feat: decrease min license detection confidence to 0.85 (#80)

* decrease min license detection confidence to 0.85

also log a debug message when the "best" license match doesn't meet this threshold

Signed-off-by: nscuro <[email protected]>

* regenerate example sboms

Signed-off-by: nscuro <[email protected]>

* update changelog

Signed-off-by: nscuro <[email protected]>

CHANGELOG.md

@@ -15,7 +15,9 @@
 * Use [license evidence](https://cyclonedx.org/news/cyclonedx-v1.3-released/#copyright-and-license-evidence) for detected licenses ([#40](https:/CycloneDX/cyclonedx-gomod/issues/40) via [#49](https:/CycloneDX/cyclonedx-gomod/pull/49))
 * Build with and test against Go 1.17 (via [#54](https:/CycloneDX/cyclonedx-gomod/pull/54))
 * Introduce improved logging (via [#46](https:/CycloneDX/cyclonedx-gomod/pull/46))
-* Add indication for which application the SBOM was generated for ([#67](https:/CycloneDX/cyclonedx-gomod/pull/67) via [#71](https:/CycloneDX/cyclonedx-gomod/pull/71))
+* Add indication for which application the SBOM was generated for ([#67](https:/CycloneDX/cyclonedx-gomod/issues/67) via [#71](https:/CycloneDX/cyclonedx-gomod/pull/71))
+* Slightly reduce threshold for license detection confidence, and log a debug message if this threshold isn't met ([#79](https:/CycloneDX/cyclonedx-gomod/issues/79) via [#80](https:/CycloneDX/cyclonedx-gomod/pull/80))
+ * Thanks [TheDiveO](https:/TheDiveO) for reporting!
 
 ### Fixes
 

examples/app_minikube-v1.23.1.bom.json

@@ -1,35 +1,35 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
- "serialNumber": "urn:uuid:9a4f199c-bff6-4fa1-a34d-4b7586617568",
+ "serialNumber": "urn:uuid:698aca07-202b-42d2-9e3d-7d0abe9fe7fa",
  "version": 1,
  "metadata": {
- "timestamp": "2021-09-29T18:02:11Z",
+ "timestamp": "2021-09-30T07:52:43Z",
  "tools": [
  {
  "vendor": "CycloneDX",
  "name": "cyclonedx-gomod",
- "version": "v0.0.0-20210929195822-2add6b416eb9",
+ "version": "v0.0.0-20210930095151-e031937c7ae0",
  "hashes": [
  {
  "alg": "MD5",
- "content": "b6ccbe5ff272355fed1803c4c17ff161"
+ "content": "cb71e9cbfe0407c554e9e892dd4266e5"
  },
  {
  "alg": "SHA-1",
- "content": "2232bdbfd4ef618303a59c9d42f81ccfd2fa4e8a"
+ "content": "e4c32a430cfc8e9d8618351e723e9ccc8bd3e5da"
  },
  {
  "alg": "SHA-256",
- "content": "69f0bce5fd9cdae1e3bd65b6abddd5bc966d4842dd69e33e8433783ee069c23c"
+ "content": "3c485ca91d6e61ffbb410993d0305868f2dfda861da5d6b80377f5ae9f2608f2"
  },
  {
  "alg": "SHA-384",
- "content": "a310e367777f74d68b822c78f3d6a72aa888daae18d967be614f666a7b5916c9d1c86dbda0adc91f3c92309ddb5489d4"
+ "content": "733a3ddbe8727d0ff4d1c4b0dd0a055151f5c2fd79fbcd46abcc6fb0e085f2af7e5daef5189f2031460da79182ee9920"
  },
  {
  "alg": "SHA-512",
- "content": "8924da342ab6da849631f2f5eb875b40eb62c54a6573e37e31e5ed5ac0f1f576d6eb266038695fec6514fe8973cc980ef7d8d7fb1ea5488fe7ec98a6ed848553"
+ "content": "9a822588ce991e978c1ac8f928028f24917b27540493495450a770dc913935c03eb9bdbc4bf3e78706fb66d01795255bab5b57531dfd8b7b7581dc82af55412d"
  }
  ]
  }
@@ -418,7 +418,16 @@
  "url": "https:/alonyb/spinner",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/cenkalti/backoff/[email protected]",
@@ -438,7 +447,16 @@
  "url": "https:/cenkalti/backoff",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "MIT"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/cheggaaa/pb/[email protected]",
@@ -835,7 +853,16 @@
  "url": "https:/fatih/color",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "MIT"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/fsnotify/[email protected]",
@@ -1232,7 +1259,16 @@
  "url": "https:/gookit/color",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "MIT"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/hashicorp/[email protected]",
@@ -2347,7 +2383,16 @@
  "url": "https:/pelletier/go-toml",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/phayes/[email protected]",
@@ -2628,7 +2673,16 @@
  "url": "https:/spf13/afero",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/spf13/[email protected]",
@@ -2677,7 +2731,16 @@
  "url": "https:/spf13/cobra",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/spf13/[email protected]",

examples/bin_minikube-v1.23.1.bom.json

@@ -1,35 +1,35 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
- "serialNumber": "urn:uuid:2eadc368-815b-420c-8886-f9ad4730fdc7",
+ "serialNumber": "urn:uuid:2601795f-2c11-4d9f-a14f-25bfd6d1ddd6",
  "version": 1,
  "metadata": {
- "timestamp": "2021-09-29T18:02:39Z",
+ "timestamp": "2021-09-30T07:53:17Z",
  "tools": [
  {
  "vendor": "CycloneDX",
  "name": "cyclonedx-gomod",
- "version": "v0.0.0-20210929195822-2add6b416eb9",
+ "version": "v0.0.0-20210930095151-e031937c7ae0",
  "hashes": [
  {
  "alg": "MD5",
- "content": "b6ccbe5ff272355fed1803c4c17ff161"
+ "content": "cb71e9cbfe0407c554e9e892dd4266e5"
  },
  {
  "alg": "SHA-1",
- "content": "2232bdbfd4ef618303a59c9d42f81ccfd2fa4e8a"
+ "content": "e4c32a430cfc8e9d8618351e723e9ccc8bd3e5da"
  },
  {
  "alg": "SHA-256",
- "content": "69f0bce5fd9cdae1e3bd65b6abddd5bc966d4842dd69e33e8433783ee069c23c"
+ "content": "3c485ca91d6e61ffbb410993d0305868f2dfda861da5d6b80377f5ae9f2608f2"
  },
  {
  "alg": "SHA-384",
- "content": "a310e367777f74d68b822c78f3d6a72aa888daae18d967be614f666a7b5916c9d1c86dbda0adc91f3c92309ddb5489d4"
+ "content": "733a3ddbe8727d0ff4d1c4b0dd0a055151f5c2fd79fbcd46abcc6fb0e085f2af7e5daef5189f2031460da79182ee9920"
  },
  {
  "alg": "SHA-512",
- "content": "8924da342ab6da849631f2f5eb875b40eb62c54a6573e37e31e5ed5ac0f1f576d6eb266038695fec6514fe8973cc980ef7d8d7fb1ea5488fe7ec98a6ed848553"
+ "content": "9a822588ce991e978c1ac8f928028f24917b27540493495450a770dc913935c03eb9bdbc4bf3e78706fb66d01795255bab5b57531dfd8b7b7581dc82af55412d"
  }
  ]
  }
@@ -426,7 +426,16 @@
  "url": "https:/alonyb/spinner",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/cenkalti/backoff/[email protected]",
@@ -446,7 +455,16 @@
  "url": "https:/cenkalti/backoff",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "MIT"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/cheggaaa/pb/[email protected]",
@@ -843,7 +861,16 @@
  "url": "https:/fatih/color",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "MIT"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/fsnotify/[email protected]",
@@ -1240,7 +1267,16 @@
  "url": "https:/gookit/color",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "MIT"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/hashicorp/[email protected]",
@@ -2355,7 +2391,16 @@
  "url": "https:/pelletier/go-toml",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/phayes/[email protected]",
@@ -2636,7 +2681,16 @@
  "url": "https:/spf13/afero",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/spf13/[email protected]",
@@ -2685,7 +2739,16 @@
  "url": "https:/spf13/cobra",
  "type": "vcs"
  }
- ]
+ ],
+ "evidence": {
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ }
  },
  {
  "bom-ref": "pkg:golang/github.com/spf13/[email protected]",