalone.html",
      "reference_url": "https://scancode-licensedb.aboutcode.org/lgpl-3.0",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-3.0.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/lgpl-3.0.yml",
      "spdx_license_key": "LGPL-3.0-only",
      "spdx_url": "https://spdx.org/licenses/LGPL-3.0-only",
      "start_line": 24,
      "end_line": 25,
      "matched_rule": {
        "identifier": "lgpl-3.0_51.RULE",
        "license_expression": "lgpl-3.0",
        "licenses": [
          "lgpl-3.0"
        ],
        "is_license_text": false,
        "is_license_notice": false,
        "is_license_reference": true,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "2-aho",
        "rule_length": 7,
        "matched_length": 7,
        "match_coverage": 100,
        "rule_relevance": 100
      },
      "matched_text": "GNU Lesser General Public \nLicense version 3"
    },
    {
      "key": "gpl-3.0-plus",
      "score": 26.32,
      "name": "GNU General Public License 3.0 or later",
      "short_name": "GPL 3.0 or later",
      "category": "Copyleft",
      "is_exception": false,
      "owner": "Free Software Foundation (FSF)",
      "homepage_url": "http://www.gnu.org/licenses/gpl-3.0-standalone.html",
      "text_url": "http://www.gnu.org/licenses/gpl-3.0-standalone.html",
      "reference_url": "https://scancode-licensedb.aboutcode.org/gpl-3.0-plus",
      "scancode_text_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/gpl-3.0-plus.LICENSE",
      "scancode_data_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/licenses/gpl-3.0-plus.yml",
      "spdx_license_key": "GPL-3.0-or-later",
      "spdx_url": "https://spdx.org/licenses/GPL-3.0-or-later",
      "start_line": 24,
      "end_line": 26,
      "matched_rule": {
        "identifier": "gpl-3.0-plus_187.RULE",
        "license_expression": "gpl-3.0-plus",
        "licenses": [
          "gpl-3.0-plus"
        ],
        "is_license_text": false,
        "is_license_notice": true,
        "is_license_reference": false,
        "is_license_tag": false,
        "is_license_intro": false,
        "matcher": "3-seq",
        "rule_length": 38,
        "matched_length": 10,
        "match_coverage": 26.32,
        "rule_relevance": 100
      },
      "matched_text": "General Public \nLicense version 3 [and] [version] [2].[1] [along] [with] [this] [program].  [If] [not], see \n<http://www.gnu.org/"
    }
  ],
  "license_expressions": [
    "lgpl-2.0",
    "lgpl-2.1",
    "gpl-2.0",
    "lgpl-2.1",
    "lgpl-3.0",
    "gpl-3.0-plus"
  ],
  "percentage_of_license_text": 7.51,
  "copyrights": [
    {
      "value": "Copyright 2009 Canonical Ltd.",
      "start_line": 5,
      "end_line": 5
    }
  ],
  "holders": [
    {
      "value": "Canonical Ltd.",
      "start_line": 5,
      "end_line": 5
    }
  ],
  "authors": [
    {
      "value": "Ted Gould <ted@canonical.com>",
      "start_line": 7,
      "end_line": 8
    }
  ],
  "packages": [],
  "emails": [
    {
      "email": "ted@canonical.com",
      "start_line": 8,
      "end_line": 8
    }
  ],
  "is_legal": false,
  "is_manifest": false,
  "is_readme": false,
  "is_top_level": true,
  "is_key_file": false,
  "summary": {
    "license_expressions": [
      {
        "value": "lgpl-2.1",
        "count": 2
      },
      {
        "value": "gpl-2.0",
        "count": 1
      },
      {
        "value": "gpl-3.0-plus",
        "count": 1
      },
      {
        "value": "lgpl-2.0",
        "count": 1
      },
      {
        "value": "lgpl-3.0",
        "count": 1
      }
    ],
    "copyrights": [
      {
        "value": "Copyright Canonical Ltd.",
        "count": 1
      }
    ],
    "holders": [
      {
        "value": "Canonical Ltd.",
        "count": 1
      }
    ],
    "authors": [
      {
        "value": "Ted Gould <ted@canonical.com>",
        "count": 1
      }
    ],
    "programming_language": [
      {
        "value": "C",
        "count": 1
      }
    ]
  },
  "files_count": 0,
  "dirs_count": 0,
  "size_count": 0,
  "scan_errors": []
}
@hesa hesa added the bug label Aug 13, 2021
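
A regression check for this kind of false positive, as an added example that is not part of the original issue or of ScanCode: it compares the license keys detected for one file against the set the file header declares, assuming the JSON layout shown in the report above. The `audit_file` function and the trimmed sample are constructed for illustration.

```python
import json

# Constructed sample: the scan result quoted in the issue, trimmed to the
# fields this check reads (values copied from that report).
SAMPLE_SCAN = json.loads("""
{"files": [{"path": "libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c", "licenses": [
  {"key": "lgpl-2.0", "start_line": 10, "end_line": 21,
   "matched_rule": {"identifier": "lgpl-2.0_30.RULE", "matcher": "3-seq", "match_coverage": 91.8}},
  {"key": "lgpl-2.1", "start_line": 15, "end_line": 16,
   "matched_rule": {"identifier": "lgpl-2.1_22.RULE", "matcher": "3-seq", "match_coverage": 48.48}},
  {"key": "gpl-2.0", "start_line": 18, "end_line": 25,
   "matched_rule": {"identifier": "gpl-2.0_953.RULE", "matcher": "3-seq", "match_coverage": 52.22}},
  {"key": "lgpl-3.0", "start_line": 24, "end_line": 25,
   "matched_rule": {"identifier": "lgpl-3.0_51.RULE", "matcher": "2-aho", "match_coverage": 100}},
  {"key": "gpl-3.0-plus", "start_line": 24, "end_line": 26,
   "matched_rule": {"identifier": "gpl-3.0-plus_187.RULE", "matcher": "3-seq", "match_coverage": 26.32}}
]}]}
""")

# Licenses the file header actually declares (LGPLv3 and/or LGPLv2.1).
EXPECTED = {"lgpl-3.0", "lgpl-2.1"}


def audit_file(scan, path, expected_keys):
    """Compare detected license keys for one file against the expected set.

    Returns (unexpected, missing): unexpected lists each match whose key is
    not expected; missing is a sorted list of expected keys never detected.
    """
    entry = next((f for f in scan.get("files", []) if f.get("path") == path), None)
    if entry is None:
        raise KeyError(f"{path} not present in scan result")
    unexpected, seen = [], set()
    for match in entry.get("licenses", []):
        key, rule = match["key"], match.get("matched_rule", {})
        seen.add(key)
        if key not in expected_keys:
            unexpected.append({
                "key": key,
                "lines": (match["start_line"], match["end_line"]),
                "rule": rule.get("identifier"),
                # Coverage below 100 means only part of the rule text matched.
                "partial": rule.get("match_coverage", 0) < 100,
            })
    return unexpected, sorted(set(expected_keys) - seen)


if __name__ == "__main__":
    bad, missing = audit_file(SAMPLE_SCAN, "libdbusmenu-16.04.0/libdbusmenu-gtk/menuitem.c", EXPECTED)
    for m in bad:
        print(f"unexpected {m['key']} at lines {m['lines']} via {m['rule']} (partial={m['partial']})")
    print("missing:", missing)
```
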
@pombredanne
Member

@hesa Hey 👋 Thank you ++ for this detailed report!

@pombredanne
Member

I ran a test on the whole https://launchpad.net/libdbusmenu/16.04/16.04.0/+download/libdbusmenu-16.04.0.tar.gz and the latest code and this is detected correctly.
It looks like this was fixed with #2505 ... merged in April and available in these releases v21.8.4, v21.7.30 and v21.6.7. You should try to update to the latest scancode.

@hesa
Author

hesa commented Aug 14, 2021

Will do. I'll update the docker image and report back.

mille grazie

@hesa
Author

hesa commented Aug 14, 2021

@pombredanne .... thanks for super fast response. I can confirm this is indeed fixed in the release 21.8.4. Sorry to bug you - I should have checked latest release before reporting.

You're awesome and thanks for all your hard work on Scancode

/h

Added the new 21.8.4 release of scancode to: https://github.com/vinland-technology/compliance-tool-collection/releases/tag/0.5.2

@hesa
Author

hesa commented Aug 14, 2021

... this issue can be closed.
