aaronpowell / dotnet-delice

📑 A CLI to help you get insight into your projects' licenses

Look at license file for license?

phillip-haydon opened this issue

Some licenses seem to not be able to be determined, i.e.:

Packages using the legacy NuGet license structure
License Expression: Unable to determine
+-- There are 11 occurances of Unable to determine
+-- Conformance:
¦ +-- Is OSI Approved: false
¦ +-- Is FSF Free/Libre: false
¦ +-- Included deprecated IDs: false
+-- Packages:
  +-- AWSSDK.CloudFront@3.3.101.136 (http://aws.amazon.com/apache2.0/)
  +-- AWSSDK.CloudSearchDomain@3.3.100.169 (http://aws.amazon.com/apache2.0/)
  +-- AWSSDK.Core@3.3.106.14 (http://aws.amazon.com/apache2.0/)
  +-- AWSSDK.S3@3.3.110.60 (http://aws.amazon.com/apache2.0/)
  +-- AWSSDK.SQS@3.3.102.101 (http://aws.amazon.com/apache2.0/)
  +-- AWSSDK.SecurityToken@3.3.104.68 (http://aws.amazon.com/apache2.0/)
  +-- Castle.Core@4.4.0 (http://www.apache.org/licenses/LICENSE-2.0.html)
  +-- Castle.Windsor@5.0.1 (http://www.apache.org/licenses/LICENSE-2.0.html)
  +-- Microsoft.NETFramework.ReferenceAssemblies.net48@1.0.0 (https://github.com/Microsoft/dotnet/blob/master/LICENSE)
  +-- Mindscape.Raygun4Net@5.10.2 (https://raw.github.com/MindscapeHQ/raygun4net/master/LICENSE)
  +-- NVelocity@1.2.0 (http://www.apache.org/licenses/LICENSE-2.0.html)

So for the AWS ones from the URL they appear to be Apache 2.0. And opening up the Microsoft / Raygun ones they are MIT. Castle / NVelocity are Apache 2.0.

So would it be possible to look for keywords in the URL, or even look up the URL itself to determine the license?

I guess it would be slow to look up all the URLs but that could be behind a flag.

I thought --check-license-content would do that for me but it only narrowed it down to:

Packages using the legacy NuGet license structure
License Expression: Unable to determine
├── There are 9 occurances of Unable to determine
├─┬ Conformance:
│ ├── Is OSI Approved: false
│ ├── Is FSF Free/Libre: false
│ └── Included deprecated IDs: false
└─┬ Packages:
  ├── AWSSDK.CloudFront@3.3.101.136 (http://aws.amazon.com/apache2.0/)
  ├── AWSSDK.CloudSearchDomain@3.3.100.169 (http://aws.amazon.com/apache2.0/)
  ├── AWSSDK.Core@3.3.106.14 (http://aws.amazon.com/apache2.0/)
  ├── AWSSDK.S3@3.3.110.60 (http://aws.amazon.com/apache2.0/)
  ├── AWSSDK.SQS@3.3.102.101 (http://aws.amazon.com/apache2.0/)
  ├── AWSSDK.SecurityToken@3.3.104.68 (http://aws.amazon.com/apache2.0/)
  ├── Castle.Core@4.4.0 (http://www.apache.org/licenses/LICENSE-2.0.html)
  ├── Castle.Windsor@5.0.1 (http://www.apache.org/licenses/LICENSE-2.0.html)
  └── NVelocity@1.2.0 (http://www.apache.org/licenses/LICENSE-2.0.html)

As these were not on GitHub.

This is to be expected, as I note on the readme there was a change in the nuspec file which would contain the explicitly stated license.

So that's where --check-license-content comes into play: it will do a web request to the URL and then compare the raw content to known licenses. Now, this works when the URL returns just the content of the license, but if it returns something else, like a whole lot of HTML, it'll likely fail.

Ideally, the NuGet package would be updated to use the correct nuspec format. An easier stop-gap is to add the packages to the internal mapping list: https://github.com/aaronpowell/dotnet-delice/blob/master/src/DotNetDelice.Licensing/LicenseCache.fs#L13

Ah ok! I understand now.

I'll work around it for now, then if I get some time I might go to those projects and hassle them to update the nuspec :D

Thanks.

Feel free to send a PR to add explicit mappings for the AWS license link so it can be an embedded fallback.
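
The two fallbacks discussed in this thread (an explicit URL mapping, then a content comparison that survives an HTML response), as an added Python example that is not dotnet-delice's own code. The table `KNOWN_LICENSE_URLS`, the function names and the `known_texts` parameter are assumptions made for illustration; the caller fetches the license body, so nothing here touches the network.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Explicit URL -> SPDX id mappings for legacy licenseUrl values seen in the thread.
# Constructed for this example; not the contents of the project's LicenseCache.fs.
KNOWN_LICENSE_URLS = {
    "aws.amazon.com/apache2.0": "Apache-2.0",
    "www.apache.org/licenses/license-2.0.html": "Apache-2.0",
}

def normalize_url(url):
    """Drop scheme, query, fragment and trailing slash; lower-case host and path."""
    parts = urlsplit(url.strip())
    return (parts.netloc + parts.path).lower().rstrip("/")

class _TextOnly(HTMLParser):
    """Collects text nodes, skipping the bodies of <script> and <style>."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def normalize_text(body):
    """Reduce a license body (plain text or HTML) to space-separated lower-case words."""
    parser = _TextOnly()
    parser.feed(body)
    parser.close()
    return " ".join(re.findall(r"[a-z0-9]+", " ".join(parser.chunks).lower()))

def resolve_license(url, body=None, known_texts=None):
    """Return an SPDX id or None: try the URL map first, then the fetched body."""
    spdx = KNOWN_LICENSE_URLS.get(normalize_url(url))
    if spdx or body is None:
        return spdx
    page = f" {normalize_text(body)} "
    for spdx_id, excerpt in (known_texts or {}).items():
        if f" {normalize_text(excerpt)} " in page:
            return spdx_id
    return None
```

A hit in the URL map records what the package author declared, while a content match reflects what the URL actually served, so an audit report should keep the two outcomes distinguishable.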