
Incorrect detection of license per file #486

Open
kikofernandez opened this issue Oct 24, 2024 · 0 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug.), sig/release (Categorizes an issue or PR as relevant to SIG Release.)


What happened:

I ran bom generate -erlang-otp.spdx . over the Erlang/OTP programming language repository.
It generates a source SBOM as expected, but the license included in each *.erl file is not detected correctly.

What you expected to happen:

As an example, the file in otp/lib/stdlib/src/lists.erl starts as follows:

%%
%% %CopyrightBegin%
%%
%% Copyright Ericsson AB 1996-2024. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%%     http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%
%% %CopyrightEnd%
%%

I expected bom to detect the license, but it does not, as follows from the bom output:

Relationship: SPDXRef-Package-otp CONTAINS SPDXRef-File-otp-lib-stdlib-src-pool.erl
FileName: lib/stdlib/src/lists.erl
SPDXID: SPDXRef-File-otp-lib-stdlib-src-lists.erl
FileChecksum: SHA1: ed83acc4dbe57afadfa6fdd9a89bf48b4a949d00
FileChecksum: SHA256: 41e25e2bb15f88ee6f68e90d1d0b9751fac0b3781af0b43682b5b565220c4a20
FileChecksum: SHA512: a52aa62c5acba64562d642f2d628d222d948961ff1f9fb1d37ec9efc90dd76f8621a9574448782f30e7cadbb78a393b7b70fa203586dc53e6160113cf66c08d1
FileType: OTHER
LicenseConcluded: MIT
LicenseInfoInFile: NONE
FileCopyrightText: NOASSERTION

How to reproduce it (as minimally and precisely as possible):

git clone git@github.com:erlang/otp.git
cd otp
bom generate -erlang-otp.spdx .

The file lib/stdlib/src/lists.erl contains a license,
but the generated output does not show that; instead it shows MIT and the field LicenseInfoInFile: NONE.

Anything else we need to know?:

Thanks for this product.

Environment:

  • OS: Ubuntu 22.04.5 LTS
  • Kernel: Linux XXX 6.8.0-45-generic #45~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 11 15:25:05 UTC 2 x86_64 GNU/Linux
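To make the expected result concrete, here is an added example of heuristic per-file license detection; it is not bom's own code and not from the issue author. It scans the first lines of a file for an SPDX-License-Identifier tag or a well-known license notice and reports what an SBOM generator should emit for LicenseInfoInFile and FileCopyrightText. The sample inputs are constructed (the first reproduces the lists.erl header quoted above), and the notice table, regexes and function names are assumptions of the example.

```python
"""Heuristic per-file license detection from source headers (added example)."""
import re

# Constructed sample 1: the header of lib/stdlib/src/lists.erl as quoted in the issue.
ERLANG_HEADER = """\
%%
%% %CopyrightBegin%
%%
%% Copyright Ericsson AB 1996-2024. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%%     http://www.apache.org/licenses/LICENSE-2.0
%%
%% %CopyrightEnd%
%%
-module(lists).
"""

# Constructed sample 2: a file carrying only an SPDX short-form tag.
TAGGED_HEADER = """\
// SPDX-License-Identifier: MIT
// Copyright (c) 2024 Example Org
int main(void) { return 0; }
"""

# Constructed sample 3: no license information at all.
BARE_FILE = "-module(pool).\n-export([start/0]).\n"

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-() ]+?)\s*$")
COPYRIGHT = re.compile(r"\bCopyright\s+(?:\(c\)\s*)?(\S.*)$", re.I)

# Prose notices mapped to SPDX identifiers. This table is an assumption of the
# example; a real scanner would match against a full license-text corpus.
NOTICE_PATTERNS = [
    (re.compile(r"licensed under the apache license,?\s*version 2\.0", re.I), "Apache-2.0"),
    (re.compile(r"permission is hereby granted, free of charge", re.I), "MIT"),
    (re.compile(r"mozilla public license,?\s*v(?:ersion)?\.?\s*2\.0", re.I), "MPL-2.0"),
]

# Leading comment markers for Erlang (%), shell (#), C (// and /* */), SQL (--), Lisp (;).
COMMENT_MARKER = re.compile(r"^\s*(?:%+|#+|//|/\*+|\*+/?|--+|;+)\s?")


def strip_comment(line: str) -> str:
    """Remove one leading comment marker so notices can be matched as plain text."""
    return COMMENT_MARKER.sub("", line, count=1).strip()


def detect_license(text: str, max_lines: int = 60) -> dict:
    """Return SPDX file fields derived from the first max_lines of text."""
    lines = [strip_comment(line) for line in text.splitlines()[:max_lines]]

    copyright_text = "NOASSERTION"
    for line in lines:
        m = COPYRIGHT.search(line)
        if m:
            copyright_text = m.group(1).strip()
            break

    # 1. An explicit SPDX tag is authoritative.
    for line in lines:
        m = SPDX_TAG.search(line)
        if m:
            return {"LicenseInfoInFile": m.group(1), "FileCopyrightText": copyright_text, "source": "spdx-tag"}

    # 2. Fall back to prose notices; join lines because notices wrap across comment lines.
    joined = " ".join(lines)
    for pattern, spdx_id in NOTICE_PATTERNS:
        if pattern.search(joined):
            return {"LicenseInfoInFile": spdx_id, "FileCopyrightText": copyright_text, "source": "notice"}

    # 3. Nothing found: SPDX says NONE for the file, NOASSERTION for copyright.
    return {"LicenseInfoInFile": "NONE", "FileCopyrightText": copyright_text, "source": None}


if __name__ == "__main__":
    for name, sample in [("lists.erl", ERLANG_HEADER), ("tagged.c", TAGGED_HEADER), ("pool.erl", BARE_FILE)]:
        print(name, detect_license(sample))
```

For the quoted lists.erl header this yields LicenseInfoInFile: Apache-2.0 and FileCopyrightText: Ericsson AB 1996-2024. All Rights Reserved., which is the pair of fields a correct SBOM entry for that file would carry; the bare file is the only case where NONE is the right answer. Treating the SPDX tag as authoritative and the prose notice as a fallback is the usual ordering, since the tag is unambiguous while prose notices need a curated pattern table.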