License discovery issue #465

Closed
halostatue opened this issue Mar 5, 2018 · 2 comments

Using license finder with an Elixir project, I am seeing a number of dependencies that report as undefined license. When I use licensir, many of these same dependencies report the correct license (but many do not).

Here’s the output of license_finder (reformatted for easier comparison):

absinthe 1.4.7            => unknown
absinthe_plug 1.4.2       => unknown
absinthe_relay 1.4.2      => unknown
authorize 0.3.1           => unknown
barlix 0.3.3              => unknown
bcrypt_elixir 1.0.6       => unknown
certifi 2.0.0             => "New BSD"
comeonin 4.1.0            => unknown
cors_plug 1.5.0           => unknown
db_connection 1.1.3       => unknown
decimal 1.4.1             => unknown
dialyxir 0.5.1            => unknown
earmark 1.2.4             => unknown
ecto 2.2.8                => unknown
ecto_enum 1.1.0           => unknown
elixir_make 0.4.0         => unknown
faker 0.9.0               => unknown
file_system 0.2.4         => unknown
gen_smtp 0.12.0           => unknown
gettext 0.15.0            => unknown
hackney 1.11.0            => unknown
metrics 1.0.1             => "New BSD"
mime 1.2.0                => unknown
phoenix_live_reload 1.1.3 => unknown
plug 1.4.5                => unknown
png 0.1.1                 => "New BSD"
postgrex 0.13.5           => unknown
private 0.1.1             => unknown
scrivener 2.5.0           => unknown
scrivener_ecto 1.3.0      => unknown
trans 2.0.2               => unknown
unicode_util_compat 0.3.1 => "New BSD"

Here is the matching output of licensir:

absinthe 1.4.7            => MIT
absinthe_plug 1.4.2       => MIT
absinthe_relay 1.4.2      => MIT
authorize 0.3.1           => MIT
barlix 0.3.3              => MIT
bcrypt_elixir 1.0.6       => BSD
certifi 2.0.0             => License is undefined
comeonin 4.1.0            => BSD
cors_plug 1.5.0           => Apache 2.0
db_connection 1.1.3       => Apache 2.0
decimal 1.4.1             => Apache 2.0
dialyxir 0.5.1            => Apache 2.0
earmark 1.2.4             => Apache 2 (see the file LICENSE for details)
ecto 2.2.8                => Apache 2.0
ecto_enum 1.1.0           => MIT
elixir_make 0.4.0         => Apache 2
faker 0.9.0               => MIT
file_system 0.2.4         => WTFPL
gen_smtp 0.12.0           => License is undefined
gettext 0.15.0            => Apache 2.0
hackney 1.11.0            => License is undefined
metrics 1.0.1             => License is undefined
mime 1.2.0                => Apache 2
phoenix_live_reload 1.1.3 => MIT
plug 1.4.5                => Apache 2
png 0.1.1                 => License is undefined
postgrex 0.13.5           => Apache 2.0
private 0.1.1             => Apache 2.0
scrivener 2.5.0           => MIT
scrivener_ecto 1.3.0      => MIT
trans 2.0.2               => MIT
unicode_util_compat 0.3.1 => License is undefined

kdykeman commented Mar 7, 2018

Thanks @halostatue... LicenseFinder's initial support for mix is just parsing the output from mix deps which doesn't include the license information. Ironically, with a quick bit of googling for "mix deps license", it looks like the author of licensir was originally proposing that the licensir functionality be implemented in mix.

We'll keep this issue open until LicenseFinder's support for mix can be enhanced.

dideler commented Jan 4, 2019

Ran LicenseFinder against an Elixir codebase, and found a couple more scenarios that would be useful to include as test cases.

One thing these packages have in common is that they are Erlang packages. Note that both Elixir and Erlang packages can be distributed with Hex.pm, and Erlang packages can also be dependencies in an Elixir project.

couchbeam_amuino

https://hex.pm/packages/couchbeam_amuino

Licensed under MIT.

LicenseFinder reports MIT, New BSD.

Possibly finding "New BSD" by looking at the built dependency, which includes rebar3_hex which is licensed under BSD-3-Clause. Given a mix project with compiled dependencies, it would be at deps/couchbeam_amuino/_build/default/plugins/rebar3_hex.

erlpop

https://hex.pm/packages/erlpop

Licensed under Apache 2.0.

LicenseFinder reports New BSD.

Similar to couchbeam_amuino, this could be because of rebar3_hex, which would be located at deps/erlpop/_build/default/plugins/rebar3_hex once the erlpop dependency has been compiled.

epipe

https://hex.pm/packages/epipe

This is a dependency of erlpop.

Licensed under Apache 2.0.

LicenseFinder reports Apache 2.0, New BSD.

Also has deps/epipe/_build/default/plugins/rebar3_hex once compiled.

idna

https://hex.pm/packages/idna

Licensed under MIT (LICENSE file) and BSD (Hex metadata and app.src file).

LicenseFinder reports MIT.
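
The false positive hypothesised in the comment above (a scanner recursing into a compiled dependency's `_build/default/plugins/rebar3_hex`), reproduced on a constructed tree as an added Ruby example. This is not LicenseFinder's code; `licenses_in`, `SIGNATURES` and the sample license snippets are assumptions made for illustration.

```ruby
require "tmpdir"
require "fileutils"
require "find"

# Constructed, simplified signatures; a real scanner matches full license texts.
SIGNATURES = {
  "MIT"        => /Permission is hereby granted, free of charge/,
  "Apache 2.0" => /Apache License\s+Version 2\.0/,
  "New BSD"    => /Neither the name of .* nor the names of its contributors/
}.freeze

LICENSE_FILE = /\A(LICEN[SC]E|COPYING)(\.\w+)?\z/i

# Returns the sorted license names found under dep_dir.
# prune: directory names whose subtrees are skipped (e.g. build output).
def licenses_in(dep_dir, prune: [])
  found = []
  Find.find(dep_dir) do |path|
    name = File.basename(path)
    if File.directory?(path)
      Find.prune if prune.include?(name)
      next
    end
    next unless name.match?(LICENSE_FILE)
    text = File.read(path)
    SIGNATURES.each { |lic, re| found << lic if text.match?(re) }
  end
  found.uniq.sort
end

# Constructed deps/epipe tree: Apache 2.0 at the top level, and a
# BSD-3-Clause rebar3_hex plugin under _build, as in the compiled dependency.
def build_sample_dep(root)
  dep = File.join(root, "deps", "epipe")
  plugin = File.join(dep, "_build", "default", "plugins", "rebar3_hex")
  FileUtils.mkdir_p(plugin)
  File.write(File.join(dep, "LICENSE"), "Apache License\nVersion 2.0, January 2004\n")
  File.write(File.join(plugin, "LICENSE"),
             "Neither the name of the author nor the names of its contributors may be used\n")
  dep
end

def compare_scans
  Dir.mktmpdir do |root|
    dep = build_sample_dep(root)
    { naive: licenses_in(dep), pruned: licenses_in(dep, prune: ["_build"]) }
  end
end

p compare_scans if $PROGRAM_NAME == __FILE__
```

The naive scan attributes the build plugin's license to the package itself; pruning `_build` leaves only the license shipped at the package's top level.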
