Scanner reports a file with license `Apache-2.0` as `ErlPL-1.1`

[kikofernandez]

Description

The scanner reports a file with license Apache-2.0 as if it had ErlPL-1.1.
The confidence score is somewhat low, 28.81, but there is no mention of the ErlPL license anywhere :)

Our impact is the use of ScanCode indirectly via ORT.

Files affected:

• lib/dialyzer/test/options1_SUITE_data/src/compiler/v3_core.erl
• lib/dialyzer/test/options1_SUITE_data/src/compiler/v3_kernel.erl
• lib/dialyzer/test/r9c_SUITE_data/src/mnesia/mnesia_log.erl

How To Reproduce

1. git clone https://github.com/erlang/otp.git
2. cd otp
3. scancode -clpeui --json-pp sample.json lib/dialyzer/test/options1_SUITE_data/src/compiler/v3_core.erl

The output shows that the file is detected to contain ErlPL-1.1:

"license_detections": [
    {
      "identifier": "apache_2_0_and_erlangpl_1_1-a2566aed-6768-f0bf-d146-11c24e734c13",
      "license_expression": "apache-2.0 AND erlangpl-1.1",
      "license_expression_spdx": "Apache-2.0 AND ErlPL-1.1",
      "detection_count": 1,
      "reference_matches": [
        {
          "license_expression": "apache-2.0",
          "license_expression_spdx": "Apache-2.0",
          "from_file": "v3_core.erl",
          "start_line": 1,
          "end_line": 11,
          "matcher": "2-aho",
          "score": 100.0,
          "matched_length": 85,
          "match_coverage": 100.0,
          "rule_relevance": 100,
          "rule_identifier": "apache-2.0_7.RULE",
          "rule_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/rules/apache-2.0_7.RULE"
        },
        {
          "license_expression": "erlangpl-1.1",
          "license_expression_spdx": "ErlPL-1.1",
          "from_file": "v3_core.erl",
          "start_line": 10,
          "end_line": 15,
          "matcher": "3-seq",
          "score": 28.81,
          "matched_length": 34,
          "match_coverage": 28.81,
          "rule_relevance": 100,
          "rule_identifier": "erlangpl-1.1_2.RULE",
          "rule_url": "https://github.com/nexB/scancode-toolkit/tree/develop/src/licensedcode/data/rules/erlangpl-1.1_2.RULE"
        }
      ]
    }
  ],

System configuration

• What OS are you running on? Ubuntu 22.04
• What version of scancode-toolkit was used to generate the scan file? 32.3.0
• What installation method was used to install/run scancode? pip

[armijnhemel]

@pombredanne there is some overlap between the rules. The license text here:

https://github.com/erlang/otp/blob/master/lib/dialyzer/test/options1_SUITE_data/src/compiler/v3_core.erl

is a concatenation of the standard Apache 2.0 license reference (bottom of this page):

https://www.apache.org/licenses/LICENSE-2.0

with the contents of this rule:

https://github.com/aboutcode-org/scancode-toolkit/blob/develop/src/licensedcode/data/rules/erlangpl-1.1_2.RULE

where there is an overlap at halfway line 15 of the apache rule and line 18 of the erlang rule