False-positive proprietary-license finding in Guava source code #2865
Comments
@sschuberth Thanks... yes the matched rule is: https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/rules/proprietary-license_276.RULE
Reference: #2865 Reported-by: Patrick Kutter @PatteSI Reported-by: Sebastian Schuberth @sschuberth Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
@sschuberth @PatteSI: there you go: dade204 :)
Thank you for the quick fix @pombredanne! I believe @PatteSI has a few more similarly obvious cases, and will eventually report them as separate issues.
Excellent! The more the better! @PatteSI I could also show you how to fix these if you like!
@pombredanne Thank you for the quick "fix". If you do not agree with my suggestions, maybe you or @sschuberth have an idea how we could provide you with a list of all our globally curated false positives. I believe it would be possible to create ScanCode rule exceptions from the global curation file that our curation team is building up. Still, I think the other mentioned options would be the better way to go forward here.
Never mind, I think you were already aware of the problematic "unknown" license detection behavior: #1675. I guess this covers my point 2. Not sure how helpful points 1 and 3 would be. However, the issue with false "unknown" detection still seems to be big.
@PatteSI @sschuberth I am putting together the outline of a "False" plan at #2878
@PatteSI and I had forgotten to thank you for the detailed suggestions.
@PatteSI re:
gentle ping... have you looked into providing me the data you have about curations so that we can fix detection in ScanCode for everyone?
Hello @pombredanne. It's been a while. Anyway, I again asked our team here at Bosch if we can provide a list of our global curations that contain many false positives, but I doubt this will happen soon (or at all) due to compliance issues.
Description
Scanning https://github.com/google/guava/blob/v31.0.1/guava/src/com/google/common/graph/StandardValueGraph.java#L36 results in a false-positive license finding of `proprietary-license`, although no license declaration is present at all. (Thanks to @PatteSI for finding this.)
The matched text just says
I guess the "modified by the user" words are what triggers the finding. However, what's a bit disturbing is that the license score is 100.0 for this match... so ScanCode is ultimately confident that this is a license match, and we can't get rid of it by adjusting the `--license-score`.
How To Reproduce
System configuration
Ubuntu Linux 18.04