How does JFrog Xray detect the licenses of packages?

Amith Kumar Mutakari
2019-04-25 11:55

Summary

How Xray identifies a package's license, validates it against known licenses, and reports the result in Xray.

Affected Versions

NA

Details

How does Xray detect a package's license and validate it against known licenses?

Resolution

1) Xray matches licenses to public components known to JXray (the JFrog global component database) by comparing the components' checksums.

2) Xray scans the metadata files inside the artifact (pom.xml, package.json, etc.) for the declared license.

3) Xray analyzes the license file inside the artifact (for example licenses.txt or license.md) and compares its text with known license texts using Levenshtein distance, also known as edit distance; a similarity of 85% or more is treated as a match.

To elaborate with an example: Xray compares the text of each known license with the package's license file and looks for a match. The BSD-3-Clause-Clear license text shown here and the text in the package's license.md file shown here are almost identical.

This is how Xray matches the text of license.md against known licenses; JXray likewise identifies well-known public licenses by analyzing their license text.


Percentage match:

Xray compares each known license text with the package's license text and accepts a match when the similarity is above 85%.

In this example, the WebRTC license.md is more than an 85% match for BSD-3-Clause-Clear, so Xray reports that license. A 100% match is not required because license files are routinely edited, most often by changing the copyright holder's name, so the comparison is on overall similarity rather than on an exact word-for-word match. One consequence worth checking: closely related variants (BSD-3-Clause and BSD-3-Clause-Clear differ only by an added patent clause) can also score above 85% against each other, so review the reported license where that distinction matters.
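The following is an added example, not JFrog's or Xray's own code, that walks through the three detection steps listed under Resolution and the percentage-match rule described above: a checksum lookup against a table of known public components, reading the license declared in package.json or pom.xml, and comparing the package's license file with known license texts by Levenshtein distance at an 85% threshold. The checksum table, the metadata files, the WebRTC-style license.md and the function names are all constructed for illustration, and the license texts are abridged.

```python
"""Added example (not JFrog's code): a three-step license detector in the
style the Xray KB article describes. Checksum table, metadata files and
license files below are constructed samples; license texts are abridged."""
import hashlib
import json
import re
import xml.etree.ElementTree as ET

THRESHOLD = 0.85  # the article's rule: more than 85% similarity is a match

# Step 1: constructed "known public component" table keyed by SHA-256.
KNOWN_COMPONENT_CHECKSUMS = {
    hashlib.sha256(b"bytes of a well-known public jar").hexdigest(): "Apache-2.0",
}

def license_by_checksum(artifact_bytes: bytes):
    return KNOWN_COMPONENT_CHECKSUMS.get(hashlib.sha256(artifact_bytes).hexdigest())

# Step 2: the license declared in the artifact's own metadata files.
def license_from_metadata(filename: str, content: str):
    if filename == "package.json":
        lic = json.loads(content).get("license")
        return lic if isinstance(lic, str) else None
    if filename == "pom.xml":
        # {*} matches the element with or without the Maven namespace (Python 3.8+).
        name = ET.fromstring(content).find("./{*}licenses/{*}license/{*}name")
        return name.text.strip() if name is not None and name.text else None
    return None

# Step 3: edit-distance similarity against known license texts (abridged).
KNOWN_LICENSE_TEXTS = {
    "BSD-3-Clause-Clear": """The Clear BSD License
Copyright (c) [year] [fullname] All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted (subject to the limitations in the disclaimer below) provided that
the following conditions are met: 1. Redistributions of source code must retain
the above copyright notice, this list of conditions and the following disclaimer.
3. Neither the name of the copyright holder nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission. NO EXPRESS OR IMPLIED LICENSES TO ANY PARTY'S
PATENT RIGHTS ARE GRANTED BY THIS LICENSE.""",
    "MIT": """MIT License Copyright (c) [year] [fullname]
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.""",
}

def levenshtein(a: str, b: str) -> int:
    # Two-row dynamic programming: O(len(a)*len(b)) time, O(len(b)) memory.
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def normalize(text: str) -> str:
    # Case, punctuation and line wrapping should not count as edits.
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def similarity(a: str, b: str) -> float:
    na, nb = normalize(a), normalize(b)
    longest = max(len(na), len(nb))
    return 1.0 if longest == 0 else 1.0 - levenshtein(na, nb) / longest

def match_license_text(license_text: str):
    """Return (license id or None, best similarity score)."""
    best_id, best = None, 0.0
    for spdx_id, known in KNOWN_LICENSE_TEXTS.items():
        score = similarity(license_text, known)
        if score > best:
            best_id, best = spdx_id, score
    return (best_id if best >= THRESHOLD else None), best

def detect_license(artifact_bytes: bytes, metadata: dict, license_text: str):
    """Apply the three steps in order; return (license id or None, how found)."""
    lic = license_by_checksum(artifact_bytes)
    if lic:
        return lic, "checksum"
    for fname, content in metadata.items():
        lic = license_from_metadata(fname, content)
        if lic:
            return lic, fname
    lic, score = match_license_text(license_text)
    return lic, f"license text similarity {score:.0%}"

# Constructed license.md: the Clear BSD text with the holder's name edited, as a
# project such as WebRTC ships it, so it is close to but not 100% identical.
WEBRTC_LICENSE_MD = KNOWN_LICENSE_TEXTS["BSD-3-Clause-Clear"].replace(
    "[year] [fullname]", "2011, The WebRTC project authors.")

POM_SAMPLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>Apache License, Version 2.0</name></license></licenses>
</project>"""
```

Running `detect_license(b"unknown tarball", {}, WEBRTC_LICENSE_MD)` returns BSD-3-Clause-Clear with a similarity in the mid-90s rather than 100%, which is exactly the case the threshold exists for; an unrelated proprietary notice scores far below 85% and yields no license. Two caveats carry over to any similarity-based matcher: the threshold trades false negatives for false positives between near-identical license families, and the normalization decides what counts as an edit, so it should be the same for the known texts and the scanned file.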