Allow license rules to require the presence of certain defining keywords #2773

mrombout · 2021-11-30T16:45:05Z

Fixes #2637

This PR depends on 97a1a57, contained in #2765. I have cherry-picked that commit into this PR as 2428723.

Tasks

Reviewed contribution guidelines
PR is descriptively titled 📑 and links the original issue above 🔗
Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
Run tests locally to check for errors.
Commits are in uniquely-named feature branch and has no merge conflicts 📁

src/licensedcode/data/rules/false-positive_ansible_2.RULE

tests/licensedcode/test_match.py

tests/licensedcode/data/datadriven/lic1/boto-boto3-cw-example-creating-alarm.txt.yml

pombredanne

Thanks!
See a few comments in line.

AUTHORS.rst

CHANGELOG.rst

src/licensedcode/data/rules/false-positive_ansible_2.RULE

tests/licensedcode/data/datadriven/lic1/boto-boto3-cw-example-creating-alarm.txt.yml

pombredanne

This is overall awesome!
I'd like to check if the impact on indexing is not too bad... but this is not a critical process anymore.

pombredanne · 2021-12-02T23:44:25Z

src/licensedcode/match.py

+    """
+    Return a filtered list of kept LicenseMatch matches and a list of
+    discardable matches by removing all matches that do not contain all key
+    phrases required by the rule.


What if there is only one match and this does not contain the keyphrases?
Would you discard it, therefore leaving no matches?

If the only match does not contain the key phrase wouldn't that indicate a high chance of being a false positive? If so, for my use-case I would rather have no results, but maybe that's not in-line with Scancode philosophy(e.g. not having false negatives)?

If the only match does not contain the key phrase wouldn't that indicate a high chance of being a false positive?

yes in the general case, but let's take a practical example:

in query I have licensed under the AGPL 3.0 and in rule1 I have AGPL 3.0

in rule2 I have licensed under the {{AGPL 3.0 license}}

the query will initially match both rules

the match to rule1 may be discarded as contained in the rule2 match

the match to rule2 may be discarded as missing a key phrase

I am left with no matches yet licensed under the AGPL 3.0 was very clearly a license notice.

On the other hand if the match to rule2 is discarded as missing a key phrase early and before the containment filter, then we are at least left with the match to rule1?

Okay, that makes sense. But unfortunately I was unable to recreate this scenario in a unit test.

Instead I experimented and moved the key phrase filter up (before the containment filter) and 5 of the datadriven tests I've added broke. Looking into that now. E.g. tests/licensedcode/test_detection_datadriven1.py::TestLicenseDataDriven1::test_detection_datadriven_lic1_alexa_skills_kit_sdk_for_java_txt now detects [apache-2.0, apache-2.0, unknown-license-reference] as opposed to only apache-2.0.

Also, are you suggesting to skip if there's only one rule like some of the other filters?

if len(matches) < 2: return matches

pombredanne

I added some more comments for your review.

pombredanne · 2021-12-02T23:47:32Z

src/licensedcode/match.py

@@ -1485,6 +1540,10 @@ def _log(_matches, _discarded, msg):
        all_discarded.extend(discarded)
        _log(matches, discarded, 'HIGH ENOUGH SCORE')

+    matches, discarded = filter_key_phrase_spans(matches)


I think this filter should be positioned much earlier in the process otherwise here is the risk:

there was a smalller match that was contained

it is filtered because of containment in a larger match

the larger is discarded because of not having keyphrases

there is no match left for this region and we now have a false negative

I've moved the key phrase filter up in 2c377b3, to right before the first containment filter. I was unable to reproduce this scenario exactly, but some datadriven tests at least demonstrated the effectiveness (tests/licensedcode/test_detection_datadriven1.py::TestLicenseDataDriven1::test_detection_datadriven_lic1_alexa_skills_kit_sdk_for_java_txt)

@pombredanne Would the above suffice?

tests/licensedcode/data/datadriven/lic1/alexa-skills-kit-sdk-for-java.txt.yml

A key phrase can be defined in a rule by surrounding one or more words (tokens) with the `{{` and `}}` characters. Key phrases are words that **must** be present in order to successfully match. The key phrases are parsed for each rule during indexing. Then after matching using the standard matching algorithm a filter removes all matches that do not have the key phrases present. --- At the moment sometimes the `ispan` alone can not be relied upon to determine if key phrases are present. At one case stopwords and unknown tokens made it appear as if the `ispan` was more expansive than it should be. This has been solved by checking if the `qspan` corresponding with the `ispan` intersect with any unknown tokens or stopwords. Another problem that is not solved is with the example boto3 example which should match with `cc-by-nc-sa-4.0` but it now matching with several other CC licenses. For some reason `Creative Commons Attribution 4.0 International License` is considered to be matching in the ispan, and not intersecting with any unknown tokens or stopwords (citation needed). Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License cc-by-sa-4.0 was detected as cc-by-4.0. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License mit was detected as gpl-2.0. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

Non-license text is detected as bsd-simplified AND gpl-2.0. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

Non-license text was detected as apache-2.0 AND cc-by-sa-4.0. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License mit was detected as ruby. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License mpl-2.0 was detected as apache-2.0. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License mit was detected as apache-2.0 OR epl-2.0. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License Bouncy Castyle License (mit) is detected as apache-2.0 OR gpl-2.0-plus WITH classpath-exception-2.0. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License erlangpl-1.1 was detected as mpl-1.1. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License mit was detected as cddl-1.0. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License apache-2.0 was detected as mit. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>

License apache-2.0 was detected as imagemagick. Signed-off-by: Mike Rombout <mike.rombout@elastisys.com>