Allow policies by license expression
gpl-2.0 WITH oracle-openjdk-classpath-exception-2.0 is reported as a warning if gpl-2.0 is set to report a warning. In such a case I would like to set a policy to state that gpl-2.0 WITH oracle-openjdk-classpath-exception-2.0 is OK and not a warning, and I am not sure I can do this.
Both the policy file and the database implementation of the feature are based on license key at the moment.
We will have to rethink those implementations to support license expression:
- Policy file:

```yaml
- license_key: mpl-2.0
  label: Restricted License
  compliance_alert: warning
```

- Policy in the CodebaseResource model:

```python
for license_data in codebase_resource.licenses:
    key = license_data.get("key")
    license_data["policy"] = policies_index.get(key, None)
```
How should policies by license expression work? Should they be defined in a different manner in policies.yaml? Example:

```yaml
license_expression_policies:
  - license_expr: bsd-simplified AND gpl-2.0
    label: Restricted License
    compliance_alert: warning
```

and then be matched 1:1?
In the case of going for a perfect 1:1, one would have to define both bsd-simplified AND gpl-2.0 and gpl-2.0 AND bsd-simplified in the policies file.
This could get messy for expressions with 3 or more license keys.
The current implementation is based on the compliance_alert and is computed from each license key's policy in the code.
In your example bsd-simplified AND gpl-2.0, let's assume the following policies:
```yaml
- license_key: bsd-simplified
  compliance_alert: ok
- license_key: gpl-2.0
  compliance_alert: error
```
The code will compute ok AND error and return error for the current resource/package, see https://github.com/nexB/scancode.io/blob/main/scanpipe/models.py#L1065 and https://github.com/nexB/scancode.io/blob/main/scanpipe/models.py#L1085 for more on that logic.
@pombredanne what's your take on the expression support in policies file, outside of WITH exceptions?
Sorry for not being clear: by 1:1 matching I meant https://github.com/nexB/license-expression/blob/master/src/license_expression/init.py#L213 Yet it would mean that for each CodeBaseResource.license_expression we would iterate through all expression policies to compare them...
From what I've checked there is no nice way to normalize license_expressions so we could compare them 1:1, but I might be wrong?
Do I understand the initial issue content correctly? If we find a single license_expression_policy to be equivalent to a license_expression, should the alerts for the single licenses be cleared?
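To make the two approaches discussed in this thread concrete, here is a small self-contained sketch added as an illustration; it is not code from scancode.io or from the license-expression library. It parses a simplified AND/OR/WITH grammar, normalizes an expression so that commutative rewrites such as `bsd-simplified AND gpl-2.0` and `gpl-2.0 AND bsd-simplified` compare equal (the 1:1 match without listing every ordering), computes the per-key combination the thread describes (`ok AND error` gives `error`), and lets an expression-level policy that matches the normalized form take precedence, which is the "clear the single-license alerts" idea. The policy tables, the `Parser`/`normalize`/`resolve_alert` names, the grammar, and the choice to skip keys that have no policy are all assumptions made here.

```python
import re

SEVERITY = {"ok": 0, "warning": 1, "error": 2}  # most severe wins when alerts are combined
# Constructed per-license-key policies, in the spirit of policies.yaml.
KEY_POLICIES = {"bsd-simplified": "ok", "gpl-2.0": "error", "mpl-2.0": "warning"}
# Constructed expression-level policies, matched on their normalized form so the
# operand order written in the policy file does not matter.
EXPRESSION_POLICIES = {
    "gpl-2.0 WITH oracle-openjdk-classpath-exception-2.0": "ok",
    "gpl-2.0 AND bsd-simplified": "warning",
}
OPERATORS = ("AND", "OR", "WITH")
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

def tokenize(expression):
    """Parentheses, upper-cased operators and lower-cased license keys."""
    return [t.upper() if t.upper() in OPERATORS else t.lower()
            for t in TOKEN_RE.findall(expression)]

class Parser:
    """Recursive descent; binding strength WITH > AND > OR. Nodes are a key
    string, ("WITH", lic, exc), ("AND", [...]) or ("OR", [...]). Assumed grammar."""
    def __init__(self, expression):
        self.tokens, self.pos = tokenize(expression), 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        self.pos += 1
        return self.tokens[self.pos - 1] if self.pos <= len(self.tokens) else None
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def parse_or(self):
        return self.chain("OR", lambda: self.chain("AND", self.parse_with))
    def chain(self, op, parse_operand):
        operands = [parse_operand()]
        while self.peek() == op:
            self.take()
            operands.append(parse_operand())
        return operands[0] if len(operands) == 1 else (op, operands)
    def parse_with(self):
        node = self.parse_atom()
        if self.peek() == "WITH":
            self.take()
            node = ("WITH", node, self.parse_atom())
        return node
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in OPERATORS or tok == ")":
            raise ValueError(f"expected a license key, got {tok!r}")
        return tok

def _operands(op, node):
    """Operands of nested same-operator nodes, flattened: a AND (b AND c) -> a, b, c."""
    if isinstance(node, tuple) and node[0] == op:
        return [x for child in node[1] for x in _operands(op, child)]
    return [node]

def normalize(node):
    """Canonical text: flattened, deduplicated, sorted operands, so commutative rewrites compare equal."""
    if isinstance(node, str):
        return node
    op = node[0]
    if op == "WITH":
        return f"{normalize(node[1])} WITH {normalize(node[2])}"
    parts = set()
    for child in _operands(op, node):
        text = normalize(child)
        # Only an OR nested inside an AND needs parentheses to keep its meaning.
        needs_parens = op == "AND" and isinstance(child, tuple) and child[0] == "OR"
        parts.add(f"({text})" if needs_parens else text)
    return f" {op} ".join(sorted(parts))

def license_keys(node):
    """Every license and exception key in the tree, in order of appearance."""
    if isinstance(node, str):
        return [node]
    children = node[1:] if node[0] == "WITH" else node[1]
    return [k for child in children for k in license_keys(child)]

def combine_key_alerts(node, key_policies=KEY_POLICIES):
    """Per-key computation as described in the thread: the most severe alert wins
    (ok AND error -> error). Skipping keys without a policy is an assumption made here."""
    alerts = [key_policies[k] for k in license_keys(node) if k in key_policies]
    return max(alerts, key=SEVERITY.__getitem__) if alerts else None

def resolve_alert(expression, key_policies=KEY_POLICIES, expression_policies=EXPRESSION_POLICIES):
    """An exact match on the normalized expression clears the per-key alerts;
    otherwise fall back to combining them. A real implementation would build the index once."""
    index = {normalize(Parser(e).parse()): a for e, a in expression_policies.items()}
    tree = Parser(expression).parse()
    canonical = normalize(tree)
    return index[canonical] if canonical in index else combine_key_alerts(tree, key_policies)
```

With these constructed tables, `resolve_alert("gpl-2.0 WITH oracle-openjdk-classpath-exception-2.0")` returns `ok` because the expression policy wins over the `error` that the per-key path would produce for gpl-2.0, and `resolve_alert("bsd-simplified AND gpl-2.0")` finds the policy written as `gpl-2.0 AND bsd-simplified` because both normalize to the same string. Normalizing the policy table once and looking up the resource's normalized expression keeps the check at one dictionary lookup per resource instead of iterating over every expression policy.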