Unknown Nuget license for packages pointing to MICROSOFT .NET LIBRARY

Problem statement

For a variety of NuGet packages we report an unknown license even though they use the Microsoft Software License Terms.

Zendesk Ticket - internal only

Examples

Root cause

License-interfacer is responsible for finding the license of a NuGet package. It does that by querying the NuGet repo. For example, to get package information for System.Threading.Tasks, it calls https://api.nuget.org/v3/registration5-gz-semver2/system.threading.tasks/index.json. It identifies the correct version and, if the field licenseExpression is not set, follows the licenseUrl to identify the license. For this example, "licenseUrl": "http://go.microsoft.com/fwlink/?LinkId=329770", which points to the Microsoft Software License Terms.

License-interfacer uses a classifier. The classifier attempts to match the license from the URL to a known asset (license) from the asset directory, which is pulled by this script. The problem is that Microsoft Software License Terms is not part of the assets.
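The lookup order described above, and why it ends in an unknown license, as an added Python sketch (not License-interfacer's own code). The sample index, the version numbers, the shortened license texts, the asset name `Microsoft-Software-License-Terms` and the word-overlap classifier are all assumptions made for illustration.

```python
import re

# Constructed sample shaped like a NuGet v3 registration index, trimmed to the
# fields used here. Version numbers and the MIT entry are made up.
SAMPLE_INDEX = {"items": [{"items": [
    {"catalogEntry": {"version": "4.3.0", "licenseExpression": "",
                      "licenseUrl": "http://go.microsoft.com/fwlink/?LinkId=329770"}},
    {"catalogEntry": {"version": "9.9.9-constructed", "licenseExpression": "MIT"}},
]}]}
# Constructed stand-ins for license texts; real assets are full documents.
MIT_TEXT = "Permission is hereby granted, free of charge, to any person obtaining a copy"
MS_TEXT = "MICROSOFT SOFTWARE LICENSE TERMS MICROSOFT .NET LIBRARY"
MS_NAME = "Microsoft-Software-License-Terms"  # hypothetical asset name
FETCHED = {"http://go.microsoft.com/fwlink/?LinkId=329770":
           "Microsoft  Software License Terms\nMicrosoft .NET Library"}

def fetch(url):
    """Offline stand-in for following licenseUrl."""
    return FETCHED.get(url, "")

def find_catalog_entry(index, version):
    """Return the catalogEntry for `version` (assumes leaves are inlined in each page)."""
    for page in index.get("items", []):
        for leaf in page.get("items", []):
            entry = leaf.get("catalogEntry", {})
            if entry.get("version", "").lower() == version.lower():
                return entry
    return None

def tokens(text):
    return set(re.findall(r"[a-z0-9.]+", text.lower()))

def make_classifier(assets, fetch_text, threshold=0.8):
    """Toy classifier: Jaccard word overlap against each known asset text."""
    def classify(url):
        body, best, best_score = tokens(fetch_text(url)), None, 0.0
        for name, text in assets.items():
            ref = tokens(text)
            score = len(body & ref) / len(body | ref) if body | ref else 0.0
            if score > best_score:
                best, best_score = name, score
        return best if best_score >= threshold else None
    return classify

def resolve_license(entry, classify):
    """licenseExpression wins; otherwise classify what licenseUrl points to."""
    expr = (entry.get("licenseExpression") or "").strip()
    if expr:
        return expr, "licenseExpression"
    url = (entry.get("licenseUrl") or "").strip()
    if not url:
        return "unknown", "none"
    return (classify(url) or "unknown"), "licenseUrl"
```

With only `MIT_TEXT` in the asset set, the 4.3.0 entry resolves to `unknown`; once `MS_TEXT` is added under `MS_NAME`, the same entry resolves to that asset.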

More information

This license (also referred to as a EULA by Microsoft) is sometimes used for compiled .NET binaries, although we can also find it in source code repos.

Interesting links

Implementation Plan

  • Update interfacer so that it caches the new license
  • Update schema so that the new license is in the database
  • Deploy interfacer and schema on Dev
  • Deploy interfacer and schema on prod
  • Run nuget feeder with SKIP_CUROSR in order to update the database

/cc @cmutua

Edited by Nick Ilieskou