Check-Licenses script can miss some incompatible dependencies #38461
Comments
mchowning
changed the title
gziolo
added
Good First Issue
|
Digging into the relevant code a bit, first up, there is (rightfully) a stern warning in the file: Would love to understand the approval process for this specific file. I think some goals for a fix, in priority order, should be:
What does a license file mean if it has more than one license in it? I don't know of a standard answer to this. There's usually descriptive text explaining why there are multiple licenses. Sometimes the code is dual licensed (i.e., "You may use this software under any of the following..."). Sometimes portions of the code are licensed with a compatible license (Apache licensed, with embedded MIT code), which is the case with the code at issue here. Sometimes specific submodules have different licenses. This may be intractable. Some investigation is required to understand if that's an actual issue. With that in mind, a proposal: If treat all licenses found in a license file as a conjunctive list ("AND"), then any license in the file which is incompatible would result in a rejection. Provided there are no implementation bugs, this would satisfy goals 1 and 3, but potentially fail with 2. This can be tested post-implementation. Any implementation bugs have the potential to fail to meet any of the goals, hence the need for strong review, tests, etc. |
Conjuctive licenses were being ignored in both the `package.json` and within various LICENSE files. In the first case, this could lead to false negatives $(e.g., 'MIT AND BSD' being treated as non-compatible). In the second case, the implementation was such that only one license was returned (whichever detected license occurred later in `licenseFileStrings`). Based on the ordering of that list, this was likely to cause a false positive, because the non-compatible 'Apache-2.0' license occurs before any of the compatible licenses. Progress on WordPress#38461.
|
Some observations, having done the above implementation:
I'm open to reworking the code to use that library, if the relevant approvers are sufficiently trusting of that library. |
|
@mchowning, can you confirm whether #46801 resolves the issue? It definitely improves a few things and adds unit tests for the revisited implementation. |
* Add support in `check-license` for conjunctive (AND) licenses. Conjuctive licenses were being ignored in both the `package.json` and within various LICENSE files. In the first case, this could lead to false negatives $(e.g., 'MIT AND BSD' being treated as non-compatible). In the second case, the implementation was such that only one license was returned (whichever detected license occurred later in `licenseFileStrings`). Based on the ordering of that list, this was likely to cause a false positive, because the non-compatible 'Apache-2.0' license occurs before any of the compatible licenses. Progress on #38461. * Add unit tests for checkAllCompatible * Update CHANGELOG * Tidy up docblock.
|
I have finally landed #46801. I will close the issue based on the previous comment from @mchowning. Feel free to reopen if you discover that something is still missing. |
By the way, this is what I see with the latest version from
|
Description
The
check-licensesscript has a couple of issues that failed to identify the incompatible license of an Apache-2.0 dependency I recently tried adding.Specifically, I tried to add Shaka-Player version 2.5.23 to the project. The check-licenses script failed due to one of Shaka-Player's dependencies (eme-encryption-scheme-polyfill) having an Apache-2.0 license, but as I dug into this, I realized that Shaka-Player itself also had an Apache-2.0 license, but it wasn't flagged by the script.
I think there are two, somewhat separate issues that allowed Shaka-Player to slip through.
1. If the package.json file specifies an incompatible license, we proceed to look for a compatible license in the license files.
In this case, Shaka-Player's package.json file identified it as having an Apache-2.0 license. Instead of this causing Shaka-Player to be identified as incompatible, the script continued searching for compatible licenses.
2. When searching other license files for a compatible license, we only check if there is a compatible license anywhere in the file
Shaka-Player's license file clearly identifies it as having an Apache-2.0 license. The script, however, checks whether there is any compatible license anywhere in the file, and the license file does have a section at the end identifying that one of its dependencies uses the MIT license:
The license-check script detects this, correctly identifies that MIT is a compatible license, and concludes that Shaka-Player is ok to include.
Is this a problem for our current dependencies?
I don't think so.
I went through and checked for any dependencies with incompatible licenses in their package.json file, and it doesn't look we have any dependencies where we are detecting a compatible license in the license file even though the license identified in the package.json file is incompatible (scenario 1 above).
I also did a check and confirmed we have no dependencies currently where the license file contains an Apache license reference but we're detecting a different license (scenario 2 above). That's certainly not a full-proof check (I only checked for Apache), but it's a pretty good indication that this isn't a major issue.
In light of that, I'm inclined to think of this as a bit of an edge case and probably not a high priority issue.
Step-by-step reproduction instructions
npm installnpm run check-licensesThe text was updated successfully, but these errors were encountered: