This is a channel focused on ScanCode support and not as noisy as the main discuss channel
the JSP apis are a known mess, license-wise
you could look alternative versions of the same APIs and defs from Apache Tomcat instead (and may be also Jetty) with a different license
So this detection is not a bug after all IMHO
Do not shoot the messenger :P
@tdruez ^
@S3j5b0 I think this warrants a ticket :P though in my knowledge no, we are far from from adding something that would throw back errors in case of license policy incompatibilities. There's a license ploicy plugin that might interest you -> https://scancode-toolkit.readthedocs.io/en/latest/plugins/licence_policy_plugin.html but due to the somewhat complex nature of license policy incompatibilities there isn't a ready CI automation solution available at present.
@S3j5b0 incompatibilities is something that's not universal and is depends on the usage context and a policy of both the author/distributor of a product and its customer/user.
You could have a policy that prohibits Apache-2.0-licensed code and mine would mandate its use.
policies, modifications, linking style are not things that can be easily determined. (Yet I wish we could do so... we are working on it ;) )
Even things that look like context-free facts are not that easy to deal. For instance the FSF states that the GPL-2.0 is incompatible with the Apache-2.0 license, but the GPL-3.0 is compatible.
Yet, say that some Apache-licensed code uses a GPL-2.0-licensed tool unmodified and in spawned its own independent process. In this case the FSF may say this is OK and that there may not be a compatibility issue.
I wish things would be simpler... but they are not :P
Hi, I am trying to add a plug-in for a new output format, it used to work in the previous versions (v3.2.1rc2) but with the latest released version, it is giving me a "Missing output option(s): at least one output option is required to save scan results." error. Is there any specific change in the latest version that i might have to look into?
there have been quite a few changes since 3.2.1rc2:
https://github.com/nexB/scancode-toolkit/compare/v3.2.1rc2...develop
like over 1000 commits
Showing 25,888 changed files with 281,590 additions and 385,844 deletions.
@balakrishna-mukundaraj May I suggest that you review the changes in one plugin such as:
https://github.com/nexB/scancode-toolkit/blob/develop/src/formattedcode/output_json.py
and
https://github.com/nexB/scancode-toolkit/blob/v3.2.1rc2/src/formattedcode/output_json.py
@balakrishna-mukundaraj that said the key change seems to be
@output_impl
class JsonPrettyOutput(OutputPlugin):
options = [
CommandLineOption(('--json-pp', 'output_json_pp',),
type=FileOptionType(mode=mode, lazy=True),
metavar='FILE',
help='Write scan output as pretty-printed JSON to FILE.',
help_group=OUTPUT_GROUP,
sort_order=10),
]which becomes now:
@output_impl
class JsonPrettyOutput(OutputPlugin):
options = [
PluggableCommandLineOption(('--json-pp', 'output_json_pp',),
type=FileOptionType(mode='w', encoding='utf-8', lazy=True),
metavar='FILE',
help='Write scan output as pretty-printed JSON to FILE.',
help_group=OUTPUT_GROUP,
sort_order=10),
]
Hi, I have a very basic query, does scan code detects license files in the source code or it generates the license files by looking at the libraries used in the code, for example, I am building something in JAVA and I have multiple opensource libraries, now if I scan my code with scancode then would it provide me the list of the libraries used and the licenses associated to them?
@guddutopper yes and no.
So the --package option will detect the packages and report dependencies (say in a pom.xml). So you will get the list in this way, at elast the list of direct dependencies.
It will not (yet) resolve nor fetch the dependencies tree to analyze them.
They would have to be in the scanned dir to be analyzed.
They would likely need to be extracted first with extractcode too, at least for now.
So if you scan your built and as-deployed app, you should have them all normally
@pombredanne I had 120 JAR files, I extracted them all using extractcode, now when I run the scancode command, it is stuck since 3 hours.
@guddutopper how many --processes ?
-n4.... :|
you may want to start with a
scancode --package -n4 and no -cl yet?
I am worried otherwise as to why a scan of 120 jars would take so long
I believe @guddutopper is referring to the HTML report. This was a problem for me as well since the file information table in the HTML report is massive in medium-large sized projects. MS Edge would constantly crash for me because there was just so much to render. I finally created a script to remove all lines pertaining to the file information table in the html file as a workaround.
@Thomshan @guddutopper ok, the HTML report is always going to be limited. The volume of data really means the JSON is more appropriate as an input to the workbench.
alternatively we could get a plugin to help filter things out. In all cases, having an issue is much welcomed :P
alternatively we could get a plugin to help filter things out. In all cases, having an issue is much welcomed :P
I have a question with regard to scanning ".class" files. If I'm not wrong, ".class" files do not retain any comments in them (so there won't be any license text). I used scancode to run a scan on a jar (jaxen-1.1.3.jar) and scancode reported the presence of a proprietary license in one of the .class files of this jar (jaxen-1.1.3.jar-extract/org/jaxen/dom/NamespaceNode.class). I used an IDE to investigate and couldn't find anything at the line number reported by scancode. Any idea how/why this could have happened?