Detect variations of the "Eclipse Public License"
Summary
Different variations of the "Eclipse Public License" are showing up in the list of detected licenses.
For example:
Steps to reproduce
Trigger a pipeline in the webgoat project.
Example Project
What is the current bug behavior?
The list of detected licenses displays each variation of the Eclipse Public License instead of a single canonical representation.
What is the expected correct behavior?
The list should display the Eclipse Public License once.
Relevant logs and/or screenshots
[{"name":"Apache 2.0","classification":{"id":4275,"approval_status":"approved","name":"Apache 2.0"},"dependencies":[{"name":"FastInfoset"},{"name":"HikariCP"},{"name":"accessors-smart"},{"name":"android-json"},{"name":"asciidoctorj"},{"name":"assertj-core"},{"name":"attoparser"},{"name":"bootstrap"},{"name":"byte-buddy"},{"name":"byte-buddy-agent"},{"name":"classmate"},{"name":"commons-codec"},{"name":"commons-collections4"},{"name":"commons-exec"},{"name":"commons-io"},{"name":"commons-lang"},{"name":"commons-lang3"},{"name":"groovy"},{"name":"groovy-json"},{"name":"groovy-xml"},{"name":"guava"},{"name":"handlebars"},{"name":"hibernate-validator"},{"name":"httpclient"},{"name":"httpcore"},{"name":"httpmime"},{"name":"jackson-annotations"},{"name":"jackson-core"},{"name":"jackson-databind"},{"name":"jackson-datatype-jdk8"},{"name":"jackson-datatype-jsr310"},{"name":"jackson-module-parameter-names"},{"name":"jandex"},{"name":"javassist"},{"name":"jboss-logging"},{"name":"jcommander"},{"name":"jjwt"},{"name":"json-path"},{"name":"json-smart"},{"name":"jsonassert"},{"name":"log4j-api"},{"name":"log4j-to-slf4j"},{"name":"micrometer-core"},{"name":"objenesis"},{"name":"rest-assured"},{"name":"rest-assured-common"},{"name":"snakeyaml"},{"name":"spring-aop"},{"name":"spring-aspects"},{"name":"spring-beans"},{"name":"spring-boot"},{"name":"spring-boot-actuator"},{"name":"spring-boot-actuator-autoconfigure"},{"name":"spring-boot-autoconfigure"},{"name":"spring-boot-devtools"},{"name":"spring-boot-starter"},{"name":"spring-boot-starter-actuator"},{"name":"spring-boot-starter-aop"},{"name":"spring-boot-starter-data-jpa"},{"name":"spring-boot-starter-jdbc"},{"name":"spring-boot-starter-json"},{"name":"spring-boot-starter-logging"},{"name":"spring-boot-starter-security"},{"name":"spring-boot-starter-test"},{"name":"spring-boot-starter-thymeleaf"},{"name":"spring-boot-starter-tomcat"},{"name":"spring-boot-starter-undertow"},{"name":"spring-boot-starter-web"},{"name":"spring-boot-
test"},{"name":"spring-boot-test-autoconfigure"},{"name":"spring-context"},{"name":"spring-core"},{"name":"spring-data-commons"},{"name":"spring-data-jpa"},{"name":"spring-expression"},{"name":"spring-jcl"},{"name":"spring-jdbc"},{"name":"spring-orm"},{"name":"spring-security-config"},{"name":"spring-security-core"},{"name":"spring-security-test"},{"name":"spring-security-web"},{"name":"spring-test"},{"name":"spring-tx"},{"name":"spring-web"},{"name":"spring-webmvc"},{"name":"tagsoup"},{"name":"thymeleaf"},{"name":"thymeleaf-extras-java8time"},{"name":"thymeleaf-extras-springsecurity5"},{"name":"thymeleaf-spring5"},{"name":"tomcat-embed-core"},{"name":"tomcat-embed-el"},{"name":"tomcat-embed-websocket"},{"name":"unbescape"},{"name":"undertow-core"},{"name":"undertow-servlet"},{"name":"undertow-websockets-jsr"},{"name":"validation-api"},{"name":"wiremock"},{"name":"xml-path"},{"name":"xml-resolver"},{"name":"xmlunit-core"},{"name":"zjsonpatch"}],"count":104,"url":"http://www.apache.org/licenses/LICENSE-2.0.txt"},{"name":"Apache Software License - Version 2.0","classification":{"id":null,"approval_status":"unclassified","name":"Apache Software License - Version 2.0"},"dependencies":[{"name":"jetty-continuation"},{"name":"jetty-http"},{"name":"jetty-io"},{"name":"jetty-security"},{"name":"jetty-server"},{"name":"jetty-servlet"},{"name":"jetty-servlets"},{"name":"jetty-util"},{"name":"jetty-webapp"},{"name":"jetty-xml"}],"count":10,"url":""},{"name":"ASF 2.0","classification":{"id":null,"approval_status":"unclassified","name":"ASF 2.0"},"dependencies":[{"name":"cglib-nodep"}],"count":1,"url":""},{"name":"BSD","classification":{"id":null,"approval_status":"unclassified","name":"BSD"},"dependencies":[{"name":"antlr"},{"name":"antlr4-runtime"},{"name":"asm"}],"count":3,"url":"http://en.wikipedia.org/wiki/BSD_licenses#4-clause_license_.28original_.22BSD_License.22.29"},{"name":"BSD 3-clause New 
License","classification":{"id":null,"approval_status":"unclassified","name":"BSD 3-clause New License"},"dependencies":[{"name":"dom4j"}],"count":1,"url":""},{"name":"BSD style","classification":{"id":null,"approval_status":"unclassified","name":"BSD style"},"dependencies":[{"name":"xstream"}],"count":1,"url":""},{"name":"CDDL + GPLv2 with classpath exception","classification":{"id":null,"approval_status":"unclassified","name":"CDDL + GPLv2 with classpath exception"},"dependencies":[{"name":"javax.annotation-api"},{"name":"javax.el"},{"name":"javax.servlet-api"},{"name":"javax.transaction-api"}],"count":4,"url":""},{"name":"CDDL 1.1","classification":{"id":null,"approval_status":"unclassified","name":"CDDL 1.1"},"dependencies":[{"name":"istack-commons-runtime"},{"name":"jaxb-api"}],"count":2,"url":""},{"name":"CDDL+GPL License","classification":{"id":null,"approval_status":"unclassified","name":"CDDL+GPL License"},"dependencies":[{"name":"jaxb-core"},{"name":"jaxb-runtime"},{"name":"txw2"}],"count":3,"url":""},{"name":"CDDL/GPLv2+CE","classification":{"id":null,"approval_status":"unclassified","name":"CDDL/GPLv2+CE"},"dependencies":[{"name":"javax.activation-api"}],"count":1,"url":""},{"name":"COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0","classification":{"id":null,"approval_status":"unclassified","name":"COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0"},"dependencies":[{"name":"activation"}],"count":1,"url":""},{"name":"Common Development And Distribution License 1.1","classification":{"id":null,"approval_status":"unclassified","name":"Common Development And Distribution License 1.1"},"dependencies":[{"name":"jboss-annotations-api_1.2_spec"},{"name":"jboss-websocket-api_1.1_spec"}],"count":2,"url":""},{"name":"Dual license consisting of the CDDL v1.1 and GPL v2","classification":{"id":null,"approval_status":"unclassified","name":"Dual license consisting of the CDDL v1.1 and GPL 
v2"},"dependencies":[{"name":"stax-ex"}],"count":1,"url":""},{"name":"Eclipse Distribution License v. 1.0","classification":{"id":null,"approval_status":"unclassified","name":"Eclipse Distribution License v. 1.0"},"dependencies":[{"name":"javax.persistence-api"}],"count":1,"url":""},{"name":"Eclipse Public License - v 1.0","classification":{"id":null,"approval_status":"unclassified","name":"Eclipse Public License - v 1.0"},"dependencies":[{"name":"aspectjweaver"},{"name":"logback-classic"},{"name":"logback-core"}],"count":3,"url":""},{"name":"Eclipse Public License - Version 1.0","classification":{"id":null,"approval_status":"unclassified","name":"Eclipse Public License - Version 1.0"},"dependencies":[{"name":"jetty-continuation"},{"name":"jetty-http"},{"name":"jetty-io"},{"name":"jetty-security"},{"name":"jetty-server"},{"name":"jetty-servlet"},{"name":"jetty-servlets"},{"name":"jetty-util"},{"name":"jetty-webapp"},{"name":"jetty-xml"}],"count":10,"url":""},{"name":"Eclipse Public License 1.0","classification":{"id":null,"approval_status":"unclassified","name":"Eclipse Public License 1.0"},"dependencies":[{"name":"junit"}],"count":1,"url":""},{"name":"Eclipse Public License v1.0","classification":{"id":null,"approval_status":"unclassified","name":"Eclipse Public License v1.0"},"dependencies":[{"name":"javax.persistence-api"}],"count":1,"url":""},{"name":"EPL-2.0","classification":{"id":null,"approval_status":"unclassified","name":"EPL-2.0"},"dependencies":[{"name":"jruby-complete"}],"count":1,"url":""},{"name":"GNU General Public License v2.0 only, with Classpath exception","classification":{"id":null,"approval_status":"unclassified","name":"GNU General Public License v2.0 only, with Classpath exception"},"dependencies":[{"name":"jboss-annotations-api_1.2_spec"},{"name":"jboss-websocket-api_1.1_spec"}],"count":2,"url":""},{"name":"GNU General Public License, version 2","classification":{"id":null,"approval_status":"unclassified","name":"GNU General Public License, 
version 2"},"dependencies":[{"name":"auth-bypass"},{"name":"bypass-restrictions"},{"name":"challenge"},{"name":"chrome-dev-tools"},{"name":"cia"},{"name":"client-side-filtering"},{"name":"cross-site-scripting"},{"name":"csrf"},{"name":"html-tampering"},{"name":"http-basics"},{"name":"http-proxies"},{"name":"idor"},{"name":"insecure-deserialization"},{"name":"insecure-login"},{"name":"jwt"},{"name":"missing-function-ac"},{"name":"password-reset"},{"name":"secure-passwords"},{"name":"sql-injection"},{"name":"ssrf"},{"name":"vulnerable-components"},{"name":"webgoat-container"},{"name":"webgoat-introduction"},{"name":"webgoat-server"},{"name":"webwolf"},{"name":"webwolf-introduction"},{"name":"xxe"}],"count":27,"url":""},{"name":"GNU Lesser General Public License","classification":{"id":null,"approval_status":"unclassified","name":"GNU Lesser General Public License"},"dependencies":[{"name":"logback-classic"},{"name":"logback-core"}],"count":2,"url":""},{"name":"GNU Lesser General Public License v2.1 or later","classification":{"id":null,"approval_status":"unclassified","name":"GNU Lesser General Public License v2.1 or later"},"dependencies":[{"name":"hibernate-commons-annotations"}],"count":1,"url":""},{"name":"GNU Library General Public License v2.1 or later","classification":{"id":null,"approval_status":"unclassified","name":"GNU Library General Public License v2.1 or later"},"dependencies":[{"name":"hibernate-core"}],"count":1,"url":""},{"name":"GPL-2.0","classification":{"id":null,"approval_status":"unclassified","name":"GPL-2.0"},"dependencies":[{"name":"jruby-complete"}],"count":1,"url":""},{"name":"GPL2 w/ CPE","classification":{"id":null,"approval_status":"unclassified","name":"GPL2 w/ CPE"},"dependencies":[{"name":"istack-commons-runtime"},{"name":"jaxb-api"}],"count":2,"url":""},{"name":"HSQLDB License, a BSD open source license","classification":{"id":null,"approval_status":"unclassified","name":"HSQLDB License, a BSD open source 
license"},"dependencies":[{"name":"hsqldb"}],"count":1,"url":""},{"name":"Indiana University Extreme! Lab Software License, vesion 1.1.1","classification":{"id":null,"approval_status":"unclassified","name":"Indiana University Extreme! Lab Software License, vesion 1.1.1"},"dependencies":[{"name":"xpp3_min"}],"count":1,"url":""},{"name":"LGPL 2.1","classification":{"id":null,"approval_status":"unclassified","name":"LGPL 2.1"},"dependencies":[{"name":"javassist"}],"count":1,"url":""},{"name":"LGPL-2.1","classification":{"id":null,"approval_status":"unclassified","name":"LGPL-2.1"},"dependencies":[{"name":"jruby-complete"}],"count":1,"url":""},{"name":"MIT","classification":{"id":null,"approval_status":"unclassified","name":"MIT"},"dependencies":[{"name":"jopt-simple"},{"name":"jquery"},{"name":"jsoup"},{"name":"jul-to-slf4j"},{"name":"lombok"},{"name":"mockito-core"},{"name":"slf4j-api"},{"name":"zxcvbn"}],"count":8,"url":"http://opensource.org/licenses/mit-license"},{"name":"MPL 1.1","classification":{"id":null,"approval_status":"unclassified","name":"MPL 1.1"},"dependencies":[{"name":"javassist"}],"count":1,"url":""},{"name":"New BSD License","classification":{"id":null,"approval_status":"unclassified","name":"New BSD License"},"dependencies":[{"name":"hamcrest-core"},{"name":"hamcrest-library"}],"count":2,"url":""},{"name":"Public Domain","classification":{"id":null,"approval_status":"unclassified","name":"Public Domain"},"dependencies":[{"name":"xmlpull"},{"name":"xnio-api"},{"name":"xnio-nio"},{"name":"xpp3_min"}],"count":4,"url":""},{"name":"Public Domain, per Creative Commons CC0","classification":{"id":null,"approval_status":"unclassified","name":"Public Domain, per Creative Commons CC0"},"dependencies":[{"name":"HdrHistogram"},{"name":"LatencyUtils"}],"count":2,"url":""},{"name":"Simplified BSD","classification":{"id":null,"approval_status":"unclassified","name":"Simplified 
BSD"},"dependencies":[{"name":"postgresql"}],"count":1,"url":"http://opensource.org/licenses/bsd-license"},{"name":"The BSD 3-Clause License","classification":{"id":null,"approval_status":"unclassified","name":"The BSD 3-Clause License"},"dependencies":[{"name":"encoder"},{"name":"xmlunit-legacy"}],"count":2,"url":""},{"name":"unknown","classification":{"id":null,"approval_status":"unclassified","name":"unknown"},"dependencies":[{"name":"ant"},{"name":"ant-launcher"}],"count":2,"url":""}]
Output of checks
This bug happens on GitLab.com
Possible fixes
Add the different variations of the Eclipse Public License to the normalized-licenses.yml file in the license_scanning project.
Implementation Plan
- Add the following keys to normalized-licenses.yml:
  - Apache Software License - Version 2.0
  - ASF 2.0
  - COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0
  - Common Development And Distribution License 1.1
  - Eclipse Distribution License v. 1.0
  - Eclipse Public License - v 1.0
  - Eclipse Public License - Version 1.0 (already exists)
  - Eclipse Public License 1.0
  - Eclipse Public License v1.0
  - EPL-2.0 (Official SPDX identifier)
  - GNU General Public License v2.0 only, with Classpath exception
  - GNU General Public License, version 2
  - GNU Lesser General Public License v2.1 or later
  - GNU Library General Public License v2.1 or later
  - GPL-2.0 (Official SPDX identifier)
  - GPL2 w/ CPE
  - LGPL 2.1 (already exists)
  - LGPL-2.1
  - MPL 1.1 (already exists)
  - New BSD License (already exists)
  - The BSD 3-Clause License
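A sketch of the normalization this plan asks for, as an added example and not code from the license_scanning project: the `NORMALIZED` table, `canonical_name` and `merge_licenses` are hypothetical names, and the table's shape is an assumption rather than the real layout of normalized-licenses.yml. It collapses the Eclipse Public License 1.0 spellings from the report above into one entry, so that a single approval or denial classification covers every spelling, and leaves unknown names untouched.

```ruby
require 'json'

# Assumed mapping (not the project's file): license name as reported by the
# build tool => canonical SPDX identifier. Variant names come from the issue.
NORMALIZED = {
  'Eclipse Public License - v 1.0'       => 'EPL-1.0',
  'Eclipse Public License - Version 1.0' => 'EPL-1.0',
  'Eclipse Public License 1.0'           => 'EPL-1.0',
  'Eclipse Public License v1.0'          => 'EPL-1.0',
  'EPL-2.0'                              => 'EPL-2.0'
}.transform_keys { |k| k.downcase.squeeze(' ') }.freeze

# Look up a reported name ignoring case and repeated spaces. Unknown names
# pass through unchanged so they stay visible as unclassified, not guessed.
def canonical_name(reported)
  NORMALIZED.fetch(reported.strip.downcase.squeeze(' '), reported)
end

# Merge report entries that normalize to the same license, de-duplicating
# dependencies and recomputing the count from the merged list.
def merge_licenses(entries)
  entries.group_by { |e| canonical_name(e['name']) }.map do |name, group|
    deps = group.flat_map { |e| e['dependencies'].map { |d| d['name'] } }.uniq.sort
    { 'name' => name, 'dependencies' => deps, 'count' => deps.size }
  end
end

# Constructed sample: a trimmed subset of the report shown in the issue.
SAMPLE = JSON.parse(<<~JSON)
  [
    {"name":"Eclipse Public License - v 1.0","dependencies":[{"name":"aspectjweaver"},{"name":"logback-classic"}]},
    {"name":"Eclipse Public License 1.0","dependencies":[{"name":"junit"}]},
    {"name":"Eclipse Public License v1.0","dependencies":[{"name":"javax.persistence-api"}]},
    {"name":"EPL-2.0","dependencies":[{"name":"jruby-complete"}]},
    {"name":"BSD style","dependencies":[{"name":"xstream"}]}
  ]
JSON

merge_licenses(SAMPLE).each do |l|
  puts "#{l['name']}: #{l['count']} (#{l['dependencies'].join(', ')})"
end
```

EPL-1.0 and EPL-2.0 stay separate entries because they are different license versions; only spellings of the same version are merged.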
Availability and Testing
All variations of the Eclipse license should show correctly on license scanning. This should be tested by the developer in unit tests and by the SET in end-to-end tests.
Edited by Can Eldem