Roshan Thomas
@Thomshan
Any idea how I can suppress these false positives?
Roshan Thomas
@Thomshan
false_p.JPG
Philippe Ombredanne
@pombredanne
@Thomshan this could be a bug alright! can you enter a ticket?
@Thomshan though from a quick look at your image (text would be easier to reproduce) this really looks like a clear proprietary license from SUN and not a false positive at all
Philippe Ombredanne
@pombredanne

@Thomshan this is proprietary alright: https://repo1.maven.org/maven2/javax/servlet/jsp/jsp-api/2.1/ the jsp_2_0.xsd file in there has this license:

Copyright 2003 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, California 94303, U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and other countries. This document and the technology which it describes are distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Sun, Sun Microsystems, the Sun logo, Solaris, Java, J2EE, JavaServer Pages, Enterprise JavaBeans and the Java Coffee Cup logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Federal Acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

And there is 100% no ambiguity that this is 100% proprietary
This document and the technology which it describes are distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.
is very clear.
the JSP APIs are a known mess, license-wise
you could look at alternative versions of the same APIs and defs from Apache Tomcat instead (and maybe also Jetty) with a different license
So this detection is not a bug after all IMHO
Philippe Ombredanne
@pombredanne
Do not shoot the messenger :P
Roshan Thomas
@Thomshan
Thanks for the clarification @pombredanne ! At first glance it seemed like a non-proprietary copyright to me. Sorry for the trouble :)
Philippe Ombredanne
@pombredanne
@Thomshan that's no trouble! that was a useful exercise :) come back at any time with any question :)
Ansh Srivastava
@anshsrtv

I got the following error while running make dev in an Ubuntu 18 terminal:

ERROR: Could not find a version that satisfies the requirement psycopg2==2.8.6
ERROR: No matching distribution found for psycopg2==2.8.6

What's the workaround or is this an issue to be solved?

Philippe Ombredanne
@pombredanne
@anshsrtv Is this on Windows WSL? do you have enough to compile otherwise? is this on X86_64 architecture?
@tdruez ^
Ashwin Raj
@ashwinraj-in
Hi Everyone. I am planning to contribute to improving PyPI package license detection results. Can someone give me a head start on the approach that I should take for this?
Philippe Ombredanne
@pombredanne
Hi :) so the primary approach would be to drive that from data, lots of it, e.g. start with stats on all the PyPI packages' declared license data. Then based on that, work out detection tests, identify issues and possibly create new rules, code and mappings
Ashwin Raj
@ashwinraj-in
@pombredanne Is there any scope for NLP techniques that we can apply to improve the results?
S3j5b0
@S3j5b0
Hi, I've been asked to implement the tool as part of a CI chain with GitHub Actions. Is it possible to not necessarily output a file, but somehow indicate that license incompatibilities have been detected, and throw back an error or something? :D
Ayan Sinha Mahapatra
@AyanSinhaMahapatra
@S3j5b0 I think this warrants a ticket :P though to my knowledge no, we are far from adding something that would throw back errors in case of license policy incompatibilities. There's a license policy plugin that might interest you -> https://scancode-toolkit.readthedocs.io/en/latest/plugins/licence_policy_plugin.html but due to the somewhat complex nature of license policy incompatibilities there isn't a ready CI automation solution available at present.
Philippe Ombredanne
@pombredanne
@AyanSinhaMahapatra good point!
@S3j5b0 incompatibility is something that's not universal and depends on the usage context and the policy of both the author/distributor of a product and its customer/user.
You could have a policy that prohibits Apache-2.0-licensed code and mine would mandate its use.
Philippe Ombredanne
@pombredanne
And another could state that using LGPL-licensed code is OK only if unmodified and linking dynamically.
Policies, modifications, linking style are not things that can be easily determined. (Yet I wish we could do so... we are working on it ;) )
Even things that look like context-free facts are not that easy to deal with. For instance the FSF states that the GPL-2.0 is incompatible with the Apache-2.0 license, but the GPL-3.0 is compatible.
Yet, say that some Apache-licensed code uses a GPL-2.0-licensed tool unmodified and spawned in its own independent process. In this case the FSF may say this is OK and that there may not be a compatibility issue.
Philippe Ombredanne
@pombredanne
e.g. the same code when used differently may trigger compat issues or not.
I wish things would be simpler... but they are not :P
balakrishna-mukundaraj
@balakrishna-mukundaraj
Hi, I am trying to add a plug-in for a new output format. It used to work in the previous versions (v3.2.1rc2) but with the latest released version, it is giving me a "Missing output option(s): at least one output option is required to save scan results." error. Is there any specific change in the latest version that I might have to look into?
Philippe Ombredanne
@pombredanne
@balakrishna-mukundaraj hum... is this public code?

there have been quite a few changes since 3.2.1rc2:
https://github.com/nexB/scancode-toolkit/compare/v3.2.1rc2...develop
like over 1000 commits

Showing 25,888 changed files with 281,590 additions and 385,844 deletions.

Philippe Ombredanne
@pombredanne

@balakrishna-mukundaraj that said the key change seems to be


@output_impl
class JsonPrettyOutput(OutputPlugin):

    options = [
        CommandLineOption(('--json-pp', 'output_json_pp',),
            type=FileOptionType(mode=mode, lazy=True),
            metavar='FILE',
            help='Write scan output as pretty-printed JSON to FILE.',
            help_group=OUTPUT_GROUP,
            sort_order=10),
    ]

which becomes now:

@output_impl
class JsonPrettyOutput(OutputPlugin):

    options = [
        PluggableCommandLineOption(('--json-pp', 'output_json_pp',),
            type=FileOptionType(mode='w', encoding='utf-8', lazy=True),
            metavar='FILE',
            help='Write scan output as pretty-printed JSON to FILE.',
            help_group=OUTPUT_GROUP,
            sort_order=10),
    ]
ak-iitb
@ak-iitb
Hi, I have a very basic query: does scancode detect license files in the source code, or does it generate the license files by looking at the libraries used in the code? For example, I am building something in Java and I have multiple open source libraries. Now if I scan my code with scancode, would it provide me the list of the libraries used and the licenses associated with them?
Philippe Ombredanne
@pombredanne

@guddutopper yes and no.
So the --package option will detect the packages and report dependencies (say in a pom.xml). So you will get the list in this way, at least the list of direct dependencies.

It will not (yet) resolve nor fetch the dependencies tree to analyze them.
They would have to be in the scanned dir to be analyzed.
They would likely need to be extracted first with extractcode too, at least for now.

So if you scan your built and as-deployed app, you should have them all normally.
ak-iitb
@ak-iitb
@pombredanne yes I have to extract the JAR files using the extractcode command and then it is able to generate a report for the licenses and copyright. However it gives a combined report, could it provide the license and copyright report per JAR file?
Philippe Ombredanne
@pombredanne
@guddutopper that's a great idea for an issue for a new feature.
ak-iitb
@ak-iitb
image.png
@pombredanne I had 120 JAR files, I extracted them all using extractcode, now when I run the scancode command, it has been stuck for 3 hours.
Philippe Ombredanne
@pombredanne
:|
@guddutopper how many --processes ?
-n4.... :|
you may want to start with a scancode --package -n4 and no -cl yet?
ak-iitb
@ak-iitb
@pombredanne I did not understand, I should not use the -cl option? I just want to scan the extracted JAR files (say 100) to get the license and copyright info. I don't need any other details such as class/filetype/filename etc. What should be the command for that?
Philippe Ombredanne
@pombredanne
@guddutopper I was asking if you could try first with scancode --package -n4 --json-pp <your scan file name>.json for a start, to focus on the package manifests
ak-iitb
@ak-iitb
@pombredanne so this JSON file would be used as an input when I run scancode next time with the -cl option to speed up the process?