"Discovered" licenses from notices file showing up in "Declared" field - Google Mavens, PyPI, NuGet

[ariel11]

There is a bug with Google Maven packages (maybe other package types too?) where a notices file license data (which should be "discovered" licenses) are erroneously included in the "declared" field.

Example: https://clearlydefined.io/definitions/maven/mavengoogle/com.google.android.gms/play-services-location/21.2.0.

All the info from the third party notices file is being erroneously included in the "declared" field - those should be "discovered" licenses. In this case, the "declared" would be "OTHER" since there's not a SPDX ID for the "Android Software Development Kit License."

[ariel11]

@capfei - I thought we had an open Issue about this already but I couldn't find it?

@elrayle - FYI, this is a significant pain point I am hoping to get on your radar. Happy to chat more.

[qtomlinson]

@ariel11 @elrayle @capfei Yes, there was a previous similar issue on this. Similar to my comment on that issue: in the ScanCode v30 result, there is no package level license information, so license information for top level files is used to derive the declared license. is_license_text is true for third_party_licenses.txt in ScanCode v30 result, and therefore the licenses matched are used as the declared license. We can rerun this case after ScanCode upgrage PR is merged.

[ariel11]

@qtomlinson - I ran into this same issue for PyPI - all the NOTICE file attributions are ending up in the declared field. NOTICE file attributions should always only be "discovered" licenses.

https://clearlydefined.io/definitions/pypi/pypi/-/azure-ai-ml/1.21.1

On the "Files" tab:

[ariel11]

@qtomlinson - Hi, it looks like the Scancode update PR referenced above was merged June 26, 2024. We continue to see instances of the notice file licenses appearing in the declared field.

I don't know what other ClearlyDefined users would prefer, but I would actually prefer for the ClearlyDefined tooling to put NOASSERTION in the declared field vs. copying all the "discovered" licenses from a notices file into the declared field when it cannot tell what the top level license should be. This causes a great deal of noise.

Latest NuGet example - the top level license for this NuGet is MIT.