Bug: Build report doesn't show the declared licenses #9

Open
joshuawilson opened this issue Jun 8, 2017 · 19 comments

@joshuawilson

From @luebken on June 7, 2017 14:5

In the stack report the dependencies should report the licenses declared by the project.

Associated test-cases:

  • Test-1704E469-02

    • io.vertx/vertx-core/3.4.1 should report Apache 2.0, EPL 1.0
  • Test-1704E469-03

    • io.vertx/vertx-web/3.4.1 should report Apache 2.0, EPL 1.0
  • Test-1704E469-04

    • org.springframework/spring-core/4.3.3.RELEASE should report Apache 2.0

Associated experience:

  • Experience 1704E469 [P0] – License information

Copied from original issue: openshiftio/openshift.io#205

@joshuawilson
Author

This issue was moved to fabric8-ui/fabric8-recommender#241

@jpopelka
Contributor

jpopelka commented Jun 8, 2017

io.vertx/vertx-core/3.4.1 should report Apache 2.0, EPL 1.0

We report ASL 2.0, MITNFA:

  • Apache 2.0 - ASL 2.0 is the correct short name for this license
  • MITNFA - should be removed from the output once Increase OSLC_TRESHOLD a bit #10 is merged
  • EPL 1.0 - is really missing, needs more investigation

io.vertx/vertx-web/3.4.1 should report Apache 2.0, EPL 1.0

We report ASL 2.0:

  • missing EPL 1.0 needs more investigation

org.springframework/spring-core/4.3.3.RELEASE should report Apache 2.0

We report ASL 2.0, LBNL BSD:

@luebken

luebken commented Jun 21, 2017

@jpopelka Is this in production? The last time I tested I got different results: https://docs.google.com/spreadsheets/d/1ULvQzG1YZk1TwU3KaqiMXiD4FBGpmOLO0jqybE6Y7tk/edit#gid=0

@jpopelka
Contributor

@luebken It was for some time, yes.

Now there's the version with the new scanner, but we haven't rescheduled old scans yet, so S3 still contains the old results.

@miteshvp

@luebken - In order to get the results out, we need to re-scan packages for licenses and sync them to the OLTP Graph. Once done, you should see the expected licenses.

@luebken

luebken commented Jun 29, 2017

I just re-ran the test. Test-1704E469-03 and Test-1704E469-04 are fixed. Great!

Currently just Test-1704E469-02 is open.

To close off this issue I would also need some documentation on how we scan. The readme wasn't helpful. What tools are we using? Including upstream link. How are these tools operating?

@jpopelka
Contributor

jpopelka commented Jun 29, 2017

Currently just Test-1704E469-02 is open.

There really is an MIT license file in io.vertx/vertx-core/3.4.1, which is why I've already filed eclipse-vertx/vert.x#2023 upstream.

To close off this issue I would also need some documentation on how we scan. The readme wasn't helpful. What tools are we using? Including upstream link. How are these tools operating?

Where do you think would be the best place for such documentation?
In fabric8-analytics-worker/docs ?

@luebken

luebken commented Jun 29, 2017

There really is an MIT license file in io.vertx/vertx-core/3.4.1, which is why I've already filed eclipse-vertx/vert.x#2023 upstream.

Interesting.

Where do you think would be the best place for such documentation?
In fabric8-analytics-worker/docs ?

I don't have a strong opinion on this as we will be copying that documentation somewhere into the product. I would put it into the readme of this repo.

@jpopelka
Contributor

We also have this document: Currently used data sources and task types in Fabric8-analytics

@msrb
Member

msrb commented Jul 10, 2017

@luebken could you please try rerunning the tests again?

@luebken

luebken commented Jul 10, 2017

@msrb The tests should be part of https://github.com/fabric8io/fabric8-test/. Maybe you can sync with Len on creating & expanding them. I am happy to review them.

@jpopelka
Contributor

@luebken could you please try rerunning the tests again?

They've already been rerun and 2/3 are green now. The one that fails is the case of detected licenses in io.vertx/vertx-core/3.4.1 being different from declared licenses (upstream eclipse-vertx/vert.x#2043).

The tests should be part of https://github.com/fabric8io/fabric8-test/

Looking at the tests they claim to check 'declared license information', while actually checking 'detected license information'.

@msrb
Member

msrb commented Jul 14, 2017

Looking at the tests they claim to check 'declared license information', while actually checking 'detected license information'.

PDD actually specifically talks about declared licenses. Not a word about detected licenses there. So we are probably exposing wrong data via our API.

@luebken

luebken commented Jul 20, 2017

Just re-ran my manual test 'Test-1704E469-02' and it's still open.

$ curl -sH "Authorization: Bearer $OSIO_TOKEN" https://recommender.api.openshift.io/api/v1/component-analyses/maven/io.vertx:vertx-core/3.4.1 | jq '.result.data[0].version.licenses'

doesn't return any results.

@msrb
Member

msrb commented Jul 21, 2017

@luebken could you please confirm that declared licenses is really what we want here? fabric8-analytics is correct about the MIT license in vertx project, upstream just failed to mention it in the manifest file.

The question for me is: is it OK to modify the test to also expect MIT to be reported, or do we want to rework API?

Thanks 😉

@GeorgeActon

@msrb @luebken Do we have an answer on this question?

@msrb
Member

msrb commented Aug 2, 2017

I can see that Experience 1704E530 (source license information) has been added to the PDD. But we still don't show detected licenses (also in PDD). @samuzzal-choudhury any thoughts around this?

@samuzzal-choudhury

@harjinder-hari is the best person ATM to answer this.

@jpopelka
Contributor

See also upstream's reply about why the MIT is not in pom.xml.
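
The declared-versus-detected distinction discussed in this thread, as an added example that is not part of the original issue or of the fabric8-analytics code: it reads the licenses declared in a pom.xml and diffs them against a scanner's detected list. The sample POM, the alias table and the detected list are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed alias table (assumption): maps license names to the short
# names used in this thread so both sides compare on equal terms.
ALIASES = {
    "the apache software license, version 2.0": "ASL 2.0",
    "apache 2.0": "ASL 2.0",
    "asl 2.0": "ASL 2.0",
    "eclipse public license - v 1.0": "EPL 1.0",
    "epl 1.0": "EPL 1.0",
    "mit": "MIT",
}

def normalize(name):
    """Collapse whitespace and case, then map to a short name if known."""
    key = " ".join(name.split()).lower()
    return ALIASES.get(key, name.strip())

def declared_licenses(pom_xml):
    """Licenses the project declares in its manifest (<licenses> in pom.xml)."""
    root = ET.fromstring(pom_xml)
    names = root.findall("m:licenses/m:license/m:name", POM_NS)
    return {normalize(n.text) for n in names if n.text}

def compare(pom_xml, detected):
    """Diff declared licenses against what a file scanner detected."""
    declared = declared_licenses(pom_xml)
    found = {normalize(d) for d in detected}
    return {
        "declared": sorted(declared),
        "detected": sorted(found),
        "undeclared": sorted(found - declared),   # in the files, not in the manifest
        "undetected": sorted(declared - found),   # in the manifest, not found in files
    }

# Constructed sample manifest, not the real vertx-core pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses>
    <license><name>The Apache Software License, Version 2.0</name></license>
    <license><name>Eclipse Public License - v 1.0</name></license>
  </licenses>
</project>"""

if __name__ == "__main__":
    # Constructed scanner output for the sample above.
    print(compare(SAMPLE_POM, ["ASL 2.0", "MIT"]))
```

A non-empty "undeclared" list is the situation the failing test case describes: a license present in the shipped files that the manifest does not mention.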
