
False positive: Extra licenses detected for CKEditor 5 (augmentation.d.ts)

Open · JustinWonjaePark opened this issue 2 months ago · 1 comment

Description

When scanning the package @ckeditor/[email protected] using ScanCode Toolkit, the file package/dist/augmentation.d.ts is detected with the following license expression:

(gpl-2.0-plus AND (gpl-2.0-plus OR lgpl-2.1-plus OR mpl-1.1)) OR commercial-license

This detection is triggered by https://github.com/aboutcode-org/scancode-toolkit/blob/develop/src/licensedcode/data/rules/gpl-2.0-plus_and_gpl-2.0-plus_or_lgpl-2.1-plus_or_mpl-1.1_or_commercial-license_1.RULE, which matches the text:

'For licensing, see LICENSE.md or https://ckeditor.com/legal/ckeditor-oss-license'

However, the linked URL currently describes licensing terms for CKEditor 4 and CKEditor 5. CKEditor 4 includes MPL-1.1 and other licenses. For CKEditor 5 (including version 43.0.0), the license is GPL-2.0-plus, so the detection result is incorrect and includes unnecessary licenses (e.g., MPL-1.1, LGPL-2.1-plus).

How To Reproduce

npm pack @ckeditor/[email protected]
tar -xvf ckeditor-ckeditor5-special-characters-43.0.0.tgz
scancode --license --json-pp scancode.json package

Check the scancode.json output for package/dist/augmentation.d.ts and note the license expression.

System configuration

OS: macOS 15.6.1 (x86_64)
ScanCode Toolkit version: 32.4.1
Installation method: pip

JustinWonjaePark · Oct 14 '25 01:10

Thank you for the detailed bug report! You've identified a legitimate issue with the ScanCode license detection for CKEditor 5 packages.

Confirming the Issue

You're absolutely correct that the detection rule is producing an overly broad license expression. The rule gpl-2.0-plus_and_gpl-2.0-plus_or_lgpl-2.1-plus_or_mpl-1.1_or_commercial-license_1.RULE was designed to handle the historical tri-license model that CKEditor 4 used (GPL/LGPL/MPL), but CKEditor 5 has always used a simpler dual-license model: GPL-2.0-or-later OR commercial.

The inclusion of lgpl-2.1-plus and mpl-1.1 in the detection for CKEditor 5 packages is indeed incorrect.

Workaround

Until ScanCode updates the rule, you can manually correct the license expression in your scan results to:

(gpl-2.0-plus) OR commercial-license

Verification

You can verify the correct license in the package:

  • Check `package.json`: should show `"license": "GPL-2.0-or-later"`
  • Review the actual `LICENSE.md` in the package
  • Reference: https://ckeditor.com/docs/ckeditor5/latest/support/license-and-legal.html

Thanks for taking the time to document this issue so thoroughly!

karthiknew07 · Oct 15 '25 08:10
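To apply the workaround and verification above at scale rather than by hand, the following added script (not part of this thread or of scancode-toolkit) walks a scancode JSON result, flags every file where the rule named in the issue contributed to the detection, and pairs the over-broad expression with the corrected one and with the license declared in package.json. It assumes the scancode 32.x JSON layout files[].license_detections[].matches[].rule_identifier, a small SPDX-to-scancode-key mapping, and a constructed sample scan embedded inline.

```python
import json

# Rule named in the issue; it fires on the one-line notice
# "For licensing, see LICENSE.md or https://ckeditor.com/legal/ckeditor-oss-license".
SUSPECT_RULE = ("gpl-2.0-plus_and_gpl-2.0-plus_or_lgpl-2.1-plus_or_mpl-1.1"
                "_or_commercial-license_1.RULE")
# Expression both participants agree is correct for CKEditor 5 files.
CORRECTED = "gpl-2.0-plus OR commercial-license"
# SPDX id as written in package.json -> scancode license key (assumed mapping).
SPDX_TO_KEY = {"GPL-2.0-or-later": "gpl-2.0-plus"}

def suspect_files(scan):
    """Yield (path, detected_license_expression) for each scanned file where
    SUSPECT_RULE contributed to the detection. Assumes the scancode 32.x JSON
    layout files[].license_detections[].matches[].rule_identifier."""
    for entry in scan.get("files", []):
        rules = {m.get("rule_identifier")
                 for det in entry.get("license_detections", [])
                 for m in det.get("matches", [])}
        if SUSPECT_RULE in rules:
            yield entry["path"], entry.get("detected_license_expression")

def review_report(scan, declared_spdx):
    """One review item per suspect file: the expression scancode produced, the
    expression to record instead, and whether the license declared in
    package.json is one of the choices in the corrected expression."""
    key = SPDX_TO_KEY.get(declared_spdx)
    declared_ok = key is not None and key in CORRECTED.split(" OR ")
    return [{"path": path, "detected": detected, "corrected": CORRECTED,
             "declared_in_corrected": declared_ok}
            for path, detected in suspect_files(scan)]

# Constructed sample shaped like scancode --license --json-pp output (not a real scan).
SAMPLE_SCAN = json.loads("""{"files": [
  {"path": "package/dist/augmentation.d.ts",
   "detected_license_expression":
     "(gpl-2.0-plus AND (gpl-2.0-plus OR lgpl-2.1-plus OR mpl-1.1)) OR commercial-license",
   "license_detections": [{"matches": [{"rule_identifier": "%s", "start_line": 2}]}]},
  {"path": "package/dist/index.js",
   "detected_license_expression": "gpl-2.0-plus",
   "license_detections": [{"matches": [{"rule_identifier": "constructed-other.RULE",
                                        "start_line": 1}]}]}
]}""" % SUSPECT_RULE)

if __name__ == "__main__":
    # Print the review items for the constructed sample; feed a real scancode.json
    # through json.load() in place of SAMPLE_SCAN for an actual package.
    for item in review_report(SAMPLE_SCAN, "GPL-2.0-or-later"):
        print(json.dumps(item, indent=2))
```

Only files where this specific rule fired are reported, so unrelated detections in the same scan are left untouched for normal review.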