
license determination fails for dependency with version-embedding package import path #79

Closed
thediveo opened this issue Sep 29, 2021 · 2 comments

thediveo commented Sep 29, 2021

Using the beta 2 of cyclonedx-gomod on my public lxkns Github project seems to show a problem with license determination when the package import path contains version information. Of course, I might be mistaken here and this might not be a problem of cyclonedx-gomod but instead of the license checking dependency.

When running `cyclonedx-gomod app -json -output ../lxkns-bom.json -main cmd/lxkns/ -licenses -std -verbose .` on the checked-out lxkns repository, the BOM entry for cenkalti's backoff module catches my eye:

```json
{
  "bom-ref": "pkg:golang/github.com/cenkalti/backoff/v4@v4.1.1",
  "type": "library",
  "name": "github.com/cenkalti/backoff/v4",
  "version": "v4.1.1",
  "scope": "required",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "1b61c07c09af9bf19c29a9f6a0e42905739ddad4f61b9ed99d91966b53f13c14"
    }
  ],
  "purl": "pkg:golang/github.com/cenkalti/backoff/v4@v4.1.1",
  "externalReferences": [
    {
      "url": "https:/cenkalti/backoff",
      "type": "vcs"
    }
  ]
},
```

A check with the repository shows a LICENSE file for branch v4: MIT license.

Is this just a detection problem or instead a versioned import path issue?

nscuro (Member) commented Sep 30, 2021

Versions being part of the import path is indeed not an issue.

It's that go-license-detector reports the MIT license for `github.com/cenkalti/backoff/v4` with a confidence of 0.86. cyclonedx-gomod has set the minimum confidence to 0.9; detections below that will be discarded. Basically, if we aren't super sure about the license, we don't include it at all.

I reduced the threshold to 0.85 and tested against a few other large projects. There are quite a few correct detections in the 0.85-0.9 range that we'd miss with a threshold of 0.9. I'll keep this change.

I also added a log message in DEBUG level which now indicates when the "best" detection candidate doesn't meet the threshold of 0.85, for example:

```
DBG detection confidence for license is too low confidence=0.8474458 license=LGPL-3.0-only minConfidence=0.85 module=github.com/juju/[email protected]
WRN no license detected module=github.com/juju/[email protected]
```

I'm not pushing a new release for this, but if you want, you can try it with

```
$ go install github.com/CycloneDX/cyclonedx-gomod@main
```
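The selection rule described in the comment above (take the best-scoring detection, keep it only if it reaches the minimum confidence, otherwise log why the module ends up without a license) can be illustrated with a small stand-alone program. This is an added example, not cyclonedx-gomod's or go-license-detector's own code: the `Candidate` type, `SelectLicense` function and the sample confidences are constructed for this illustration, and the only values taken from the thread are the 0.85/0.9 thresholds and the 0.86 MIT detection for `github.com/cenkalti/backoff/v4`.

```go
package main

import (
	"fmt"
	"log"
	"sort"
)

// Candidate is one license match as a detector would report it: an SPDX
// identifier plus a confidence in [0, 1]. (Constructed type for this example.)
type Candidate struct {
	License    string
	Confidence float64
}

// DefaultMinConfidence is the threshold the maintainer settled on in the issue.
const DefaultMinConfidence = 0.85

// SelectLicense returns the highest-confidence candidate and true if that
// candidate meets minConfidence; otherwise it returns "" and false. When the
// best candidate falls short, the rejection is logged at debug level so that a
// missing license in the BOM can be explained rather than silently dropped.
func SelectLicense(module string, candidates []Candidate, minConfidence float64) (string, bool) {
	if len(candidates) == 0 {
		log.Printf("WRN no license detected module=%s", module)
		return "", false
	}
	// Sort a copy so the caller's slice is left untouched.
	sorted := make([]Candidate, len(candidates))
	copy(sorted, candidates)
	sort.SliceStable(sorted, func(i, j int) bool {
		return sorted[i].Confidence > sorted[j].Confidence
	})
	best := sorted[0]
	if best.Confidence < minConfidence {
		log.Printf("DBG detection confidence for license is too low confidence=%g license=%s minConfidence=%g module=%s",
			best.Confidence, best.License, minConfidence, module)
		log.Printf("WRN no license detected module=%s", module)
		return "", false
	}
	return best.License, true
}

func main() {
	// Constructed sample detections. The MIT/0.86 pair is the case from the
	// issue; the second module and its scores are made up for this example.
	modules := map[string][]Candidate{
		"github.com/cenkalti/backoff/v4@v4.1.1": {
			{License: "MIT", Confidence: 0.86},
			{License: "ISC", Confidence: 0.71},
		},
		"example.invalid/[email protected]": {
			{License: "LGPL-3.0-only", Confidence: 0.8474458},
			{License: "GPL-3.0-only", Confidence: 0.80},
		},
	}
	// Run the same detections through the old (0.9) and new (0.85) thresholds
	// to see which licenses would make it into the BOM.
	for _, th := range []float64{0.9, DefaultMinConfidence} {
		for mod, cands := range modules {
			lic, ok := SelectLicense(mod, cands, th)
			fmt.Printf("threshold=%.2f module=%s license=%q included=%v\n", th, mod, lic, ok)
		}
	}
}
```

With the 0.9 threshold the MIT detection at 0.86 is discarded and the BOM entry carries no license, which is exactly the symptom reported above; at 0.85 it is kept, while the constructed 0.847 candidate is still rejected and logged.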

nscuro (Member) commented Sep 30, 2021

@thediveo The change has been released with v1.0.0. Feel free to reopen this issue or raise another one if you run into similar problems. Thanks for your help!

nscuro closed this as completed Sep 30, 2021