Labels: evaluator, reporter, spdx
Description
Describe the bug
When analyzing, evaluating and reporting a project that includes the package Maven:net.java.dev.jna:jna:5.8.0, its "Apache-2.0 OR LGPL-2.1-only" license (which is correctly found in the analyzer and evaluator results) is falsely reported as "Apache-2.0 AND LGPL-2.1-only". Thus, license choices don't apply.
To Reproduce
Steps to reproduce the behavior:
- Run ORT (analyze, evaluate, report) on a folder with the following files:

pom.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <!-- Maven requires modelVersion 4.0.0; the report originally had 1.0.0 here, which Maven rejects -->
  <modelVersion>4.0.0</modelVersion>
  <groupId>test</groupId>
  <artifactId>test</artifactId>
  <version>1.0.0</version>
  <properties>
  </properties>
  <dependencyManagement>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>net.java.dev.jna</groupId>
      <artifactId>jna</artifactId>
      <version>5.8.0</version>
    </dependency>
  </dependencies>
  <build>
  </build>
  <profiles>
  </profiles>
</project>
```
.ort.yml

```yaml
license_choices:
  repository_license_choices:
  - given: "Apache-2.0 OR LGPL-2.1-only"
    choice: "Apache-2.0"
```
- Check the report: the license is evaluated with "AND" and the license choice does not apply.
Expected behavior
The license is evaluated with "OR" and the license choice applies.
Console / log output
```
The following 1 rule violations have been found:
ERROR: COPYLEFT_LIMITED_IN_DEPENDENCY - Maven:net.java.dev.jna:jna:5.8.0 - LGPL-2.1-only (DECLARED) - The dependency 'Maven:net.java.dev.jna:jna:5.8.0' is licensed under the ScanCode 'copyleft-limited' categorized license LGPL-2.1-only.
```
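To make the reported difference concrete, here is a small added example (not ORT's code) that parses a simplified SPDX expression, applies a repository license choice and runs a copyleft-limited check: a choice only narrows an OR node, so an expression wrongly turned into AND keeps LGPL-2.1-only in effect and yields exactly the kind of violation shown above. The parser, the `COPYLEFT_LIMITED` set and the `copyleft_limited_violations` rule are constructed for this illustration and are not ORT's or ScanCode's own implementation.

```python
import re
COPYLEFT_LIMITED = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}  # constructed stand-in for ScanCode's category (assumption)

def parse(expr):
    """Simplified SPDX parser (ids, AND, OR, parentheses; no WITH). Returns a
    plain id string or ("AND"|"OR", [operands]); AND binds tighter than OR."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr) + [None]  # None marks the end
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def primary():
        tok = take()
        if tok in (None, ")", "AND", "OR"):
            raise ValueError("unexpected token %r in %r" % (tok, expr))
        if tok != "(":
            return tok
        node = or_expr()
        if take() != ")":
            raise ValueError("unbalanced parentheses in %r" % expr)
        return node
    def chain(sub, op):  # operands of `sub` joined by `op`, flattened into one node
        ops = [sub()]
        while tokens[pos] == op:
            take()
            ops.append(sub())
        return ops[0] if len(ops) == 1 else (op, ops)
    and_expr = lambda: chain(primary, "AND")
    or_expr = lambda: chain(and_expr, "OR")
    tree = or_expr()
    if tokens[pos] is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return tree

def apply_choice(tree, given, choice):
    """Narrow the sub-expression equal to `given` down to `choice`. Only an OR
    node offers a choice; an AND node is kept, so no obligation is dropped."""
    if tree == parse(given) and isinstance(tree, tuple) and tree[0] == "OR" and choice in tree[1]:
        return choice
    if isinstance(tree, tuple):
        return (tree[0], [apply_choice(n, given, choice) for n in tree[1]])
    return tree

def leaves(tree):  # every license id still in effect after choices are applied
    return {tree} if isinstance(tree, str) else set().union(*map(leaves, tree[1]))

def copyleft_limited_violations(declared, given, choice):
    """Rule in the spirit of COPYLEFT_LIMITED_IN_DEPENDENCY, evaluated after the choice."""
    return sorted(leaves(apply_choice(parse(declared), given, choice)) & COPYLEFT_LIMITED)
```

Running the rule on the declared "OR" expression with the choice from .ort.yml yields no violation, while the same choice against the "AND" form the reporter produced still flags LGPL-2.1-only.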
Environment
Output of the `ort requirements` command:

```
Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
______________________________
/ \_______ \__ ___/ The OSS Review Toolkit, version 64.0.0,
| | | | _/ | | built with JDK 21.0.7+6-LTS, running under Jav
| | | | | \ | | Executing 'requirements' as 'ort' on Linux
\________/ |____|___/ |____| with 16 CPUs and a maximum of 8192 MiB of memo
Environment variables:
  ORT_DATA_DIR = /builds/bm/jira-issues/bm-5439-maven-jna-test/.ort
  ORT_CONFIG_DIR = /home/ort/.ort/config
  HOME = /home/ort
  JAVA_HOME = /opt/java/openjdk
  ANDROID_HOME = /opt/android-sdk
Looking for ORT configuration in the following file:
  /home/ort/.ort/config/config.yml
Scanners:
  - Askalono: Requires 'askalono' in no specific version. Tool not found.
  - BoyterLc: Requires 'lc' in no specific version. Tool not found.
  - Licensee: Requires 'licensee' in no specific version. Tool not found.
  * ScanCode: Requires 'scancode' in version >=30.0.0. Found version 32.4.1.
PackageManagers:
  * Bazel: Requires 'bazel' in version >=7.0.0. Found version 7.0.1.
  * Bower: Requires 'bower' in version >=1.8.8. Found version 1.8.14.
  + Buildozer: Requires 'buildozer' in no specific version. Found version redacted.
  * Cargo: Requires 'cargo' in no specific version. Found version 1.87.0.
  * CocoaPods: Requires 'pod' in version >=1.11.0. Found version 1.16.2.
  * Composer: Requires 'composer' in version >=1.5.0. Found version 2.8.10.
  * Go: Requires 'go' in version >=1.21.1. Found version 1.24.5.
  * Npm: Requires 'npm' in version >=6.0.0 and <11.0.0. Found version 10.9.2.
  + NuGetInspector: Requires 'nuget-inspector' in no specific version. Could not determine the version.
  * Pipenv: Requires 'pipenv' in version >=2018.10.9. Found version 2023.12.1.
  * Pnpm: Requires 'pnpm' in version >=5.0.0 and <11.0.0. Found version 10.14.0.
  * Poetry: Requires 'poetry' in no specific version. Found version 2.1.3.
  * PythonInspector: Requires 'python-inspector' in version >=0.9.2. Found version 0.14.0.
  + Sbt: Requires 'sbt' in version >=1.3.3. Could not determine the version.
  * Stack: Requires 'stack' in version >=2.1.1. Found version 3.7.1.
  * Swift: Requires 'swift' in no specific version. Found version 6.0.3.
  * Yarn: Requires 'yarn' in version >=1.3.0 and <1.23.0. Found version 1.22.22.
Other tools:
  * Conan: Requires 'conan' in version >=1.44.0 and <3.0.0. Found version 1.66.0.
  * Pub: Requires 'dart' in version >=2.10.0. Found version 2.18.4.
VersionControlSystems:
  * Git: Requires 'git' in version >=2.29.0. Found version 2.34.1.
  * GitRepo: Requires 'repo' in no specific version. Found version 2.54 (launcher).
  * Mercurial: Requires 'hg' in no specific version. Found version 7.0.3.
Prefix legend:
  - The tool was not found in the PATH environment.
  + The tool was found in the PATH environment, but not in the required version.
  * The tool was found in the PATH environment in the required version.
ScanCode license texts found in '/opt/scancode-license-data'.
Not all tools requirements were satisfied:
  ! Some tools were not found in their required versions.
  ! For some tools the version could not be determined.
```