Inconsistent Display of Unknown Licenses Between Dependency List and Pipeline License Pages
Problem
There is a discrepancy between the dependency list page (Dependency List Example) and the pipeline's license page (Pipeline License Example) when handling dependencies with both known and unknown licenses. For example, on the pipeline's license page jakarta.activation/jakarta.activation-api shows up under both unknown and BSD 3-Clause "New" or "Revised" License, but on the dependency list page we only display the BSD license.
Screenshots
These screenshots come from this example project.
Dependency List
Pipeline Licenses
Further details
The problem mainly comes from the fact that these two pages use different underlying data.
For the dependency list data (stored in the DB), we have defined unknown as the default value for a dependency for which we don't have license information. This makes it impossible to distinguish an unknown license reported by License Scanning from an unknown license due to an unsupported component. As a result, this unknown license is not displayed on that page, even when it comes from License Scanning results.
For the pipeline's license tab we don't use the same DB data but "live" License Scanning results, which brings both the unknown and known license (e.g. MIT), exactly as if they were two known licenses. This part of the UI just reflects the License Scanning results as is, so it shows the package as having an unknown license too.
Why do we have unknown license returned in results of License Scanning then? Well, many reasons
Proposed Solution
The dependency list page and the pipeline's license page should be brought into alignment to ensure consistent license information. Which page should be considered correct is up for discussion by PM.
A rather "simple" fix could be to remove the unknown license from a dependency in the pipeline's license tab if it has at least one known license. While this might actually be less accurate in some cases, it could make the feature more usable, at least until we improve our License Scanning accuracy and coverage. We should also review the potential side effect of that change on features like License Approval policies.
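The "simple" fix described above, sketched as an added example that is not GitLab's code: it drops unknown only for packages that also carry a known license, and lists the packages that a rule keyed on unknown would stop matching. The report shape (license name mapped to package names), the helper names, and the sample packages other than jakarta.activation/jakarta.activation-api are assumptions made for this illustration.

```ruby
# Added illustration; not GitLab code. The report shape (license name =>
# package names) and all helper names are assumptions made for this example.
UNKNOWN = 'unknown'

# Constructed sample of "live" License Scanning results.
SAMPLE_REPORT = {
  'BSD 3-Clause "New" or "Revised" License' => ['jakarta.activation/jakarta.activation-api'],
  'MIT' => ['example/known-only'],
  'unknown' => ['jakarta.activation/jakarta.activation-api', 'example/unscanned']
}.freeze

# Invert the report: package => sorted list of license names.
def licenses_by_package(report)
  index = Hash.new { |hash, key| hash[key] = [] }
  report.each do |license, packages|
    packages.each { |pkg| index[pkg] << license }
  end
  index.transform_values { |names| names.uniq.sort }
end

# Proposed rule: drop "unknown" only when the package also has a known license.
# A package whose only license is "unknown" keeps it.
def suppress_redundant_unknown(by_package)
  by_package.transform_values do |names|
    known = names.reject { |name| name == UNKNOWN }
    known.empty? ? names : known
  end
end

# Rebuild the per-license grouping that a license tab would render.
def group_by_license(by_package)
  grouped = Hash.new { |hash, key| hash[key] = [] }
  by_package.each do |pkg, names|
    names.each { |name| grouped[name] << pkg }
  end
  grouped.transform_values(&:sort)
end

# Packages that a rule keyed on "unknown" would stop matching after the change.
def no_longer_unknown(report)
  before = licenses_by_package(report)
  after = suppress_redundant_unknown(before)
  before.select { |pkg, names| names.include?(UNKNOWN) && !after[pkg].include?(UNKNOWN) }.keys.sort
end
```

The output of no_longer_unknown is the list to check against any License Approval policy that acts on unknown before such a change is rolled out.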
Implementation Plan
TBC

