Skip to content

Adding false positive rules for Go and pycryptodomex GPL hits #4589

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Adding false positive rules for Go and pycryptodomex GPL hits #4589

wants to merge 1 commit into from

Conversation

@CsatariGergely
Copy link

@CsatariGergely CsatariGergely commented Oct 20, 2025

One for Go, where the GPLv2 licenses is mentioned in the context of GCC and one for pycryptodomex where the GPL license is mentioned in the context of a website.

Tasks

  • Reviewed contribution guidelines
  • PR is descriptively titled 📑 and links the original issue above 🔗
  • Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
    Run tests locally to check for errors.
  • Commits are in uniquely-named feature branch and has no merge conflicts 📁
  • Updated documentation pages (if applicable)
  • Updated CHANGELOG.rst (if applicable)

@CsatariGergely @pombredanne
Adding two false positive rules
7656a81 
One for Go, where the GPLv2 licenses is mentioned in the context of GCC and
one for pycryptodomex where the GPL license is mentioned in the context of
a website.

Signed-off-by: Gergely Csatari <gergely.csatari@nokia.com>
Co-authored-by: Philippe Ombredanne <pombredanne@aboutcode.org>
AyanSinhaMahapatra
AyanSinhaMahapatra reviewed Oct 31, 2025
View reviewed changes
Copy link
Member

@AyanSinhaMahapatra AyanSinhaMahapatra left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CsatariGergely Thanks a lot for the PR! These reports and license rules to fix detection issues are always much appreciated ❤️
What about having these rules as license clues instead of false-positives?

IMHO these license texts although they are not directly related to the license-expression for the file it is found in, they could still be important license related clues which could be interesting.

A false positive rule deletes a license text match from the results without any indication, a license clue if detected, is not reflected in the final license-expression for the file, but is present in a seperate file-level section license_clues and thus can be reviewed if someone wants to review license related clues.

The license-clue vs false-positive distinction should happen thus in a case by case basis, and IMHO proper false-positives are always texts which are not license related at all, but vaguely resembles license names/texts in some way, and license clues are always somewhat license related, even if they are not directly related to the license of a file.

We should probably better document this somewhere (probably in the documentation section how to add a license rule) 😅

What do you think? @CsatariGergely @pombredanne

@CsatariGergely
Copy link
Author

CsatariGergely commented Nov 4, 2025

In my opinion these are clearly false positives and not license clues. Both of these are talking of the licenses of other things than the code under scan. Adding them to license clues would be confusing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AyanSinhaMahapatra AyanSinhaMahapatra AyanSinhaMahapatra left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CsatariGergely @AyanSinhaMahapatra