
Fossa cannot detect some of the licenses in META-INF directory

Open ShengYanMei opened this issue 3 years ago • 4 comments

About the binary-discovery doc: I'm using enable binary discovery to find the license inside aar files. The aar file's META-INF structure is as shown below: we have pom.xml in the maven directory, and the license in the root of META-INF. [image] I have several such aar files, but the weird thing is, some of the aar licenses are detected as I expect, while some others aren't. Debug log attached here for analysis: fossa.debug.json.gz. Ping me if you have an update on this. I'm using fossa v3.0.16.

ShengYanMei avatar Mar 10 '22 10:03 ShengYanMei

Also tried with the latest version 3.1.3; it still fails to detect the license from some specific aar files.

ShengYanMei avatar Mar 10 '22 10:03 ShengYanMei

Hi @ShengYanMei,

For the --experimental-enable-binary-discovery flag, when fossa encounters a .jar or .aar file, we first unarchive it and try to analyze it in the following order:

1) Analyze pom.xml under the META-INF directory

From the pom.xml we read:

  • project.groupId and project.artifactId are combined to make the dependency description.
  • project.version is used for the dependency version.
  • Entries in project.licenses are extracted for their name field, which are concatenated and used as the dependency license.

2) We try to read MANIFEST.MF under META-INF

From that file we read:

  • Bundle-SymbolicName, if present, is used for the dependency description. If Bundle-SymbolicName is not present, we fall back to Implementation-Title.
  • Implementation-Version is used for the dependency version.

Notably, we do not read declared licence files such as LICENCE.txt, LICENCE, MIT.txt, etc. within the .jar or .aar file; we look for the declared licence in project.licenses per the POM specification.


I see that you are also already using the vendor-dependencies functionality.

If you want to analyze a .jar/.aar file with a declared licence file (as opposed to analyzing only the licence name declared in the pom file), I recommend that you use vendor-dependencies as a workaround for now.


I have added this as a feature request on our internal ticket board; we do plan to release native CLI licence scanning in the coming months.

meghfossa avatar Mar 13 '22 17:03 meghfossa
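Added example (my own code, not fossa-cli's and not part of this thread): a small Python script that applies the read order described in the reply above to an .aar, so you can check which of the listed fields a given archive actually carries before running fossa on it. It looks for any pom.xml under META-INF first (groupId:artifactId, version, and the concatenated license name fields), and only falls back to META-INF/MANIFEST.MF (Bundle-SymbolicName, else Implementation-Title, plus Implementation-Version) when no usable pom is found. The two sample archives, the com.example coordinates and the rule that a pom without an artifactId is skipped are constructed assumptions; to inspect a real artifact, pass the file's bytes to analyze_archive instead of the constructed archive.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Maven POMs normally declare this default namespace; hand-written ones may omit it.
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def _child(elem: ET.Element, tag: str) -> Optional[ET.Element]:
    """Find a direct child by tag, with or without the POM namespace."""
    found = elem.find(f"{POM_NS}{tag}")
    return found if found is not None else elem.find(tag)


def _text(elem: Optional[ET.Element]) -> str:
    return (elem.text or "").strip() if elem is not None else ""


def parse_pom(pom_bytes: bytes) -> Optional[Dict[str, str]]:
    """Extract the fields listed in the reply: groupId:artifactId as the description,
    the version, and the joined <name> of each <license>. A <license> entry that
    carries only a <url> contributes no name. A pom without an artifactId is
    treated as unusable (assumption for this example)."""
    root = ET.fromstring(pom_bytes)
    artifact = _text(_child(root, "artifactId"))
    if not artifact:
        return None
    names: List[str] = []
    licenses = _child(root, "licenses")
    if licenses is not None:
        for lic in licenses:
            name = _text(_child(lic, "name"))
            if name:
                names.append(name)
    return {
        "description": f"{_text(_child(root, 'groupId'))}:{artifact}",
        "version": _text(_child(root, "version")),
        "license": ", ".join(names),
    }


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse MANIFEST.MF 'Key: value' headers; a line starting with one space
    continues the previous value (the jar spec wraps long lines that way)."""
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            headers[last] = value.strip()
    return headers


def analyze_archive(archive_bytes: bytes) -> Optional[Dict[str, str]]:
    """Mirror the stated order: any META-INF/**/pom.xml first, then MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
        for name in sorted(names):
            if name.startswith("META-INF/") and name.endswith("/pom.xml"):
                result = parse_pom(zf.read(name))
                if result is not None:
                    result["source"] = name
                    return result
        if "META-INF/MANIFEST.MF" in names:
            h = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            description = h.get("Bundle-SymbolicName") or h.get("Implementation-Title")
            if description:
                return {
                    "description": description,
                    "version": h.get("Implementation-Version", ""),
                    "license": "",  # the manifest carries no licence name in this scheme
                    "source": "META-INF/MANIFEST.MF",
                }
    return None


# Constructed sample content (not real artifacts).
SAMPLE_POM = b"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-lib</artifactId>
  <version>1.2.3</version>
  <licenses>
    <license><name>Apache License 2.0</name><url>https://www.apache.org/licenses/LICENSE-2.0</url></license>
    <license><url>https://example.invalid/licence-given-only-as-a-url</url></license>
  </licenses>
</project>
"""

SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\nBundle-SymbolicName: com.example.demo\r\n"
    "Implementation-Title: Demo Library\r\nImplementation-Version: 4.5.6\r\n"
)


def build_sample_aar(with_pom: bool) -> bytes:
    """Build an in-memory .aar (a zip) with a MANIFEST.MF and, optionally, a Maven pom.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        zf.writestr("classes.jar", b"")
        if with_pom:
            zf.writestr("META-INF/maven/com.example/demo-lib/pom.xml", SAMPLE_POM)
    return buf.getvalue()


if __name__ == "__main__":
    for with_pom in (True, False):
        print(analyze_archive(build_sample_aar(with_pom)))
```

Running it prints one record per sample: the pom-backed archive yields the groupId:artifactId, version and only the named licence (the url-only entry is silently dropped, which is consistent with the reply saying that the name field is what gets read), while the manifest-only archive yields a description and version but an empty licence.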

@meghfossa - First, thanks for your reply. And regarding your suggestions:

  1. Fossa's scan policy for pom.xml and MANIFEST.MF: I checked the fossa doc, so I know that if I have a pom, then MANIFEST.MF is not that necessary, so I build with the pom only.
  2. The project.licenses tag I've tried; does it work for license web links only?
  3. Yes, I'm using vendor dependencies, and hopefully fossa could detect the android-sdk license in the vendor dependency, but fossa doesn't; that's my question. So is the android-sdk license detectable for fossa?

ShengYanMei avatar Mar 14 '22 02:03 ShengYanMei

Hi @ShengYanMei, I have a few follow-up questions.

> So is android-sdk license detectable for fossa?

Yes, the android-sdk license is detectable by fossa.

> it works for license web link only?

Can you share what this URL looks like? I suspect this is the issue we are running into. I don't think we support URLs here just yet.

zlav avatar May 20 '22 19:05 zlav